19 Billion Passwords Leaked in 2024: How to Secure Your Accounts Now

Since April 2024, over 19 billion passwords have been compromised and leaked online from more than 200 data breaches, exposing a massive security risk to users worldwide. A recent study by Cybernews reveals that only about 6% of these passwords were unique, meaning the vast majority—94%—were reused or weak, making them highly vulnerable to hacking attempts.

Key Findings on Password Weaknesses

• Common Passwords Remain Dominant: Classic weak passwords like “123456” appeared 338 million times, “password” 56 million times, and “admin” 53 million times in the leaked data. These default or lazy passwords continue to be a major security problem because many users never change them from system defaults or recycle them across accounts.
• Reuse and Predictability: The study found a widespread epidemic of password reuse, with many users employing the same passwords across multiple platforms. This creates a domino effect where a breach on one site can compromise other accounts.
• Names and Curse Words: Personal names are the second most common password component, with an 8% chance of appearing in passwords, often linked to popular names of 2025. Surprisingly, millions of passwords also contain curse words, including 16 million with the F-word.
• Password Composition: Roughly one-third of passwords use only lowercase letters and digits, while nearly 20% of unique passwords mix case and numbers but lack special characters. Such patterns are vulnerable to dictionary and brute-force attacks, as hackers use precompiled lists of common words and patterns to crack passwords quickly.
• Password Length: Most passwords are between 8 to 10 characters long, with 8 characters being the most popular length. However, longer passwords—ideally between 14 to 18 characters—are much stronger and harder to crack.

How to Protect Yourself Right Now

Given the alarming state of password security, here are crucial steps to safeguard your online accounts:

• Use Strong, Unique Passwords: Avoid common words, default passwords, and personal information. Create passwords that are long (14+ characters), mixing uppercase, lowercase letters, numbers, and special symbols.
• Consider Passphrases: Using a memorable phrase or sentence with mixed characters can significantly enhance password strength while making it easier to remember.
• Employ Password Managers: These tools generate, store, and autofill complex, unique passwords for every account, reducing human error and the temptation to reuse passwords. Password managers also facilitate secure sharing of credentials and improve overall security posture.
• Enable Multi-Factor Authentication (MFA): MFA adds an essential extra layer of security by requiring additional verification beyond just the password. Accounts with MFA are far less likely to be compromised even if the password is leaked.
• Use Passkeys or Biometrics Where Available: Some services offer passkeys or biometric logins, which provide more secure and convenient alternatives to passwords.
• Never Share Your Passwords: Keep your credentials confidential to prevent unauthorized access.
• Follow Updated Guidelines: The 2025 NIST password guidelines recommend prioritizing password length over complexity, allowing passphrases up to 64 characters, and avoiding forced periodic password changes unless a breach occurs. They also emphasize blacklisting commonly used or compromised passwords.

Summary

The widespread reuse and weakness of passwords exposed in 19 billion leaked credentials highlight a critical cybersecurity challenge. To protect yourself, adopt strong, unique passwords, leverage password managers, enable MFA, and consider modern authentication methods like passkeys and biometrics. These steps are essential defenses in an era where cyber threats are increasingly sophisticated.