In recent years, standards for creating strong passwords have become especially relevant. More and more services require passwords of at least 10 characters, with capital letters, numbers or symbols. However, comparative analysis of leaked passwords shows that partially complying with these rules does not guarantee resistance to brute force or AI-driven attacks.

Kaspersky analysts have studied 231 million unique passwords from major breaches recorded between 2023 and 2026, identifying several key patterns. First, 68% of today’s passwords can be cracked in less than a day and 60% in about an hour. Additionally, most compromised passwords begin or end with a number, a repeating pattern that facilitates mass unauthorized access attempts.

Kaspersky analysts share some practical recommendations for creating stronger passwords and avoiding common mistakes.

Avoid predictable patterns in symbols and numbers

Among the leaked passwords that include a single symbol, the most used is “@”, present in 10% of cases. It is followed by the period (.) in 3% and the exclamation mark (!).

As for the numbers, very predictable patterns are also repeated:

• 53% of the passwords analyzed end in numbers

• 17% start with numbers

• About 12% include sequences reminiscent of dates (between 1950 and 2030)

• 3% contain keyboard sequences such as “qwerty” or “ytrewq”, although numerical combinations such as “1234” predominate.

According to Alexey Antonov, head of Kaspersky’s Data Science team, the use of common symbols, numbers or dates, especially at the beginning or end of the password, considerably facilitates brute force cyber attacks.

“Brute force attacks systematically try all possible combinations until the correct one is found. If cybercriminals know the most common patterns, the time needed to crack a password is drastically reduced. To avoid this, it is best to use password generators that create random combinations of letters, numbers and symbols,” he explains.
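The patterns listed in this section can be checked at password-creation time. The following Python sketch is an added example, not Kaspersky's code or methodology; the function names, the four-key minimum for a keyboard sequence and the sample passwords are assumptions made for illustration.

```python
import re

# Keyboard rows used to detect walks such as "qwerty" or its reverse "ytrewq".
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
COMMON_SYMBOLS = "@.!"   # the three symbols the study names as most used
MIN_RUN = 4              # assumption: flag walks of 4+ keys ("1234", "qwer")


def has_keyboard_walk(password, min_run=MIN_RUN):
    """True if the password contains min_run adjacent keys of one row, in either direction."""
    lowered = password.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - min_run + 1):
                if seq[i:i + min_run] in lowered:
                    return True
    return False


def has_year_like_number(password):
    """True if any 4 consecutive digits fall in the study's 1950-2030 range."""
    windows = re.findall(r"(?=(\d{4}))", password)  # overlapping 4-digit windows
    return any(1950 <= int(w) <= 2030 for w in windows)


def predictable_patterns(password):
    """Return the names of the study's predictable patterns found in the password."""
    found = []
    if re.search(r"\d$", password):
        found.append("ends_with_digit")
    if re.match(r"\d", password):
        found.append("starts_with_digit")
    if has_year_like_number(password):
        found.append("year_1950_2030")
    if has_keyboard_walk(password):
        found.append("keyboard_sequence")
    # A lone symbol drawn from the most common ones adds little unpredictability.
    symbols = [c for c in password if not c.isalnum()]
    if len(symbols) == 1 and symbols[0] in COMMON_SYMBOLS:
        found.append("single_common_symbol")
    return found


if __name__ == "__main__":
    # Constructed sample passwords, not taken from any breach.
    for sample in ("Summer@1987", "1234angel", "ytrewq!x", "vR#8q^Lw2&zT!kMp"):
        print(sample, predictable_patterns(sample))
```

An empty result only means none of these specific patterns was found; it does not show that a password is random or has not been leaked.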

Between “paradise” and “hell”: avoid common words

The study also reveals that many passwords are based on emotionally charged words or current trends. Between 2023 and 2026, for example, the use of “Skibidi” grew significantly. In addition, positive words such as “love”, “magic”, “friend”, “team”, “angel”, “star” or “eden” predominate, although negative terms such as “hell”, “devil”, “nightmare” or “scar” also appear.

“Using a single word as a password, even adding a number or symbol, is still a weak option. It is too predictable a pattern. It is best to create passphrases that combine several unrelated words, incorporating numbers, symbols and even small intentional variations. The longer, more random and more unpredictable it is, the more difficult it will be to crack. In addition, it is essential to activate two-factor authentication whenever possible,” adds Alexey Antonov.

Does password length matter?

Although long passwords remain more difficult to crack, analysis confirms that length alone is no longer sufficient. With the use of AI-based tools, even long passwords can be vulnerable if they follow predictable patterns.

Short passwords (up to eight characters) can be cracked in less than a day. However, more than 20% of 15-character passwords can also be cracked in less than a minute using advanced algorithms.

In total, 60.2% of the passwords analyzed can be cracked in approximately one hour, and 68.2% in less than a day.

These calculations are based on the use of a single RTX 5090 GPU and the MD5 algorithm. In practice, cybercriminals can use multiple GPUs, which speeds up the process exponentially.

New password generation function on the web

Today, a strong password must be more than 16 characters long and combine letters, numbers and symbols randomly, without repetitions or patterns. Additionally, it is essential that each account has a unique password.

To facilitate this process, Kaspersky has incorporated a password generation function on its website, which allows you to check whether a password has been leaked and create strong passwords for free.

To manage credentials in a simple and secure way, it is recommended to use a password manager, which stores all information in an environment protected by a single master key. This type of tool also allows autocompletion and synchronization between devices, in addition to managing new forms of access such as passkeys.