- Password samples from 2015 and 2025 have been compared
- Password security is improving, but passwords are still reused
- People have difficulty remembering unique passwords
Despite the rise of many tools to facilitate credential security, there has not been enough change in password habits in the last 10 years.
Cybersecurity researcher Jeremiah Fowler has compared 2015 password trends to a monumental password breach in 2025 to understand what habits, if any, have changed.
The findings show that the recommended practices in 2025 for a strong password are incompatible with human memory.
Password trends
The samples analyzed by Fowler show that in the last 10 years, only 15% of passwords could be classified as genuinely complex: at least 12 characters long, made up of upper and lower case letters, numbers and symbols, and without structure or patterns.
The other 85% of passwords are considered easy or predictable. These are passwords that contain names, memorable phrases, or common structures (“password,” “admin,” or “qwerty”) with numbers and special characters attached. The problem with using memorable phrases and structures in passwords is that it makes them more vulnerable to brute force attacks.
The good news is that passwords containing keystrokes, waterfalls, and spatial patterns (like “qwertyuiop”) have fallen by 15% to 20% since 2015. Similarly, keywords like “admin” and “password” have also fallen by the same percentage.
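The distinction drawn above, between a password that merely satisfies length and character-class rules and one that is free of structure, can be checked during a password audit. The following is an added example, not code from Fowler's research; the word list, substitution table and four-key run length are assumptions chosen for illustration, and the checks only approximate "without structure or patterns".

```python
import re

# Constructed lists for illustration; a real audit would load a large wordlist.
COMMON_BASES = ("password", "admin", "qwerty", "welcome", "letmein")
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
# Undo common character substitutions (assumed mapping, not from the article).
LEET = str.maketrans("01345@$7", "oieasast")

def has_keyboard_walk(pw, run=4):
    """True if pw contains `run` adjacent keys of one row, in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + run] in low for i in range(len(seq) - run + 1)):
                return True
    return False

def has_common_base(pw):
    """True if a common word remains once substitutions and padding are removed."""
    letters = re.sub(r"[^a-z]", "", pw.lower().translate(LEET))
    return any(base in letters for base in COMMON_BASES)

def meets_composition(pw):
    """The article's baseline: 12+ chars with upper, lower, digit and symbol."""
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    return len(pw) >= 12 and all(re.search(c, pw) for c in classes)

def classify(pw):
    """Return ("complex", []) or ("predictable", [reasons])."""
    reasons = []
    if not meets_composition(pw):
        reasons.append("fails length/character-class baseline")
    if has_common_base(pw):
        reasons.append("built on a common word")
    if has_keyboard_walk(pw):
        reasons.append("contains a keyboard walk")
    return ("predictable" if reasons else "complex", reasons)

if __name__ == "__main__":
    # Constructed sample passwords, not taken from any breach data.
    for sample in ("P@ssw0rd2025!!", "Qwertyuiop123!", "xK9#mQ2$vL7!pR4z"):
        print(sample, classify(sample))
```

The first two samples pass the composition baseline yet are still flagged, which is the gap between forced complexity rules and genuinely complex passwords.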
The number of passwords that appear to have been created by a password generator has also increased by 10% to 12%. However, there is still a critical weakness for all passwords.
Fowler cites a 2024 study that found the average person has about 168 passwords across all of their online accounts. Remembering a unique, strong password for each of these accounts is simply not feasible for the average person, so people undermine the security a strong password could provide by reusing it across their accounts.
“We often take a lazy approach to passwords at our own risk, choosing convenience over security,” Fowler explained.
“Even forced password complexity rules are not a silver bullet if they are reused across multiple accounts, exposed in a data breach, or compromised by malware. It’s a fact that criminals are becoming more sophisticated, the use of AI in cybercrime is growing, and we must do more to protect our credentials.”
The best way to protect all your online accounts is to use a password manager – there are many paid services to choose from, and many brands also offer free password management plans to help keep your accounts secure.
Using an authenticator app can also improve the security of your account by requiring a second verification method through a separate device or biometric identifier.