Kaspersky has released new password security research showing that many users still rely on predictable password patterns despite growing awareness around cybersecurity risks.
Ahead of World Password Day, the company analyzed 231 million unique passwords exposed in data leaks between 2023 and 2026. The findings revealed that 68% of modern passwords could be cracked within a day, while more than half ended with a number — a pattern that significantly weakens password security.
Most leaked passwords still use predictable number patterns
According to the research, users frequently place numbers in predictable locations, making passwords easier for brute-force attacks and AI-assisted cracking systems to guess.
Key findings from Kaspersky show that 53% of analyzed passwords ended with digits, while 17% started with digits. Nearly 12% included date-like sequences ranging from 1950 to 2030, and around 3% contained common keyboard patterns such as “1234” or “qwerty.”
The study also found that users heavily favor familiar symbols. Among passwords containing only one special character, “@” appeared in 10% of cases, while “.” appeared in 3%. The exclamation mark (“!”) also ranked among the most commonly used symbols overall.
Kaspersky researchers warned that attackers already prioritize these predictable combinations when running automated password attacks.
AI tools make weak passwords easier to crack
The report highlights how AI-powered cracking tools are changing the cybersecurity landscape, reducing the effectiveness of older password habits.
While shorter passwords remain highly vulnerable, the study found that even some 15-character passwords could be cracked in under a minute if they relied on common structures or recognizable words.
Using a single Graphics Processing Unit such as the NVIDIA GeForce RTX 5090 and the MD5 hashing algorithm, researchers from Kaspersky estimated that 60.2% of analyzed passwords could be cracked within one hour, while 68.2% could be cracked within one day.
The company also noted that real-world attackers often use multiple GPUs simultaneously, allowing password-cracking attempts to scale significantly faster.
Trending internet terms increasingly appear in passwords
Beyond numbers and symbols, the research also showed that users commonly include emotional words, pop culture references, and internet trends in their passwords.
One notable example was the word “Skibidi,” whose usage reportedly increased 36 times between 2023 and 2026 following the rise of the viral online trend.
Researchers from Kaspersky also identified commonly used positive words such as “Love,” “Magic,” “Friend,” “Angel,” “Star,” and “Eden.” Negative words appeared less frequently but still surfaced in password datasets, including “Hell,” “Devil,” “Nightmare,” and “Scar.”
The findings reflect a broader cybersecurity issue in which users often prioritize memorability over unpredictability, making passwords easier for automated systems to anticipate and crack.
Password managers and passphrases recommended
Kaspersky recommends using long, randomized passwords that combine letters, symbols, and numbers in less predictable ways.
The company also advises users to avoid single-word passwords, use multi-word passphrases with random variations, enable two-factor authentication (2FA), and rely on password managers for secure storage and synchronization.
To support safer password creation, Kaspersky added a password generation tool to its password checker platform, allowing users to automatically generate stronger credentials.
The company also continues promoting passkeys and password managers as alternatives to traditional password-only authentication systems, which remain vulnerable to phishing, credential leaks, and brute-force attacks.
