68% of modern passwords can be cracked within a day, Kaspersky research reveals
Kaspersky experts analyzed 231 million unique passwords in major password leaks from 2023 to 2026, and uncovered several key patterns. First, 68% of modern passwords can be cracked within a day. Second, it turned out that the vast majority of compromised passwords either begin or end with a digit – a common pattern that makes them potentially vulnerable to brute force attacks. And third, users also favor positive and trending words; for example, over the past couple of years, use of the word “Skibidi” in analyzed passwords increased 36-fold, mirroring the rise of that internet trend.
In recent years, the rules for secure passwords have become a widely discussed topic. More and more services now demand passwords that are at least 10 characters long, include an uppercase letter, and contain a number or a symbol. Yet a comparative analysis of leaked passwords from the past few years shows that even following some of those rules does not guarantee resistance to brute‑force or AI‑driven attacks.
Kaspersky experts share practical advice on how to make passwords more complex and secure, and how not to repeat common mistakes.
Among the leaked passwords that contain just one symbol, the “@” sign tops the list, appearing in 10% of cases. The next most common symbol is a dot (.), found in 3% of passwords.
Numbers also follow similarly predictable patterns: 53% of examined passwords end with digits, 17% begin with digits, and nearly 12% include a numeric sequence that resembles a date (from 1950 to 2030). In addition, 3% of leaked passwords include keyboard sequences like “qwerty” or “ytrewq”, but most of them are digit sequences like “1234”.
Alexey Antonov, Data Science Team Lead at Kaspersky, notes that commonly used symbols, numbers, or dates – especially when placed in obvious positions (such as at the beginning or end of a password) – significantly simplify brute force attacks for cybercriminals. That’s why it’s highly recommended to give preference to less popular characters, and avoid numeric or keyboard sequences.
“Brute force works by systematically trying every possible character combination until the correct password is found. When attackers already know which characters users tend to favor, the time required to crack a password drops dramatically. To avoid the temptation of choosing predictable symbols, entrust password creation to dedicated generators that produce random letters, numbers, and symbols with equal probability”, says Alexey.
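As an added illustration (not Kaspersky's code or methodology), the Python sketch below flags the patterns listed above in a candidate password and generates one by drawing every character uniformly from a CSPRNG. The keyboard rows beyond the quoted sequences, the four-key run length, and treating any four-digit value from 1950 to 2030 as date-like are assumptions of this example.

```python
import re
import secrets
import string

# Rows scanned for runs; the page quotes "qwerty", "ytrewq" and "1234".
# The other rows and the run length of 4 are assumptions of this example.
KEY_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
# Every four-digit window (overlapping) is later range-checked as a year.
YEAR_WINDOW = re.compile(r"(?=(\d{4}))")


def has_keyboard_run(pw: str, n: int = 4) -> bool:
    """True if pw contains n adjacent keys of one row, forwards or reversed."""
    low = pw.lower()
    for row in KEY_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + n] in low for i in range(len(seq) - n + 1)):
                return True
    return False


def predictable_patterns(pw: str) -> list[str]:
    """Return the names of the patterns from the research that pw matches."""
    found = []
    if pw[:1].isdigit():
        found.append("starts_with_digit")
    if pw[-1:].isdigit():
        found.append("ends_with_digit")
    if any(1950 <= int(y) <= 2030 for y in YEAR_WINDOW.findall(pw)):
        found.append("date_like_number")
    if has_keyboard_run(pw):
        found.append("keyboard_or_digit_sequence")
    symbols = [c for c in pw if c in string.punctuation]
    if len(symbols) == 1 and symbols[0] in "@.":
        found.append("single_common_symbol")
    return found


def generate_password(length: int = 16) -> str:
    """Pick each character with equal probability using the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample passwords, not taken from any leak.
    for pw in ("Skibidi2024", "qwerty@1", "1234love", "gT#r9~Lw;Vq)Zu!K"):
        print(f"{pw!r}: {predictable_patterns(pw) or 'no listed pattern'}")
    print("generated:", generate_password())
```

An empty result only means none of these specific patterns matched; it is not a strength estimate.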
The research shows that emotional and trending words frequently become the basis for a password.
Kaspersky experts have also analyzed the occurrence of positive and negative words in passwords, and it turned out that positive words are much more common than negative ones. Among those regularly appearing are positive words like “love”, “magic”, “friend”, “team”, “angel”, “star” and “eden”. However, words like “hell”, “devil”, “nightmare” and “scar” also occur.
“Using a single-word password, even with a trailing number or a special character, is a weak choice. The pattern is too predictable, making it easy for attackers to guess. Instead, craft a passphrase that strings together several unrelated words, each supplemented with internal numbers and symbols, and sprinkle in a few intentional misspellings. The longer and more random and unpredictable the password is, the harder it is to crack. As an additional way to protect yourself, enable two-factor authentication (2FA) wherever possible”, recommends Alexey Antonov.
It’s well known that longer passwords are harder to crack, and the analysis of leaked passwords confirms this principle. However, with the rise of AI-driven tools, length alone no longer guarantees security: even lengthy passwords can be compromised if they follow predictable patterns.
The research shows that short passwords of up to eight characters that appeared in the leak are typically cracked by brute force attacks in under a day. However, thanks to AI-powered smart algorithms, more than 20% of 15-character passwords can be broken in less than a minute.
What’s more, 60.2% of all analyzed passwords – regardless of length – can be cracked in about an hour, and 68.2% in a day.
In modern terms, truly secure passwords not only meet the gold standard of 16+ characters, but also consist of random, non-repeating letters, numbers, and symbols, and are unique for each account. To help users create such passwords, Kaspersky has added a password generation feature to the Kaspersky Password Generator website.
For easy and secure password management, auto-fill, and cross-device synchronization, consider using Kaspersky Password Manager, in which all credentials are stored in a secure vault and protected by a single master password.















