
New study reveals alarming trends in password security

Sunday Tribune Reporter

Expert analysis has revealed that 68% of modern passwords can be cracked within a day


A global cybersecurity and digital privacy company has revealed alarming new findings about modern password security, after analysing 231 million unique passwords exposed in major data leaks between 2023 and 2026.

Research conducted by Kaspersky found that 68% of passwords could be cracked within a single day, highlighting how predictable user habits continue to undermine online security despite growing awareness around strong password practices.

According to the cybersecurity company, many users begin or end their passwords with a digit, a common pattern that makes those passwords potentially vulnerable, and also favour positive and trending words.

Kaspersky’s analysis showed that 53% of examined passwords ended with digits, while 17% began with numbers. Nearly 12% contained date-like sequences between 1950 and 2030, and about 3% of leaked passwords included keyboard patterns such as “qwerty” or common number strings like “1234”.

Among the leaked passwords that contain just one symbol, the “@” sign tops the list, appearing in 10% of cases. The next most common symbol is a dot (.), found in 3% of passwords. Among all analysed passwords “@” takes second place in terms of prevalence, and in third place is “!”.

Among passwords containing only one symbol, the “@” sign was the most frequently used, appearing in 10% of cases. A full stop (.) followed at 3%, while “!” ranked among the most commonly used special characters overall.

Alexey Antonov, Kaspersky's data science team lead, said these predictable habits significantly reduce the time needed for cybercriminals to crack passwords using brute-force attacks.

“Brute force works by systematically trying every possible character combination until the correct password is found. When attackers already know which characters users tend to favour, the time required to crack a password drops dramatically. To avoid the temptation of choosing predictable symbols, entrust password creation to dedicated generators that produce random letters, numbers, and symbols with equal probability,” said Antonov.

The research also revealed that internet culture increasingly shapes password choices. Use of the word “Skibidi” in passwords surged 36-fold between 2023 and 2026, reflecting the popularity of the viral online trend.

Positive words were found to be more common in passwords than negative ones. Frequently used terms included “love”, “magic”, “friend”, “team”, “angel”, “star” and “eden”. Less common, but still present, were negative words such as “hell”, “devil”, “nightmare” and “scar”.

“Using a single‑word password, even with a trailing number or a special character, is a weak choice. The pattern is too predictable, making it easy for attackers to guess. Instead, craft a passphrase that strings together several unrelated words, each supplemented with internal numbers and symbols, and sprinkle in a few intentional misspellings.

“The longer and more random and unpredictable the password is, the harder it is to crack,” said Antonov.

The study found that passwords of eight characters or fewer could usually be cracked in under a day. More concerningly, AI-powered tools were able to break more than 20% of 15-character passwords in less than a minute if they followed predictable patterns.

Overall, 60.2% of all analysed passwords could reportedly be cracked within an hour, while 68.2% fell within a day.

Kaspersky said modern secure passwords should contain at least 16 characters and include random, non-repeating combinations of letters, numbers and symbols. Users were also urged to avoid reusing passwords across accounts and to enable two-factor authentication wherever possible.
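
As an added illustration (not code from Kaspersky or from this article), the Python sketch below checks a user-chosen password for the predictable habits the study lists and generates a password the way the recommendation describes, drawing each character uniformly from letters, digits and symbols. The regexes, function names and sample passwords are assumptions constructed for this example.

```python
import re
import secrets
import string

# Habits named in the study; the exact regexes are this example's assumptions.
YEAR_RE = re.compile(r"19[5-9]\d|20[0-2]\d|2030")   # date-like, 1950-2030
KEYBOARD_RUNS = ("qwerty", "1234")                  # the two runs the article cites
ALPHABET = string.ascii_letters + string.digits + string.punctuation
MIN_LENGTH = 16                                     # recommended minimum

def predictable_patterns(password: str) -> list[str]:
    """Return the habits from the study that appear in a user-chosen password."""
    findings = []
    if password[-1:].isdigit():
        findings.append("ends with digit")
    if password[:1].isdigit():
        findings.append("starts with digit")
    if YEAR_RE.search(password):
        findings.append("date-like sequence 1950-2030")
    if any(run in password.lower() for run in KEYBOARD_RUNS):
        findings.append("keyboard pattern")
    symbols = [c for c in password if c in string.punctuation]
    if len(symbols) == 1 and symbols[0] in "@.":
        findings.append("single common symbol")
    if len(password) < MIN_LENGTH:
        findings.append("shorter than 16 characters")
    return findings

def generate_password(length: int = MIN_LENGTH) -> str:
    """Draw each character independently and uniformly, using the OS CSPRNG."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

if __name__ == "__main__":
    # Constructed sample passwords, not taken from any leak.
    for sample in ("love@1990", "1qwerty", "Skibidi2024!"):
        print(f"{sample!r}: {predictable_patterns(sample)}")
    print("generated:", generate_password())
```

The checker is meant for passwords people choose themselves; a digit at the edge of a generated password is chance rather than habit.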

The company has introduced a password generation feature on its password management platform to help users create stronger credentials.

Security experts also continue to recommend password managers, which securely store login details in encrypted vaults protected by a single master password and increasingly support passkey authentication across devices.

SUNDAY TRIBUNE