A new study shows, once again, that Internet users are not following good practices enough when it comes to creating passwords. Yet the risks are significant, whether on a personal or professional level. Here's a little reminder of the best practices that absolutely must be respected.
May 6th is International No Diet Day. But also coloring, drones, scrapbooking, nude gardening (you read that right...) and the "password." The perfect opportunity to revisit the most widespread and yet least used means of computer security in the world. Because, despite the many ways that exist to create and manage passwords, Internet users continue to put themselves in danger by creating passwords that are too easy to crack.
Read also – What is “password spraying”? This formidable cyberattack that causes enormous damage.
On the occasion of the 2025 edition of World Password Day, the specialized information site Cybernews has published a study that paints a catastrophic picture of Internet users’ password practices. This study is based on 3 TB of data stolen by cybercriminals and published on the Internet between April 2024 and March 2025. 213 GB of this data is passwords. That's more than 19 billion logins. That's more than enough to assess Internet users' practices.
94% of passwords are reused across multiple websites
These practices are disastrous. Because, of the 19 billion passwords, only a little over a billion are unique. That's 6%. Let's turn the information around: 94% of passwords are used more than once. This could be due to chance. Or it could be a consequence of laziness on the part of users who recycle their passwords across multiple sites. Why is this dangerous? Because with a single hacked password, hackers will be able to connect to several services to steal the victims' identities.
The study reveals other bad habits. "1234" was one of the most popular words in 2024, approaching 4%. Qwerty, azerty, password, admin, and sequences of numbers that follow one another in ascending order (from 1234 to 1234567890) were each found several tens of millions of times in the database. Millions more use simple words, first names, city or country names, etc.
5% of passwords contain only numbers and 8% are composed only of lowercase letters. Finally, 28% are composed only of lowercase letters and numbers. Fortunately, there are also some good performers: 28% of passwords combine uppercase and lowercase letters, numbers, and special characters. Regarding password length, it is recommended to choose a string of at least 12 characters. But the vast majority do not exceed 11 characters.
Here's how to create a secure password
What are the best practices when it comes to creating a password? Here are some recommendations from security specialists:
- 12 characters minimum
- At least one number, one lowercase letter, one uppercase letter, and one special character of each
- No dictionary words, first names, or personal information (e.g., date of birth)
- A unique password for each service
It is also recommended to change your password regularly and enable two-factor authentication via email or SMS. While creating and managing passwords can become complicated with these constraints, be aware that all the most popular operating systems (Android, iOS, Windows, macOS) and web browsers (Chrome, Safari, Edge, etc.) include a secure manager with password creation. Of course, you also need to secure access to this manager... We also recommend using free software to check if your passwords have been compromised.
0 Comments