A major cybersecurity report has revealed that 68 percent of modern passwords can be cracked within just one day — a finding that should make every internet user stop and think about how safe their accounts really are.
The report, published by cybersecurity firm Kaspersky, is based on an analysis of 231 million unique passwords that were leaked between 2023 and 2026. The findings paint a worrying picture of how predictable and vulnerable most people’s passwords actually are.
The Most Common Mistakes People Make
The research found that the vast majority of compromised passwords either begin or end with a digit — a very common habit that makes them far easier to crack through brute-force attacks. Users also frequently rely on positive or trending words in their passwords. For example, the use of the word “Skibidi” in analysed passwords increased 36-fold over recent years, reflecting how internet trends directly influence password choices.
Among passwords containing only one symbol, the “@” sign is the most commonly used, appearing in 10 percent of cases, followed by a dot (.) found in 3 percent of passwords. Numbers also follow very predictable patterns — 53 percent of examined passwords end with digits, 17 percent begin with digits, nearly 12 percent contain a numeric sequence resembling a date between 1950 and 2030, and 3 percent include simple keyboard sequences such as “qwerty.” The most commonly used pattern of all remains the basic numeric sequence “1234.”
Even Long Passwords Are Not Safe Anymore
The report also highlighted a growing and alarming trend — short passwords of up to eight characters are typically cracked through brute-force attacks in less than a day. However, due to AI-powered smart algorithms, more than 20 percent of 15-character passwords can now be broken in under a minute.
This means that simply making your password longer is no longer enough on its own to stay protected.
What the Experts Say
Alexey Antonov, Data Science Team Lead at Kaspersky, warned that commonly used symbols, numbers, or dates — especially when placed in obvious positions such as the beginning or end of a password — significantly simplify brute-force attacks for cybercriminals. He strongly recommended using less common characters and avoiding numeric or keyboard sequences entirely.
“Brute-force attacks work by systematically trying every possible character combination until the correct password is found. When attackers already know which characters users tend to favour, the time required to crack a password drops dramatically. To avoid choosing predictable symbols, users should rely on dedicated password generators that create random combinations of letters, numbers, and symbols with equal probability,” Antonov said.
How to Protect Yourself
Based on the report’s findings, here are the key steps every internet user should take right now:
- Never start or end your password with a number
- Avoid using trending words, names, or phrases
- Do not use keyboard sequences like “qwerty” or “1234”
- Use a password manager or generator for truly random passwords
- Make passwords at least 15 characters long — but ensure they are genuinely random
- Use a different password for every account
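
The patterns the report describes can be checked at the moment a password is chosen. The following Python code is an added example, not code from Kaspersky or the report; the function names, the year regex, and the short word lists are assumptions made for illustration.

```python
import re

# Constructed sample lists; a real deployment would use larger ones.
KEYBOARD_RUNS = ("qwerty", "asdf", "zxcv")
TRENDING_WORDS = ("skibidi",)
# Assumption: "resembling a date" is approximated as a year 1950-2030.
YEAR = re.compile(r"19[5-9]\d|20[0-2]\d|2030")

def has_digit_run(pw, length=4):
    """True if pw contains `length` consecutive ascending digits, e.g. 1234."""
    for i in range(len(pw) - length + 1):
        chunk = pw[i:i + length]
        if chunk.isascii() and chunk.isdigit() and all(
            int(chunk[j + 1]) - int(chunk[j]) == 1 for j in range(length - 1)
        ):
            return True
    return False

def audit_password(pw):
    """Return a sorted list of the report's predictable patterns found in pw."""
    findings = set()
    lower = pw.lower()
    if pw[:1].isdigit():
        findings.add("starts_with_digit")
    if pw[-1:].isdigit():
        findings.add("ends_with_digit")
    if YEAR.search(pw):
        findings.add("date_like_1950_2030")
    if has_digit_run(pw):
        findings.add("numeric_sequence")
    if any(run in lower for run in KEYBOARD_RUNS):
        findings.add("keyboard_sequence")
    if any(word in lower for word in TRENDING_WORDS):
        findings.add("trending_word")
    # The report singles out "@" and "." as the usual lone symbol.
    symbols = [c for c in pw if not c.isalnum()]
    if len(symbols) == 1 and symbols[0] in "@.":
        findings.add("single_common_symbol")
    if len(pw) < 15:
        findings.add("shorter_than_15")
    return sorted(findings)

if __name__ == "__main__":
    for sample in ("Skibidi2024", "1234qwerty@", "vK#r8Lq!zT^m2Wp&xY"):
        print(sample, audit_password(sample))
```

An empty result only means none of these specific patterns was found; it does not show that the password was randomly generated.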


