‘We must do more to protect our credentials’: Password security has barely changed since 2015 — and that's a big problem for everyone
Password trends haven't changed enough since 2015
- Samples of passwords from 2015 and 2025 have been compared
- Password security is improving, but passwords are still being reused
- People struggle to remember unique passwords
Despite the rise of many tools to make securing credentials easier, not enough has changed in password habits over the past 10 years.
Cybersecurity researcher Jeremiah Fowler has compared password trends from 2015 to a monumental leak of passwords in 2025 to understand what habits - if any - have changed.
The findings show that 2025’s recommended practices for a secure password are incompatible with human memory.
Password trends
The samples analyzed by Fowler show that over the past 10 years, only 15% of passwords could be classified as genuinely complex - at least 12 characters long and made up of uppercase and lowercase letters, numbers, and symbols, with no structure or patterns.
The other 85% of passwords are considered easy or predictable. These are passwords that contain names, memorable phrases, or common structures (“password,” “admin,” or “qwerty”) with numbers and special characters attached. The problem with using memorable phrases and structures in passwords is that it makes them more vulnerable to brute force attacks.
The good news is that passwords containing keyboard walks, waterfalls, and spatial patterns (such as “qwertyuiop”) have fallen by 15%-20% since 2015. Similarly, keywords such as “admin” and “password” have fallen by the same percentage.
The number of passwords that appear to have been created by a password generator has also increased by around 10%-12%. However, one critical weakness remains for all passwords.
Fowler cites a 2024 study that found the average person has around 168 passwords across all of their online accounts. Remembering a strong, unique password for each of these accounts simply isn’t feasible for the average person, and so people erase the potential security a strong password could have by reusing it across their accounts.
“We often take a lazy approach to passwords at our own risk, choosing convenience over security,” Fowler explained.
“Even forced password complexity rules are not a silver bullet solution if they are reused on multiple accounts, exposed in a data breach, or compromised by malware. It is a fact that criminals are becoming more sophisticated, the use of AI in cyber-crime is growing, and we must do more to protect our credentials.”
The best way to secure all of your online accounts is to use a password manager - there are many paid services to choose from, with many brands also offering free password manager plans to help keep your accounts secure.
Using an authenticator app can also enhance your account security by requiring a second method of verification through a separate device or biometric identifier.
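The complexity criteria and the reuse problem described above can be checked together in a credential audit. The following is an added example, not part of the original article and not Fowler's methodology; the substitution table, keyboard layout, minimum walk length, and sample vault are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Base words quoted in the article; a real audit would load a large list of names and phrases.
COMMON_BASES = ("password", "admin", "qwerty")
# US QWERTY rows (assumed layout) for spotting walks such as "qwertyuiop".
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
WALK_LEN = 4  # assumed minimum run that counts as a keyboard walk
LEET = str.maketrans("@0$1!3", "aosiie")  # undo common character substitutions


def has_keyboard_walk(pw):
    low = pw.lower()
    runs = (seq[i:i + WALK_LEN]
            for row in KEYBOARD_ROWS for seq in (row, row[::-1])
            for i in range(len(seq) - WALK_LEN + 1))
    return any(run in low for run in runs)


def weaknesses(pw):
    """Return the reasons a password misses the article's 'complex' bar."""
    found = []
    if len(pw) < 12:
        found.append("shorter than 12 characters")
    if not all(re.search(c, pw) for c in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")):
        found.append("missing a character class")
    if any(base in pw.lower().translate(LEET) for base in COMMON_BASES):
        found.append("common base word")
    if has_keyboard_walk(pw):
        found.append("keyboard walk")
    if re.fullmatch(r"[A-Za-z]+[\d\W_]+", pw):
        found.append("word with digits/symbols attached")
    return found


def reused(accounts):
    """Group account names that share one password, however strong it is."""
    groups = defaultdict(list)
    for name, pw in accounts.items():
        groups[pw].append(name)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


# Constructed sample vault, not taken from any leak.
SAMPLE = {"mail": "kT9#vLq2@Zr7xP", "bank": "kT9#vLq2@Zr7xP",
          "forum": "P@ssw0rd!2025", "shop": "Jennifer1987!", "wiki": "Qwertyuiop123!"}

if __name__ == "__main__":
    for name, pw in SAMPLE.items():
        print(name, weaknesses(pw) or "complex")
    print("reused across:", reused(SAMPLE))
```

In the sample, the only password that passes every complexity check is also the one shared between two accounts, which is the weakness the article highlights.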


Benedict has been with TechRadar Pro for over two years, and has specialized in writing about cybersecurity, threat intelligence, and B2B security solutions. His coverage explores the critical areas of national security, including state-sponsored threat actors, APT groups, critical infrastructure, and social engineering.
Benedict holds an MA (Distinction) in Security, Intelligence, and Diplomacy from the Centre for Security and Intelligence Studies at the University of Buckingham, providing him with a strong academic foundation for his reporting on geopolitics, threat intelligence, and cyber-warfare.
Prior to his postgraduate studies, Benedict earned a BA in Politics with Journalism, providing him with the skills to translate complex political and security issues into comprehensible copy.