68% of passwords can be cracked within a day

By Sibahle Malinga, ITWeb senior news journalist.
Johannesburg, 08 May 2026
AI-driven cracking tools expose weaknesses in modern password practices. (Image source: 123RF)

More than 50% of leaked passwords end with a number, and the “@” symbol appears in 10% of cases, according to Kaspersky research.

This highlights persistent weaknesses and predictability in user password behaviour, particularly as AI is increasingly being used by hackers to exploit predictable habits.

Kaspersky experts analysed 231 million unique passwords from major password leaks between 2023 and 2026.

The security firm says it revisited existing research conducted in 2024 to provide new stats for World Password Day, observed on 7 May 2026. The 2024 database was expanded by an additional 38 million real passwords posted by attackers on dark web forums.

The latest data points to highly predictable structures, widespread re-use of common patterns and growing concerns about how quickly modern passwords can be compromised.

According to Kaspersky: “68% of modern passwords can be cracked by hackers within a day. This underscores how quickly attackers can break into accounts using brute-force and artificial intelligence (AI)-driven techniques.”

The research further shows that even passwords that appear to meet standard complexity requirements remain vulnerable if they follow predictable structures.

“60.2% of all analysed passwords – regardless of length – can be cracked in about an hour, while 68.2% can be cracked in a day. In addition, short passwords of up to eight characters are typically cracked in under a day.

“However, even longer credentials are not immune, with more than 20% of 15-character passwords broken in less than a minute using AI-powered approaches,” notes the research.

Kaspersky’s analysis shows that predictability remains a core weakness in password creation. The report states that 53% of examined passwords end with digits, while 17% begin with digits.

“Nearly 12% of passwords include a numeric sequence that resembles a date (from 1950 to 2030) and 3% of leaked passwords include keyboard sequences like ‘qwerty’ or ‘ytrewq’, but most of them are digital sequences like ‘1234’.”

The report also shows that users tend to rely on a small set of familiar symbols. Among leaked passwords containing a single special character, the “@” symbol appears in 10% of cases, followed by the dot (.) at 3% and the exclamation mark (!).

These patterns, according to the report, significantly reduce the effort required for attackers using brute-force methods.

Alexey Antonov, data science team lead at Kaspersky, explains the security implications of these patterns.

“Brute-force works by systematically trying every possible character combination until the correct password is found. When attackers already know which characters users tend to favour, the time required to crack a password drops dramatically.

“To avoid the temptation of choosing predictable symbols, entrust password creation to dedicated generators that produce random letters, numbers and symbols with equal probability,” advises Antonov.
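The structures the report lists can be checked for when a password is set, and Antonov's advice maps onto a generator that draws every character with equal probability. The sketch below is an added example, not code from Kaspersky or from this article; the function names, the three-entry sequence list and the reading of "resembles a date" as a standalone year from 1950 to 2030 are assumptions.

```python
import re
import secrets
import string

# The three sequences the report names; extend for a real policy (assumption).
SEQUENCES = ("qwerty", "ytrewq", "1234")
# Symbols the report lists for passwords with a single special character.
COMMON_SYMBOLS = "@.!"
# Assumption: "resembles a date" is read as a standalone year, 1950 to 2030.
YEAR_RE = re.compile(r"(?<!\d)(19[5-9]\d|20[0-2]\d|2030)(?!\d)")
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def predictable_patterns(password):
    """Return the report's predictable structures found in a candidate password."""
    found = []
    if password[-1:].isdigit():
        found.append("ends_with_digit")
    if password[:1].isdigit():
        found.append("starts_with_digit")
    if YEAR_RE.search(password):
        found.append("date_like_number")
    if any(seq in password.lower() for seq in SEQUENCES):
        found.append("keyboard_or_digit_sequence")
    specials = [c for c in password if c in string.punctuation]
    if len(specials) == 1 and specials[0] in COMMON_SYMBOLS:
        found.append("single_common_symbol")
    return found


def generate_password(length=20):
    """Pick every character independently and uniformly from ALPHABET (OS CSPRNG)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    # Constructed candidates, not taken from any leak.
    for candidate in ("Summer2024", "1qwerty@", generate_password()):
        print(repr(candidate), predictable_patterns(candidate))
```

The checker is meant for user-chosen passwords: a uniformly generated one can still end in a digit by chance, which costs nothing because that digit was not chosen by habit.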

Emotional language

Beyond structure, the content of passwords also reveals behavioural trends. Kaspersky notes that users frequently rely on emotionally positive or culturally trending words.

The report highlights increased use of the word “Skibidi”, which surged 36 times between 2023 and 2026 in line with its popularity online. Positive words such as “love”, “magic”, “friend”, “team”, “angel” and “star” also appear frequently, alongside occasional negative terms like “hell”, “devil”, “nightmare” and “scar”.

“These linguistic choices further weaken password strength by introducing predictability into credential creation.”

Shayimamba Conco, security evangelist: Africa at Check Point Software Technologies, warns that even strong passwords can’t save users from AI, infostealers and the Telegram underground.

The cyber threat landscape, he adds, has rapidly evolved into an industrialised cyber crime-as-a-service economy fuelled by generative AI. Hackers are no longer breaking in − they are simply logging in.

“This year's World Password Day is one where we pull back the curtain on the global industrial marketplace that has quietly been built on the back of our collective password failures − a machinery that is now, for the first time, being turbocharged by AI in ways that are fundamentally changing the rules of engagement,” he explains.

According to Conco, the underground economy supporting this ecosystem has also shifted, with dark web forums now largely used for credibility, while transactions move to Telegram channels and automated bots, speeding up monetisation of stolen data.

Pricing data from the 2025/2026 Dark Web Price Index shows hacked Facebook accounts selling for around $45, Gmail accounts between $60 and $65, while high-value financial logins can exceed $1 000. Corporate access remains the most lucrative segment, with some privileges surpassing $113 000.

“The scale of this underground economy is staggering,” Conco continues.

“There is a GenAI blind spot… copy-pasting into browsers has surpassed file transfers as the top corporate data exfiltration vector. There are evolving, continuous risks from unmanaged AI usage and data leakage.”
