• Most compromised passwords either begin or end with digits
• Common symbols like ‘@’ and ‘.’ are heavily overused

ISLAMABAD: An analysis of 231 million unique passwords leaked between 2023 and 2026 has revealed several alarming patterns, according to a report by cybersecurity company Kaspersky.

Firstly, 68 per cent of modern passwords can be cracked within a day. Secondly, the vast majority of compromised passwords either begin or end with a digit — a common habit that makes them vulnerable to brute-force attacks.

Thirdly, users often rely on positive or trending words in their passwords. For example, the use of the word “Skibidi” in analysed passwords increased 36-fold over the past few years, reflecting the rise of the internet trend.

“In recent years, secure password rules have become a widely discussed topic. More and more services now require passwords that are at least 10 characters long, include an uppercase letter, and contain a number or symbol. Yet a comparative analysis of leaked passwords from recent years shows that even following some of these rules does not guarantee protection against brute-force or AI-driven attacks,” the Kaspersky report noted.

“Among leaked passwords containing only one symbol, the ‘@’ sign is the most common, appearing in 10pc of cases. The next most common symbol is a dot (.), found in 3pc of passwords. Numbers also follow predictable patterns: 53pc of examined passwords end with digits, 17pc begin with digits, nearly 12pc contain a numeric sequence resembling a date (from 1950 to 2030), and 3pc include keyboard sequences such as ‘qwerty’ or ‘ytrewq’. However, most commonly used patterns are numeric sequences like ‘1234’,” the report stated.

Alexey Antonov, Data Science Team Lead at Kaspersky, noted that commonly used symbols, numbers, or dates — especially when placed in obvious positions such as the beginning or end of a password — significantly simplify brute-force attacks for cybercriminals.

“That is why it is highly recommended to use less common characters and avoid numeric or keyboard sequences. Brute-force attacks work by systematically trying every possible character combination until the correct password is found. When attackers already know which characters users tend to favour, the time required to crack a password drops dramatically. To avoid choosing predictable symbols, users should rely on dedicated password generators that create random combinations of letters, numbers, and symbols with equal probability,” Antonov said.

The research also showed that emotional and trending words are frequently used as the basis for passwords. Positive words such as “love”, “magic”, “friend”, “team”, “angel”, “star”, and “eden” appeared regularly in leaked passwords and were far more common than negative words. However, words such as “hell”, “devil”, “nightmare”, and “scar” were also found.

The report revealed that short passwords of up to eight characters are typically cracked through brute-force attacks in less than a day. However, due to AI-powered smart algorithms, more than 20pc of 15-character passwords can now be broken in under a minute.

Published in Dawn, May 15th, 2026