In 2024, the most commonly exposed password in data breaches was still “123456.” Not a clever variation, not even a minimal effort at security: six sequential digits that sit at the top of every attacker’s guess list, so “cracking” it takes no measurable time at all. According to NordPass’s annual analysis, the ten most common passwords in the world have barely changed in five years. The password “password” itself appeared among the top choices in every single industry studied, including healthcare. In the human resources sector, a field full of professionals who handle sensitive personal records for a living, “vacation” was one of the most popular options.
What has changed is not human behavior but attacker capability. Against a site that stored passwords with a fast hash such as MD5, SHA-1 or NTLM, a modern GPU rig tests billions to hundreds of billions of guesses per second. At that rate a six-character password, even one mixing letters and numbers, falls in seconds, while a 12-character password with genuine randomness holds out for centuries. Security researchers at JumpCloud put the gap between a complex 12-character password and a 6-character one at 62 trillion times; the exact ratio depends on the character set assumed, but with the 95 printable ASCII characters every added character multiplies the search space by 95, so six extra characters multiply it by 95^6, about 735 billion. Either way the difference is many orders of magnitude, not a percentage. One caveat: a site that uses a slow, salted hash such as bcrypt, scrypt or Argon2 cuts the attacker’s guess rate by a factor of thousands or more, but you cannot see how a site stores your password, so length is the defense that stays under your control.
Why the Standard Advice Often Fails
For years, the standard password advice has been: use uppercase letters, lowercase letters, numbers, and symbols. That advice is not wrong, but it misses the more important point, because people apply it predictably. Breach analyses consistently show that around 60% of people who follow complexity rules capitalize the first letter, add a number at the end, and substitute a common symbol for a vowel, producing passwords like “P@ssword1” or “Welcome@123” that look complex but are among the first things an attacker’s tool tries. A cracker does not guess character by character; it takes a dictionary word and applies exactly those transformations as rules.
Common substitutions, “3” for “e,” “@” for “a,” “0” for “o,” are in every password-cracking rule set because they are so widely used. A word with four substitutable letters yields only sixteen leetspeak variants, so the “disguise” costs the attacker a handful of extra guesses per dictionary word rather than a larger search space. Attackers know exactly how people think when they try to create “complex” passwords that are still memorable.
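To make the point concrete, here is an added example (not code from the original article) that imitates the word-mangling rules a cracking tool applies to a dictionary. The rule set is a hand-written subset in the spirit of hashcat or John the Ripper rules, and the word list is a constructed sample; a real dictionary has millions of entries and hundreds of rules, but the arithmetic is the same.

```python
"""Dictionary mangling in the style of a password cracker's rule engine.

Added example, not part of the original article. The handful of rules below
is a hand-written imitation of how tools such as hashcat and John the Ripper
mangle dictionary words (capitalise, leetspeak, append digits/symbols); the
rule set and the word list are a constructed sample, not a real cracking
dictionary.
"""
import itertools

# The substitutions people reach for when told to "add symbols and numbers".
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}

# Suffixes that turn up on the end of "complex" passwords over and over.
SUFFIXES = ["", "1", "12", "123", "!", "1!", "2024", "@123"]

# Constructed sample dictionary; a real one has millions of entries.
WORDLIST = ["password", "welcome", "summer", "dragon", "monkey"]


def capitalize_first(word: str) -> str:
    return word[:1].upper() + word[1:]


def leet_variants(word: str):
    """Yield the word with every subset of the LEET substitutions applied.

    A word with k substitutable letters produces 2**k variants, so a
    leetspeak "disguise" costs the attacker a few extra guesses per word,
    not a larger search space.
    """
    positions = [i for i, ch in enumerate(word) if ch in LEET]
    for r in range(len(positions) + 1):
        for subset in itertools.combinations(positions, r):
            chars = list(word)
            for i in subset:
                chars[i] = LEET[chars[i]]
            yield "".join(chars)


def mangle(word: str) -> set:
    """All candidates the rule set derives from a single dictionary word."""
    out = set()
    for base in (word, capitalize_first(word)):
        for variant in leet_variants(base):
            for suffix in SUFFIXES:
                out.add(variant + suffix)
    return out


def candidates(wordlist) -> set:
    """Every guess the rule set produces from the whole word list."""
    out = set()
    for word in wordlist:
        out |= mangle(word)
    return out


def covered(password: str, wordlist) -> bool:
    """True if the rule set would produce this password from the word list."""
    return password in candidates(wordlist)


if __name__ == "__main__":
    guesses = candidates(WORDLIST)
    print(f"{len(guesses)} guesses cover the whole rule set for {len(WORDLIST)} words")
    for pw in ("P@ssw0rd123", "Welcome@123", "Dragon1!", "table-river-cloud-seven"):
        print(f"{pw:25} covered={covered(pw, WORDLIST)}")
```

Five words and eight suffixes produce only 560 guesses, and “P@ssw0rd123,” eleven characters of apparent complexity, is one of them; the random-word passphrase is not, because no rule turns a dictionary word into four unrelated ones.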
What Actually Makes a Password Strong
Two factors matter more than anything else: length and genuine randomness. A passphrase of four unrelated common words, something like “table-river-cloud-seven,” is both easier to remember and vastly harder to crack than “P@ssw0rd123.” The condition is that the words are chosen by a random process, dice or a generator, not by you: four words you would naturally string together are a short quotation, not a random sample, and cracking tools try those too. This approach is one of the most practical improvements most people can make to their security immediately.
The math behind length is stark, but it rewards counting carefully. A fully random 8-character password drawn from the 95 printable ASCII characters has about 6.6 quadrillion (95^8) possible values; at a hundred billion guesses per second against a fast hash that is exhausted in under a day. A passphrase is measured in words, not characters, and its strength is the size of the word list raised to the number of words. Four words from a 2,000-word vocabulary give only 1.6 × 10^13 combinations, which is weaker than the random 8-character password. Four words from a 7,776-word Diceware list give 3.7 × 10^15, about the same. The gain comes from adding words, which is cheap for memory and expensive for the attacker: five words give 2.8 × 10^19 and six give 2.2 × 10^23, which at the same guess rate would take roughly 70,000 years to search. That assumes the attacker knows your word list and your method; the security is in the random choice, not in the secrecy of the approach.
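The arithmetic above, and the generator that the master-password question in the FAQ below calls for, as an added example that is not part of the original article. The word list is a short constructed sample so the script runs offline; a real deployment substitutes a large published list such as the EFF long word list (7,776 entries). The guess rate is an assumption standing in for a GPU rig attacking a fast unsalted hash.

```python
"""Search-space arithmetic for random passwords vs. random passphrases, plus a
Diceware-style generator.

Added example, not part of the original article. WORDS is a short constructed
list so the script runs offline; for real use substitute a large published list
such as the EFF long word list (7,776 entries) and let the generator, never a
human, choose the words. The guess rate is an assumption that represents a GPU
rig attacking a fast, unsalted hash; a slow hash such as bcrypt or Argon2 is
thousands of times slower.
"""
import math
import secrets

PRINTABLE_ASCII = 95            # letters, digits and symbols on a US keyboard
DICEWARE_WORDS = 7776           # size of the EFF long list (6**5)
FAST_HASH_GUESSES_PER_S = 1e11  # assumed attacker rate against MD5/NTLM-class hashes
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed sample only; a real list needs thousands of words to be useful.
WORDS = ["table", "river", "cloud", "seven", "anchor", "velvet", "marble",
         "orbit", "cactus", "lantern", "pepper", "quartz"]


def search_space(alphabet_size: int, length: int) -> int:
    """Number of equally likely values when each position is chosen at random."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2 of the search space: the usual single-number strength measure."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(alphabet_size: int, length: int,
                     guesses_per_second: float = FAST_HASH_GUESSES_PER_S) -> float:
    """Worst-case time to try every value at the assumed guess rate."""
    return search_space(alphabet_size, length) / guesses_per_second / SECONDS_PER_YEAR


def passphrase(wordlist, n_words: int = 5, sep: str = "-") -> str:
    """Pick words with the OS CSPRNG; random.choice is not suitable here."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def compare() -> dict:
    """Entropy in bits for the cases discussed in the text."""
    return {
        "random 8 chars, 95 symbols": entropy_bits(PRINTABLE_ASCII, 8),
        "random 12 chars, 95 symbols": entropy_bits(PRINTABLE_ASCII, 12),
        "4 words from 2,000": entropy_bits(2000, 4),
        "4 words from 7,776": entropy_bits(DICEWARE_WORDS, 4),
        "6 words from 7,776": entropy_bits(DICEWARE_WORDS, 6),
    }


if __name__ == "__main__":
    for label, bits in compare().items():
        print(f"{label:30} {bits:6.1f} bits")
    hours = years_to_exhaust(PRINTABLE_ASCII, 8) * SECONDS_PER_YEAR / 3600
    print(f"random 8 chars exhausted in about {hours:.0f} hours")
    print(f"6 Diceware words: about {years_to_exhaust(DICEWARE_WORDS, 6):,.0f} years")
    print("example passphrase:", passphrase(WORDS, 5))
```

The generator uses the `secrets` module deliberately: a passphrase chosen with `random.choice`, or by a person “picking words at random,” is not drawn uniformly, and the entropy figures only hold for a uniform draw from a list the attacker is assumed to know.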
Randomness also matters. A password that means something to you, your child’s name plus their birth year, your favorite band followed by your street number, is not random. Those patterns are exploitable, and much of the raw material is public. According to IBM research, 42% of people who have been hacked used passwords with personal significance to them that made them easier to guess.
The Specific Words and Patterns to Avoid
Beyond the general principles, certain choices are so predictable that attackers specifically target them in their cracking strategies:
Your own name, birthday, or any variation of them — name plus birth year is extremely common and among the first patterns cracking tools test.
Names of family members, partners, or pets — easily discovered through a quick look at your social media profiles.
The name of the service itself. NordPass research found that 20% of Fortune 500 company passwords contain the company name. In the hospitality industry this rate was even higher.
Pop culture references. “Superman” appeared in 584,697 known data breaches; “Blink-182” in over 482,000; “Minecraft” in over 200,000 — all from the Mailsuite analysis of the Pwned database.
Sequential keyboard patterns: “123456,” “qwerty,” “asdfgh.”
Common phrases: “iloveyou,” “letmein,” “monkey,” “dragon” — all among the most breached passwords globally.
The Reuse Problem Is the Bigger Threat
Even a genuinely strong password becomes a liability the moment it is reused across multiple accounts. LinkedIn was breached in 2012; the passwords had been stored as unsalted SHA-1 hashes, so the bulk of them were cracked, and in 2016 the full set of roughly 117 million credentials surfaced for sale online. Anyone who had reused their LinkedIn password on other services had those accounts exposed too, four years after the original intrusion, when the stolen data finally circulated on dark web markets.
In 2024-2025, credential stuffing, where attackers take leaked username and password pairs from one breach and automatically test them across hundreds of other websites, accounted for 22% of all confirmed data breaches globally, making it the single most common breach method. Nothing is cracked in this attack; it works only because the same password was used in two places, so a long random password offers no protection if it is reused. Tools that automate the process test stolen credentials against thousands of sites within hours of a breach becoming public.
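Credential stuffing also leaves a distinctive footprint in authentication logs, and the following added example (not from the original article) shows how a defender picks it out. The log format and every line in the sample are constructed for this demonstration, with addresses from the RFC 5737 documentation ranges; adapt the regular expression to your own identity provider or web server. The signature is what separates stuffing from ordinary brute force: one source trying many different usernames, each once or twice, with almost every attempt failing.

```python
"""Spotting credential stuffing in authentication logs.

Added example, not part of the original article. The log format and every
line in SAMPLE_LOG are constructed for this demonstration (addresses are from
the RFC 5737 documentation ranges); adapt LINE to your own IdP or web server
format. The signal used is the one that distinguishes stuffing from ordinary
brute force: one source trying MANY DIFFERENT usernames, each once or twice,
with almost every attempt failing.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one stuffing source, one single-user brute force, one
# legitimate user who mistyped once. Only the first should be flagged.
SAMPLE_LOG = """\
2025-03-01T10:00:00Z ip=203.0.113.5 user=alice result=FAIL
2025-03-01T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2025-03-01T10:00:04Z ip=203.0.113.5 user=carol result=FAIL
2025-03-01T10:00:06Z ip=203.0.113.5 user=dave result=FAIL
2025-03-01T10:00:08Z ip=203.0.113.5 user=erin result=FAIL
2025-03-01T10:00:10Z ip=203.0.113.5 user=frank result=FAIL
2025-03-01T10:00:12Z ip=203.0.113.5 user=grace result=FAIL
2025-03-01T10:00:14Z ip=203.0.113.5 user=heidi result=OK
2025-03-01T10:01:00Z ip=198.51.100.7 user=bob result=FAIL
2025-03-01T10:01:10Z ip=198.51.100.7 user=bob result=FAIL
2025-03-01T10:01:20Z ip=198.51.100.7 user=bob result=FAIL
2025-03-01T10:01:30Z ip=198.51.100.7 user=bob result=FAIL
2025-03-01T10:01:40Z ip=198.51.100.7 user=bob result=FAIL
2025-03-01T10:01:50Z ip=198.51.100.7 user=bob result=FAIL
2025-03-01T10:02:00Z ip=192.0.2.10 user=carol result=FAIL
2025-03-01T10:02:30Z ip=192.0.2.10 user=carol result=OK
"""

LINE = re.compile(
    r"(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)"
)


def parse(log_text: str) -> list:
    """Turn log lines into dicts with a timezone-aware datetime under 'ts'."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # tolerate unrelated lines
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return events


def detect_stuffing(events, window=timedelta(minutes=5),
                    min_distinct_users=5, min_fail_ratio=0.8) -> dict:
    """Return {ip: stats} for sources whose traffic looks like stuffing.

    For each source a time window slides over its attempts; an alert is raised
    when the window holds at least min_distinct_users different usernames and
    at least min_fail_ratio of the attempts failed. Successful logins inside
    such a window are the accounts whose reused password just worked.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(e["result"] == "FAIL" for e in win)
            if (len(users) >= min_distinct_users
                    and fails / len(win) >= min_fail_ratio
                    and (best is None or len(users) > best["distinct_users"])):
                best = {
                    "distinct_users": len(users),
                    "attempts": len(win),
                    "failures": fails,
                    "succeeded": sorted(e["user"] for e in win if e["result"] == "OK"),
                }
        if best:
            alerts[ip] = best
    return alerts


if __name__ == "__main__":
    for ip, stats in detect_stuffing(parse(SAMPLE_LOG)).items():
        print(ip, stats)
```

The single-user brute force from 198.51.100.7 is deliberately not flagged by this rule; it needs a different detector (many failures for one account), and the two signals should not be collapsed into one, because the response differs: lock or challenge one account versus force a reset for every account that succeeded from the stuffing source.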
According to SpyCloud, their database of recovered credentials grew 22% to over 53 billion records by early 2025. That is 53 billion username-password combinations in circulation that attackers can test against your accounts right now. If you reuse any password that was ever part of a breach, your other accounts may already be vulnerable.
A Practical System That Works at Scale
Managing genuinely unique, strong passwords for 170 accounts, the average number a person maintained in 2024, is not possible without tools. The solution is a password manager. Applications like Bitwarden (free and open-source), 1Password, or Dashlane generate and store long random passwords that are unique to every account. You remember one strong master password; the manager handles everything else.
If you are not ready to adopt a password manager today, apply this priority hierarchy: use your strongest, most unique passwords on your email account first (it is the master key to everything else), then on financial accounts, then on anything that stores sensitive personal data. At minimum, never reuse the same password across your email, your bank, and any other account.
Check If Your Passwords Have Already Been Exposed
The website HaveIBeenPwned.com, maintained by security researcher Troy Hunt and used by government agencies around the world, lets anyone check for free, in under a minute, whether their email address has appeared in a known data breach. If your address shows up, change the passwords for those accounts immediately, especially if you reused that password anywhere else. The same site’s Pwned Passwords service checks a password itself against hundreds of millions of breached passwords, and it does so without the password ever leaving your machine: the client sends only the first five characters of the password’s SHA-1 hash, receives every breached hash sharing that prefix, and does the match locally (a technique called k-anonymity), which is why password managers can build this check in safely. Both are among the most underused and most valuable security tools available to everyday users.
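The k-anonymity exchange described above, as an added example that is not part of the original article. The range endpoint and its SUFFIX:COUNT response format are the real public Pwned Passwords API; `fake_fetch_range` is a constructed stand-in so the script runs offline, and its counts are illustrative, not real breach figures. `fetch_range_live` performs the real query and runs only if you pass it in.

```python
"""Checking a password against Pwned Passwords without revealing it.

Added example, not part of the original article. The range endpoint
(https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>) and its
SUFFIX:COUNT response format are HIBP's real public API; fake_fetch_range is a
constructed stand-in so this runs offline, and its counts are illustrative,
not real breach figures.
"""
import hashlib
import urllib.request


def sha1_hex_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and suffix:
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """How many times the password appears in the corpus; 0 if never seen.

    Only the first five hex characters of the SHA-1 leave the machine. The
    server returns every suffix in that bucket (hundreds of them) and the
    match is done locally, so the service never learns which one you hold.
    """
    digest = sha1_hex_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Real query against the public API (not called by default)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "pwned-passwords-range-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed offline stand-in: pretends only these passwords are in the corpus.
_FAKE_CORPUS = {
    sha1_hex_upper("password"): 10_000_000,
    sha1_hex_upper("123456"): 50_000_000,
    sha1_hex_upper("P@ssw0rd123"): 20_000,
}


def fake_fetch_range(prefix: str) -> str:
    """Mimic the server: return every known suffix in the requested bucket."""
    lines = [f"{h[5:]}:{c}" for h, c in _FAKE_CORPUS.items() if h[:5] == prefix.upper()]
    # Real responses hold hundreds of hashes per bucket; two constructed neighbours.
    lines += ["0" * 35 + ":3", "F" * 35 + ":1"]
    return "\r\n".join(lines)


if __name__ == "__main__":
    for pw in ("password", "P@ssw0rd123", "table-river-cloud-seven"):
        print(f"{pw:25} seen {breach_count(pw, fake_fetch_range):,} times")
```

The privacy argument rests on the bucket size: five hex characters split the SHA-1 space into about a million buckets, so a server seeing one prefix learns almost nothing about which of the several hundred passwords in that bucket you typed. Any non-zero count means the password is in circulation and should not be used, regardless of how strong it looks.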
Frequently Asked Questions
Q: How long should my password actually be?
A: Security researchers generally recommend a minimum of 12 characters, with 16 or more being significantly better. Length provides exponential protection: each added character multiplies the number of possibilities by the size of the character set, so going from 6 to 12 fully random characters multiplies the attacker’s work by 95^6, roughly 735 billion for the full printable set (published estimates vary with the character set assumed). For your most important accounts, email, banking, and the password manager master password, aim for 20+ characters using a passphrase approach.
Q: Is it okay to write passwords down on paper?
A: Writing passwords down on paper and keeping that paper in a secure physical location — a locked drawer at home, for example — is significantly safer than reusing simple passwords across accounts. The threat model for most people is remote attackers, not physical theft of their home. That said, a password manager is safer, more convenient, and eliminates the risk of losing the paper.
Q: Should I change my passwords regularly?
A: The older advice to change passwords every 90 days has largely been withdrawn by security experts, including NIST (the US National Institute of Standards and Technology), whose Digital Identity Guidelines (SP 800-63B) tell services not to force periodic changes. Frequent mandatory changes tend to produce weaker passwords as people resort to predictable variations such as incrementing a trailing digit. A better approach: use strong, unique passwords, monitor for breaches using HaveIBeenPwned, and change a password when you have a specific reason to believe it may be compromised.
Q: What makes a master password for a password manager secure?
A: Your password manager master password needs to be both strong and memorable, since you cannot store it in the manager itself. A passphrase of five or six words drawn at random from a large word list is ideal: long enough to resist cracking, memorable enough that you will not forget it. The pattern is the famous “correct-horse-battery-staple,” but that exact phrase, and any other you have seen in print, is in every cracking dictionary; generate your own. Write it down and store it in a physically secure location until you have it fully memorized, then destroy the paper.