New research reveals just how easy it is for hackers to crack the average password, and what users need to change to stay protected.
Vast Majority of Passwords Remain Weak
A new analysis of 10 million compromised passwords has found that almost all of them, 98.5%, fail to meet basic security standards. The data, pulled from a much larger collection of over a billion leaked credentials, was reviewed by cybersecurity firm Specops. Their research paints a bleak picture of current password practices.
By plotting password length against character complexity, the team created a heatmap that showed where weak combinations tend to fall. Only 1.5% of the analyzed passwords qualified as strong, defined as being at least 15 characters long and including two or more types of characters, such as letters and numbers or symbols.
The most common weak passwords in the dataset were just eight characters long and included only two character types. Examples included predictable formats like "Summer22" or "Office99". Around 8% of all reviewed passwords fit this short and simple pattern. Another 7.6% included only one character type, such as lowercase letters, and also used eight characters or fewer.
Short Passwords, Big Problems
Security professionals have long warned that weak passwords give attackers an easy way in. Once they gain access to a single account, especially with reused credentials, hackers can often move laterally across systems, access sensitive data, and avoid detection.
Modern brute-force tools have also changed the game. With GPUs and cloud-based cracking rigs, attackers can test billions of combinations per second. That makes anything under 12 characters a soft target. Encryption techniques like hashing or salting can help, but they cannot compensate for poor password construction.
In large-scale attacks, botnets are often deployed to test stolen credentials across multiple services. These distributed attempts can get around rate limits and other basic protections, boosting the odds of success. Even systems with strong access controls remain at risk when users rely on short or recycled passwords.
The 15-Character Benchmark
The Specops team recommends aiming for at least 15 characters with mixed character types. Passwords built this way are far less susceptible to brute-force methods. Adding digits or symbols expands the total number of possible combinations. For example, adding numbers to a lowercase-only password expands the character space from 26 to 36 options, which increases the total possibilities exponentially. That difference alone makes a big impact when scaled to 15 or more characters.
This threshold isn't arbitrary. Passwords that meet the 15-character minimum, and use two or more character classes, often require centuries to crack, even with advanced hardware. The Specops report estimates that crack time moves from hours to years once passwords exceed this length and complexity.
Why Password Reuse Makes It Worse
Length and complexity help, but uniqueness matters too. Reused passwords, even strong ones, lose their strength when found in leaked datasets. Attackers often rely on massive password lists compiled from previous breaches, making reused credentials an open door rather than a locked gate.
The presence of billions of compromised passwords in circulation means any reused credential is a liability. Even those meeting the minimum standards may be vulnerable if they appear in known breach databases.
What You Can Do to Stay Safe
The best defense is using unique, lengthy passwords for every account. Password managers can help users generate and store strong combinations without relying on memory. These tools also reduce the temptation to reuse passwords across different platforms.
Security experts are also recommending a move toward passkeys, a newer authentication method supported by Google, Microsoft, and other major platforms. Passkeys avoid the password problem altogether by relying on device-based cryptographic keys that are resistant to phishing and credential stuffing.
In the meantime, the most practical step users can take is to check whether their credentials have appeared in any data leaks and replace anything that doesn’t meet the new standard. Anything under 15 characters, or lacking variety in character types, is best retired before it’s exploited.
Notes: This post was edited/created using GenAI tools.
Read next: OpenAI’s Internal Culture Revealed: Product Speed, Engineering Challenges, and Limited Safety Transparency
