Half of Passwords Compromised in 2025 Were Already Leaked, Kaspersky Lab Reports
Analysis reveals users stick with weak passwords for 3.5-4 years despite repeated breaches.
More than half of passwords compromised in 2025 had already appeared in previous data breaches, according to a large-scale analysis by Kaspersky Lab. The finding demonstrates that users continue relying on weak passwords and fail to change them even after confirmed leaks.
Kaspersky Lab specialists analyzed major password leaks globally from 2023 to 2025. The results paint a troubling picture: 54% of passwords compromised in 2025 were recycled from earlier breaches, with the average password remaining in use for 3.5 to 4 years.
This creates serious security risks. When passwords appear in leaked databases, attackers add them to credential-stuffing tools that automatically test stolen combinations across multiple services. A password compromised once becomes a permanent security liability across every account where it's reused.
The Date Problem
One in ten compromised passwords contained numbers resembling dates, ranging from "1990" to "2025." One in two hundred passwords ended specifically with "2024."
These date-based patterns make passwords easy targets for attackers who use dictionary attacks that systematically test common patterns. Birth years, graduation dates, and current years represent predictable choices that automated cracking tools exploit efficiently.
The Usual Suspects
The most common password remains "12345"—a sequence hackers can crack almost instantly using brute-force attacks. Other popular password components identified in the analysis include:
- The word "love"
- Common first names
- Country names
All of these represent low-hanging fruit for attackers. Password-cracking tools include dictionaries of common words, names, and patterns specifically because they appear so frequently in leaked databases.
Why Users Don't Change Passwords
The study highlights a fundamental disconnect between security best practices and user behavior. Despite widespread awareness of data breaches and regular news coverage of major leaks, most users stick with the same passwords for years.
Several factors contribute to this pattern:
Password fatigue: The average person maintains accounts across dozens of services, making unique passwords difficult to remember without a password manager.
Lack of immediate consequences: When a breach occurs at one service, users often don't experience immediate account compromise at other services where they've reused the same password. This creates a false sense of security.
Notification failures: Many users never receive or don't notice breach notifications, leaving them unaware their credentials have been compromised.
Convenience over security: Creating and remembering complex, unique passwords requires more effort than reusing familiar combinations.
The Credential Stuffing Threat
Password reuse transforms a single breach into a universal vulnerability. When attackers obtain credentials from one compromised service, they test those same username-password combinations across banking sites, email services, social media platforms, and corporate networks.
This technique, called credential stuffing, succeeds specifically because users reuse passwords. A breach at a gaming forum can lead to a compromised corporate email account if the same credentials work for both.
The 54% reuse rate identified in Kaspersky's study means that more than half of passwords appearing in 2025 breaches were already available to attackers from previous leaks. Those credentials have been circulating in criminal databases, tested against countless services, and incorporated into automated attack tools.
What Users Should Do
Security specialists recommend several steps to reduce password-related risks:
Use unique passwords for every service. Password managers like Bitwarden, 1Password, or KeePassXC generate and store complex passwords, eliminating the need to remember dozens of unique combinations.
Enable two-factor authentication (2FA) wherever available. Even if attackers obtain your password, 2FA blocks access without the second factor—typically a code from an authenticator app or hardware token.
Adopt passkeys when offered. Passkeys represent a modern authentication method resistant to phishing, credential stuffing, and password database breaches. They use cryptographic keys tied to specific devices rather than memorized secrets.
Monitor for breaches. Services like Have I Been Pwned allow users to check whether their email addresses have appeared in known data breaches, prompting password changes when necessary.
Change passwords immediately after breach notifications. When a service reports a data breach, change your password there and at any other service where you used the same credentials.
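An added Python example, not from Kaspersky's study or any product named here, that applies the article's findings as a password-screening check: it rejects a candidate that contains a year between 1990 and 2025, that includes one of the common components listed above, or that already appears in a breach corpus. The breach lookup follows the k-anonymity pattern used by the Have I Been Pwned "Pwned Passwords" range API (only the first five hex characters of the SHA-1 hash leave the client); the corpus and range responses are constructed inline so the code runs offline.

```python
import hashlib
import re

# Constructed sample data for the example; a real deployment screens against a
# full breach corpus rather than this handful of entries.
COMMON_COMPONENTS = ("12345", "love", "john", "anna", "russia", "germany")
# Years the article reports inside leaked passwords: 1990 through 2025.
DATE_RE = re.compile(r"(?<!\d)(199\d|200\d|201\d|202[0-5])(?!\d)")


def sha1_upper(password: str) -> str:
    """Upper-case hex SHA-1, the encoding the Pwned Passwords range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def k_anonymity_parts(password: str):
    """Split the hash into the 5-char prefix sent to the server and the suffix kept local."""
    digest = sha1_upper(password)
    return digest[:5], digest[5:]


def _build_fake_range_index(leaked: dict) -> dict:
    """Constructed stand-in for the server: prefix -> 'SUFFIX:COUNT' lines."""
    index = {}
    for pw, count in leaked.items():
        prefix, suffix = k_anonymity_parts(pw)
        index.setdefault(prefix, []).append(f"{suffix}:{count}")
    return {p: "\r\n".join(lines) for p, lines in index.items()}


FAKE_RANGE_INDEX = _build_fake_range_index({"12345": 1000000, "love2024": 3500, "john1990": 120})


def fake_fetch_range(prefix: str) -> str:
    """Offline replacement for GET /range/{prefix}; empty body when nothing matches."""
    return FAKE_RANGE_INDEX.get(prefix, "")


def breach_count(password: str, fetch_range=fake_fetch_range) -> int:
    """How often the password appears in the corpus; only the suffix is compared locally."""
    prefix, suffix = k_anonymity_parts(password)
    for line in fetch_range(prefix).splitlines():
        found, _, count = line.partition(":")
        if found == suffix:
            return int(count)
    return 0


def screen_password(password: str, fetch_range=fake_fetch_range) -> list:
    """Return the reasons to reject a password; an empty list means it passed."""
    reasons = []
    if (n := breach_count(password, fetch_range)) > 0:
        reasons.append(f"seen in {n} breaches")
    if DATE_RE.search(password):
        reasons.append("contains a year between 1990 and 2025")
    lowered = password.lower()
    reasons += [f"contains common component '{c}'" for c in COMMON_COMPONENTS if c in lowered]
    return reasons
```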
The Bigger Picture
The persistence of weak, reused passwords represents one of cybersecurity's most stubborn problems. Despite decades of security education, password breach statistics, and increasingly sophisticated attacks, user behavior changes slowly.
The 3.5-4 year average password lifespan identified by Kaspersky demonstrates that users view password changes as occasional maintenance rather than ongoing security practice. Meanwhile, attackers continuously refresh their credential databases with each new breach, accumulating vast collections of username-password combinations.
Organizations face similar challenges. Many companies lack policies requiring password changes after breaches, fail to detect credential-stuffing attacks, and don't enforce unique password requirements across their systems.
The solution requires both user behavior changes and technology evolution. Password managers reduce the friction of maintaining unique passwords. Two-factor authentication adds protection even when passwords leak. Passkeys eliminate passwords entirely, removing the vulnerability at its source.
Until these technologies see widespread adoption, password breaches will continue exposing the same credentials year after year—exactly as Kaspersky's analysis demonstrates is already happening.