A large-scale analysis of credential leaks from 2023 to 2025 conducted by Kaspersky Lab highlights a long‑standing problem in password security: users continue to rely on weak, recycled passwords and frequently keep them unchanged for years, even after those passwords appear in public data breaches.
Key findings from the 2023–2025 global password breach analysis
Researchers examined massive datasets of stolen credentials that surfaced on the internet as a result of hacking campaigns, phishing attacks and security incidents at online services. The study looked not only at passwords, but also at associated account data, allowing experts to identify stable behavioral patterns among users worldwide.
One of the most alarming results: 54% of passwords compromised in 2025 had already been seen in earlier leaks. In other words, more than half of affected account owners did not change their passwords after they were first exposed, and those passwords effectively became part of criminals’ toolkits.
According to the analysis, the average “life span” of a single password is around 3.5–4 years. During this period, the same credential set can circulate between different cybercriminal groups, be traded on underground forums and be repeatedly used in automated attacks, including credential stuffing — large‑scale attempts to log into many sites using known email/password combinations.
Why password reuse dramatically increases cyber risk
A critical issue revealed by the study is extensive password reuse across multiple services. Many users rely on the same or slightly modified password for email, social networks, online retailers, banking apps and even corporate systems. A breach at a seemingly insignificant site can therefore trigger a chain compromise of far more sensitive accounts.
Industry reports, such as the annual Verizon Data Breach Investigations Report, consistently show that a substantial share of incidents start with compromised credentials. Once a password is exposed in a breach, it rarely disappears from circulation. It is stored, copied and constantly reused in automated attacks around the world, often for years.
This makes email addresses and passwords long‑term targets: a user might not notice any immediate consequences of one breach, but the same credentials can later be exploited for fraud, account takeover or internal network access.
Common weak password patterns exposed in recent leaks
The research also examined the internal structure of leaked passwords. One recurring pattern is the use of date‑like numbers. Roughly one in ten compromised passwords contains sequences resembling years, such as “1990” through “2025”. These may represent birth years, anniversaries or simply convenient numeric combinations.
An additional trend is the preference for the current or recent year: about one in every 200 analyzed passwords ended with “2024”. For attackers, such predictable patterns are trivial to automate and include in basic password‑guessing lists.
Simple numeric strings such as “12345” also remain among the most common weak passwords. Other popular choices include the word “love”, personal names and country names. These can be quickly broken using dictionary attacks, in which automated tools test large lists of common words, phrases and patterns rather than random character combinations.
Best practices for strong password security in 2025
Characteristics of a strong, modern password
Contemporary cybersecurity guidance increasingly emphasizes that password length is more important than exotic symbols. Security specialists recommend passwords of at least 12–14 characters, and ideally even longer passphrases: meaningful but unique sentences or combinations of words that are not taken from books, song lyrics or popular quotes.
Key rules for secure password creation include:
- using a unique password for every online service;
- avoiding dates of birth, names, phone numbers and other easily guessed personal data;
- not using sequences such as “12345”, “qwerty” or widely known words and slogans;
- storing complex passwords in a reputable password manager instead of notes, spreadsheets or browser autofill alone.
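As an added example (not part of the original article or of Kaspersky's study), the following Python checker turns the weak patterns described above (year-like digits from 1990 to 2025, a trailing recent year, sequences such as "12345" and "qwerty", common words and names, personal data) and the minimum-length rule into a registration-time policy check. The word lists are small constructed stand-ins, since the study's own lists are not reproduced on the page.

```python
import re

# Constructed, illustrative word lists; the study's own lists are not on the page.
COMMON_WORDS = {"love", "password", "qwerty", "admin", "welcome"}
COMMON_NAMES = {"john", "anna", "maria", "alex"}
COUNTRY_NAMES = {"russia", "brazil", "india", "france"}
DICTIONARY = sorted(COMMON_WORDS | COMMON_NAMES | COUNTRY_NAMES)
YEAR_RE = re.compile(r"199[0-9]|20[01][0-9]|202[0-5]")  # 1990..2025, as in the study
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
MIN_LENGTH = 12  # lower bound of the 12-14 character recommendation


def _has_sequence(s: str, run: int = 4) -> bool:
    """True if s contains `run` consecutive keyboard-row characters ('qwer')
    or an ascending/descending character run ('1234', 'dcba')."""
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            frag = row[i:i + run]
            if frag in s or frag[::-1] in s:
                return True
    for i in range(len(s) - run + 1):
        diffs = {ord(s[j + 1]) - ord(s[j]) for j in range(i, i + run - 1)}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def weak_password_findings(pw: str, user_data=()) -> list:
    """Return the weak-pattern labels that apply to pw (empty list = none found).
    user_data: strings the user supplied elsewhere (name, date of birth, phone)."""
    s = pw.lower()
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append("too_short")
    if YEAR_RE.search(s):
        findings.append("contains_year")
    if s.endswith(("2024", "2025")):
        findings.append("ends_with_recent_year")
    if _has_sequence(s):
        findings.append("sequence")
    hit = next((w for w in DICTIONARY if w in s), None)  # substring match, deliberately loose
    if hit:
        findings.append("dictionary:" + hit)
    for item in user_data:
        digits = re.sub(r"\D", "", item)  # compare dates/phones by their digits too
        if item and (item.lower() in s or (len(digits) >= 4 and digits in s)):
            findings.append("personal_data")
            break
    return findings


def is_acceptable(pw: str, user_data=()) -> bool:
    return not weak_password_findings(pw, user_data)
```

A real deployment would replace the constructed lists with a full breached-password corpus and treat any finding as a reason to ask for a different password rather than silently accepting it.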
Two-factor authentication and passkeys: moving beyond passwords
Even the strongest password offers limited protection if it has already been stolen. For this reason, more platforms are adopting additional identity‑verification mechanisms. The current baseline is two‑factor authentication (2FA), where a password is combined with another factor, such as a one‑time code from an authenticator app, SMS, hardware token or biometric.
A more advanced model is the use of passkeys, built on open standards such as WebAuthn and FIDO2. Passkeys rely on cryptographic key pairs stored on the user’s device instead of shared secrets. Because the private key never leaves the device and no password is entered, this approach is inherently resistant to phishing — an attacker tricking the user into a fake site cannot “capture” a password that is never typed.
Security experts recommend:
- enabling 2FA on all critical services, including email, social networks and online banking;
- switching to passkey‑based login wherever the feature is available;
- regularly checking email addresses against known breach databases, and immediately changing passwords for any accounts confirmed to be compromised.
The large‑scale password leaks of 2023–2025 clearly show that the habit of using the same simple passwords for years is incompatible with modern cybersecurity risks. Reducing exposure does not require complex technical skills: adopting unique long passwords, managing them with trusted password managers, enabling two‑factor authentication and gradually moving to passkeys significantly raises the cost of attacks for cybercriminals. The sooner individuals and organizations modernize their credential management practices, the harder it will be for attackers to convert the next trove of leaked passwords into successful intrusions.