New analysis of one billion leaked credentials reveals that most people reuse weak passwords

Companies like Google, Microsoft, and even non-profits like the National Cyber Security Alliance all want to kill the password in the near future. In the meantime, passwords remain the most used tool for securing online accounts, and people aren’t getting any better at choosing adequate ones that would make life more difficult for hackers.
Every year we find that more and more people are picking the worst possible passwords to secure their devices and online accounts. Many still insist on using the classic “123456” and “qwerty,” or a seemingly unsophisticated combination of the two. Even worse, study after study has shown that many users don’t change their passwords even after their credentials are exposed in a data breach.

A new analysis conducted by Turkish student Ata Hakçıl at a university in Cyprus found the same theme of weak passwords being reused. After looking at large data dumps of username and password combinations that have been leaked over the last decade in various data breaches, Hakçıl noted that one out of every 142 passwords was “123456.”

Despite the efforts of security researchers and online services to encourage the use of more complex passwords throughout the years, only 40,000 of the one billion that were analyzed were of the “high entropy” type — meaning they’re more difficult to guess thanks to their length and the use of digits, uppercase characters, and special characters.

Security experts recommend longer passwords as opposed to short, random ones that are difficult to remember. However, the average length of the passwords in the study is a little over nine characters, which is above the eight characters minimum recommended by the National Institute of Standards and Technology but also lower than the FBI’s recommended length of at least 15 characters.

Companies like Google are on a mission to stop people from reusing passwords through things like the Security Checkup Dashboard, going as far as to integrate it in Chrome. Apple is adding a similar feature in Safari on macOS Big Sur, and you can always check Troy Hunt’s Have I Been Pwned database to see if one of your accounts has been compromised in a recent hack.

Still, powerful hardware and artificial intelligence have made guessing passwords a lot easier in recent years, which is why password managers that can remember much longer passwords for you are so popular nowadays. It also doesn’t hurt to use multi-factor authentication.