- Predictable password habits continue to enable attackers who rely on automated large-scale cracking
- Length remains the defining factor that determines a password’s actual resistance
- Administrators heavily influence password strength through the rules they choose
Yet more research has revealed that when it comes to thinking up strong passwords, we're all still pretty useless.
A report from Comparitech examining more than two billion exposed passwords found variations of sequential digits still dominate, with many of the most popular passwords are simple combinations created by running a finger across the first row of the keyboard.
Despite repeated warnings from security professionals, predictable passwords such as “123456”, “admin”, or even “password” continue to be among the most frequently used credentials.
Users mostly adapt common templates
Even supposedly improved versions, such as Aa123456 or Aa@123456, appear frequently and remain very predictable, the report notes, suggesting many users simply adapt common templates rather than adopting meaningful complexity or length.
The researchers say the root problem remains that many people choose short passwords that are easy to recall but also easy to compromise.
They are often made entirely of numbers, which are quickly defeated by modern cracking tools.
A significant portion of leaked strings includes the sequence 123, while others rely on similar numeric progressions.
Length and combination are key because longer passphrases are far more effective than short strings padded with arbitrary symbols.
Even small alterations can make a difference, because adding unexpected characters to a lengthy phrase drastically increases the time required to guess it.
Security researchers note that longer constructions also reduce the cognitive load on users who struggle with memorising complex mixtures of numbers and symbols.
In professional environments, administrators influence password strength more than users themselves.
Where organizations enforce minimal rules, employees frequently adopt the lowest permitted standard, creating widespread weaknesses that automated attacks can exploit at scale.
When requirements emphasise length and consistency, password quality improves by necessity, even if individuals still rely on predictable structures.
The enforced expansion of characters increases the computational effort required for brute-force attacks, making large-scale compromises more difficult.
Support tools can help shift these habits. A dedicated password manager can generate and store lengthy combinations that users no longer need to memorise.
Password generators inside browsers also offer some assistance, although reliability varies when software updates introduce unexpected behaviour.
For companies managing a wide range of accounts, a business password manager provides more structured enforcement.
They help administrators apply rules that reflect current security recommendations rather than outdated conventions.
Taken together, the latest findings suggest the core challenge is behavioural rather than technological - as unfortunately, users continue choosing ease over safety, and attackers continue capitalizing on those choices with increasingly efficient cracking methods.
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.