
A new cybersecurity report has revealed that most of the passwords exposed in data breaches this year were not newly stolen, but reused credentials that had been circulating online for years.
According to findings released by cybersecurity firm Kaspersky, 54 percent of passwords found in major data leaks in 2025 had already appeared in previous breaches, some dating back as far as four years.
The research, which analyzed password leaks between 2023 and 2025, suggests that weak digital habits, rather than increasingly sophisticated attacks, remain one of the biggest threats to online security.
Kaspersky said the average lifespan of a leaked password is now between 3.5 and four years, meaning many users continue to rely on login details that attackers already know.
The company warned that this pattern leaves accounts vulnerable even when platforms strengthen their own security systems.
Despite years of security warnings, multi-factor authentication campaigns, and the growing use of biometrics, passwords remain the primary way most people access online services — and many are still easy to guess.
Kaspersky’s analysis shows that predictable patterns continue to dominate leaked credentials. Simple numeric sequences like “12345” remain among the most commonly exposed passwords, while dates and years are frequently used as add-ons.
The report found that around 10 percent of leaked passwords contained numbers resembling years between 1990 and 2025, while one in every 200 compromised passwords ended specifically with “2024”.

Common words, personal names, and country names also featured heavily, making such passwords vulnerable to brute-force attacks that rely on automated guessing.
Security experts say combining familiar words with predictable dates creates the illusion of complexity without offering real protection.
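As an added illustration (not part of the Kaspersky report or the original article), the following Python check screens candidate passwords at set or change time for the patterns described above: simple digit runs, embedded years from 1990 to 2025, a trailing "2024", and a common word padded with digits or symbols. The word list, label names and sample passwords are constructed for the example.

```python
import re

# Constructed stand-in for a real dictionary of common words, personal
# names and country names (assumption: production use loads a large list).
COMMON_WORDS = {"password", "welcome", "nigeria", "michael", "summer"}

# A four-digit year from 1990 to 2025 that is not part of a longer number.
YEAR_RE = re.compile(r"(?<!\d)(199\d|20[01]\d|202[0-5])(?!\d)")

def is_digit_run(s, min_len=4):
    """True if s is only digits in an ascending, descending or repeated run."""
    if len(s) < min_len or not s.isdigit():
        return False
    steps = {(int(b) - int(a)) % 10 for a, b in zip(s, s[1:])}
    return steps in ({1}, {9}, {0})  # e.g. 12345, 54321, 1111

def audit(password):
    """Return the sorted labels of weak patterns found in password."""
    findings = set()
    lowered = password.lower()
    if is_digit_run(password):
        findings.add("numeric-sequence")
    if YEAR_RE.search(password):
        findings.add("contains-year")
    if password.endswith("2024"):
        findings.add("ends-with-2024")
    # Strip digits and symbols from both ends to expose the base word,
    # so "Summer2024" and "michael1990!" are judged by "summer"/"michael".
    base = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", lowered)
    if base in COMMON_WORDS:
        findings.add("common-word")
        if base != lowered:
            findings.add("word-plus-suffix")
    return sorted(findings)

def share(passwords, label):
    """Fraction of passwords whose audit result includes label."""
    return sum(label in audit(p) for p in passwords) / len(passwords)

# Constructed sample input, not real leaked data.
SAMPLE = ["12345", "Summer2024", "michael1990!", "nigeria", "tR7#vq9Lx!pZ"]

if __name__ == "__main__":
    for pw in SAMPLE:
        print(f"{pw!r}: {audit(pw) or 'no listed pattern'}")
    print("share containing a year:", share(SAMPLE, "contains-year"))
```

An empty result only means none of these specific patterns matched; it does not show the password is absent from earlier breach data.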
The findings come as major technology companies intensify efforts to move users away from traditional passwords altogether.
Passkeys, which are already supported by Google, Apple, and Microsoft, replace typed passwords with cryptographic credentials stored on a user’s device. Unlike passwords, passkeys are not shared with servers and cannot be reused across platforms, making them resistant to phishing and large-scale data breaches.
Instead of entering a password, users authenticate using device-based verification such as fingerprints or facial recognition, while the underlying cryptographic key remains private.

Kaspersky said the persistence of reused passwords highlights why the shift to passkeys is becoming increasingly urgent.
Alongside the report, the company announced updates to its password manager to support the creation, storage, and syncing of passkeys across devices and operating systems, addressing one of the early barriers to wider adoption.
The firm said reducing login fatigue and eliminating password reuse could significantly lower the risk of future breaches, especially as cybercriminals continue to exploit human behaviour rather than technical flaws.