In 2022, a staggering 24 billion passwords were exposed globally, according to Digital Shadows. This alarming statistic highlights the growing threat to security in the digital age. Yet, many continue to use weak credentials, putting their accounts and personal data at risk.
LastPass reports that 80% of breaches involve stolen or weak passwords. Despite 91% of users acknowledging the dangers of reuse, only 12% actually use a unique password for every account. This cognitive dissonance is further exacerbated by “password fatigue,” which affects 40% of users.
In New Zealand and Australia, similar trends are evident. The reliance on easily guessable credentials remains a pressing issue. Addressing this requires a shift in mindset and better tools to manage security effectively.
The alarming truth about weak passwords
Digital Shadows reveals that 96% of weak passwords are cracked in less than a second. This startling statistic underscores the vulnerability of predictable credentials in today’s digital landscape. Despite awareness campaigns, many continue to use easily guessable combinations, leaving their accounts exposed to cyber threats.
Why Simple Passwords Are a Security Nightmare
NordPass findings indicate that 70% of top passwords are crackable instantly. Hackers leverage brute-force tools, which cost as little as $4 on the dark web, to exploit these vulnerabilities. Predictable choices like “admin” or “123456” make it effortless for cybercriminals to gain unauthorised access.
NZ CERT has repeatedly warned about credential stuffing attacks, where hackers use stolen credentials to breach multiple accounts. The economic incentives are clear, with the average dark web credential fetching $15.43.
How Hackers Exploit Predictable Passwords
One common tactic is “password spraying,” where attackers use universal defaults to target multiple accounts. Beyond Identity reports that 73% of password guessers succeed, highlighting the ease of exploiting weak credentials.
A case in point is the 23andMe breach, where reused credentials allowed hackers to access sensitive data. This incident serves as a stark reminder of the risks associated with poor password practices.
- NordPass: 70% of top passwords crackable instantly.
- Dark web credential price: $15.43 on average.
- NZ CERT advisories: Credential stuffing attacks on the rise.
- 23andMe breach: Reused credentials led to data exposure.
What are the most common reused simple passwords?
Recent studies highlight a troubling trend in password practices. Despite widespread awareness, many users continue to rely on predictable combinations, leaving their accounts vulnerable to cyber threats. This section explores the top offenders and regional patterns in password choices.

Top 10 worst passwords of 2025
Reader’s Digest reveals the most frequently used credentials in 2024. These include:
- 123456
- admin
- 123456789
- password
- qwerty
- 12345
- 12345678
- 111111
- 123123
- abc123
In New Zealand, similar patterns emerge, with many users opting for sequential numbers or generic terms. This highlights a global issue with local implications.
Regional trends in password choices
Australasian preferences often reflect cultural influences. For instance, “AllBlacks2024” has gained traction in New Zealand, while UK and Italy show football team references. Security.org reports that 18% of users incorporate pet names, and 21% use birth years, further exposing vulnerabilities.
Sequential numbers remain a dominant pattern, with 64% of credentials falling within 8-11 characters. Industry-specific risks also persist, such as “ubnt” in tech circles, demonstrating the need for tailored security measures.
The shocking risks of using common passwords
Cybercriminals exploit weak credentials with alarming efficiency, putting sensitive data at risk. The speed at which hackers crack passwords underscores the vulnerability of predictable choices. Digital Shadows reports that adding a special character increases crack time by 1.5 hours, yet many users still opt for simplicity over security.

How Quickly Hackers Can Crack Weak Passwords
Cracking speeds vary drastically based on password complexity. A 14-character password with mixed symbols takes years to crack, while an 8-character one falls in seconds. Here’s a comparison:
- 14-character password: 62 trillion times longer to crack.
- 8-character password: Cracked instantly by brute-force tools.
This stark contrast highlights the importance of robust credentials. Beyond Identity notes that 27.5% of users retain passwords unchanged for 3-5 years, further increasing risks.
Real-World Consequences of Password Breaches
The fallout from weak passwords extends beyond individual accounts. The 2023 Medibank breach in New Zealand exposed sensitive data, costing millions in damages. Ponemon Institute reports a 32% identity theft rate linked to such breaches.
Credential chaining, where 6.7 billion unique combinations are derived from 24 billion leaks, amplifies the threat. Netsafe NZ highlights social engineering losses, showing how reused credentials enable broader attacks.
Banking credentials fetch $70.91 on the dark web, making them prime targets for hackers. This financial incentive drives relentless exploitation of weak passwords, emphasizing the need for stronger practices.
Why people still use terrible passwords
Despite widespread awareness of cybersecurity risks, many users continue to rely on weak passwords. This behaviour often stems from a combination of convenience and misconceptions about security. Understanding these factors is crucial to addressing the issue effectively.
The convenience trap
One major reason for poor password habits is the sheer convenience of using simple credentials. LastPass reports that employees face an average of 154 monthly logins, leading to fatigue and shortcuts. Many opt for easy-to-remember combinations, even if they compromise security.
Generational differences also play a role. While 47% of millennials memorise passwords, the 50+ age group tends to prioritise uniqueness. This highlights how convenience often overrides security concerns, especially in high-pressure environments.
Common misconceptions about password security
Many users believe that complexity alone ensures safety, but this is a fallacy. A password like “P@ssw0rd” may seem secure but remains vulnerable to cracking tools. Length, rather than complexity, is a stronger deterrent against breaches.
Another misconception is “security through obscurity,” where users assume uncommon words or phrases are safe. However, hackers use advanced tools to exploit such patterns, making this approach ineffective.
In New Zealand, 65% of organisations are moving towards a passwordless future, recognising the limitations of traditional methods. This shift reflects a growing understanding of the need for better cybersecurity practices.
How hackers steal your passwords
Hackers employ sophisticated methods to compromise accounts and steal sensitive data. These techniques range from technical exploits to psychological manipulation, making it essential to understand how they operate.
Credential stuffing and brute force attacks
One prevalent method is credential stuffing, where attackers replay stolen username and password pairs across multiple sites. Verizon reports that 63% of attacks rely on compromised credentials. This approach is effective because many users reuse the same password across different services.
Brute force attacks, on the other hand, involve systematically guessing passwords. Tools like Hashcat can test millions of combinations per second, making weak credentials vulnerable. Beyond Identity found that 15.6% of hackers search personal files for clues, further increasing the risk.
Social engineering tactics to watch for
Social engineering exploits human psychology to gain access to accounts. Phishing, for instance, involves tricking users into revealing their credentials. In New Zealand, tax refund scams are a common tactic, luring victims with fake promises.
Another risk is shoulder surfing, where attackers observe passwords being typed in public spaces. The Microsoft breach in 2022 highlighted how password spraying—trying a small set of common passwords against many accounts—can lead to widespread compromises.
- Verizon DBIR: 70% of web app attacks involve stolen credentials.
- Hashcat benchmarks: Millions of combinations tested per second.
- NZ phishing trends: Tax refund scams on the rise.
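Credential stuffing, password spraying and brute force all leave a recognisable shape in authentication logs. The following detector is an added example (not from the article or any vendor named in it) that runs two rules over a constructed sample log whose line format is assumed: one source failing against many distinct accounts (the shared signature of stuffing and spraying, which look alike because the password itself is never logged) and one source hammering a single account.

```python
import re
from collections import defaultdict

# Constructed sample auth log (not from the article). Assumed line format:
# <timestamp> <FAIL|OK> user=<account> ip=<source>
SAMPLE_LOG = """\
2024-05-01T10:00:01 FAIL user=alice ip=203.0.113.5
2024-05-01T10:00:02 FAIL user=bob ip=203.0.113.5
2024-05-01T10:00:03 FAIL user=carol ip=203.0.113.5
2024-05-01T10:00:04 FAIL user=dave ip=203.0.113.5
2024-05-01T10:00:05 FAIL user=erin ip=203.0.113.5
2024-05-01T10:00:06 OK user=frank ip=203.0.113.5
2024-05-01T10:01:00 FAIL user=bob ip=198.51.100.7
2024-05-01T10:01:01 FAIL user=bob ip=198.51.100.7
2024-05-01T10:01:02 FAIL user=bob ip=198.51.100.7
2024-05-01T10:01:03 FAIL user=bob ip=198.51.100.7
2024-05-01T10:01:04 FAIL user=bob ip=198.51.100.7
2024-05-01T10:01:05 FAIL user=bob ip=198.51.100.7
2024-05-01T10:02:00 FAIL user=alice ip=192.0.2.10
2024-05-01T10:02:05 OK user=alice ip=192.0.2.10
"""
LINE_RE = re.compile(r"^(\S+) (FAIL|OK) user=(\S+) ip=(\S+)$")

def parse_log(text):
    """Yield (timestamp, result, user, ip) tuples; skip lines that do not match."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groups()

def detect_abuse(text, min_accounts=5, min_attempts=5):
    """Return {ip: findings}. 'spread' = failures against many accounts
    (stuffing/spraying shape); 'brute' = many failures against one account;
    'success-after-failures' = a later OK from a flagged source, worth triage."""
    fails_by_ip = defaultdict(lambda: defaultdict(int))   # ip -> user -> count
    success_after_fail = set()
    for _ts, result, user, ip in parse_log(text):
        if result == "FAIL":
            fails_by_ip[ip][user] += 1
        elif ip in fails_by_ip:
            success_after_fail.add(ip)
    findings = {}
    for ip, per_user in fails_by_ip.items():
        hits = []
        if len(per_user) >= min_accounts:
            hits.append("spread")
        if max(per_user.values()) >= min_attempts:
            hits.append("brute")
        if hits and ip in success_after_fail:
            hits.append("success-after-failures")
        if hits:
            findings[ip] = hits
    return findings
```

The thresholds are starting points only; tune them against your own baseline, and treat a successful login from a source that has just failed across many accounts as the highest-priority alert.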
Protecting yourself with better password habits
Adopting robust password practices is essential in today’s digital landscape. With cyber threats on the rise, safeguarding your accounts requires more than just basic measures. This section explores actionable strategies to enhance your security and reduce vulnerabilities.
Creating uncrackable passwords
Strong passwords are your first line of defence against cyberattacks. Experts recommend using a mix of letters, numbers, and special characters to create complex credentials. A 20+ character password significantly increases crack time, making it harder for hackers to breach your accounts.
One effective method is the Diceware technique, which generates secure passphrases. For example, combining random words like “crystal-tiger-mountain” creates a memorable yet uncrackable password. CERT NZ also advises against using personal information, as it’s easily guessable.
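The Diceware method described above, as an added example (not the article's own code, and not an official Diceware implementation): words are chosen with a CSPRNG from a fixed list, and the strength comes purely from the number of words and the list size, so the same functions also put a conventional character password on the same entropy scale. The word list here is a small constructed stand-in; a real Diceware list has 7776 words.

```python
import math
import secrets

# Constructed mini word list (a real Diceware list has 7776 words, one per
# roll of five dice); only the list size enters the entropy calculation.
SAMPLE_WORDS = ["crystal", "tiger", "mountain", "river", "candle", "orbit",
                "velvet", "harbour", "pepper", "glacier", "lantern", "meadow"]
DICEWARE_LIST_SIZE = 7776   # 6 ** 5 possible five-dice outcomes

def diceware_passphrase(word_list, n_words=6, sep="-"):
    """Pick n_words uniformly at random with a CSPRNG and join them.
    Never use random.choice() here: it is not cryptographically secure."""
    return sep.join(secrets.choice(word_list) for _ in range(n_words))

def passphrase_entropy_bits(n_words, list_size=DICEWARE_LIST_SIZE):
    """Entropy of a random passphrase: each word contributes log2(list_size)."""
    return n_words * math.log2(list_size)

def password_entropy_bits(length, alphabet_size=95):
    """Entropy of a truly random character password (95 printable ASCII)."""
    return length * math.log2(alphabet_size)

def expected_crack_seconds(bits, guesses_per_second):
    """Expected time to hit the secret at a given guess rate: half the space."""
    return (2 ** bits) / 2 / guesses_per_second

if __name__ == "__main__":
    print(diceware_passphrase(SAMPLE_WORDS, 6))
    print("3 words :", round(passphrase_entropy_bits(3), 1), "bits")
    print("6 words :", round(passphrase_entropy_bits(6), 1), "bits")
    print("8 chars :", round(password_entropy_bits(8), 1), "bits")
```

Three words from a 7776-word list give about 39 bits, roughly an 8-character random character password; six words give about 78 bits, which is why Diceware guidance is normally six words or more.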
The power of password managers
Managing multiple strong passwords can be challenging. This is where a password manager becomes invaluable. Tools like Bitwarden and LastPass generate, store, and autofill unique credentials for each account, reducing the risk of reuse.
Globally, over 45 million users rely on password managers to enhance their security. In New Zealand, adoption rates are growing, with many recognising the benefits of centralised password management. These tools also offer features like breach alerts, ensuring timely updates to compromised credentials.
Why multi-factor authentication matters
Adding an extra layer of security can make all the difference. Multi-factor authentication (MFA) requires users to verify their identity through a second method, such as a fingerprint or SMS code. Microsoft reports that MFA reduces breaches by 99.9%, making it a critical safeguard.
In New Zealand, ANZ banks are leading the way in biometric MFA adoption. This approach not only enhances security but also simplifies the login process. By combining password managers with MFA, users can significantly reduce their exposure to cyber threats.
Taking action for your digital security today
Securing your digital presence starts with immediate action. With 50% of productivity lost to password resets, it’s crucial to adopt better practices. Begin by checking if your credentials have been compromised using tools like HaveIBeenPwned. This step ensures you’re aware of potential risks.
Next, consider using a password manager to generate and store unique passwords for every account. NZ-based options like iPassword offer robust solutions tailored to local needs. Regularly rotating credentials for critical services adds an extra layer of protection.
New Zealand’s government cybersecurity initiatives also provide valuable resources. Leveraging these can help organisations and individuals stay ahead of threats. Remember, 2.2% of users still rely on passwords over 21 years old—don’t be part of this statistic.
Take charge of your devices and accounts today. Strong, unique credentials and proactive measures are your best defence against evolving risks.
FAQ
Q: Why are simple passwords a security risk?
A: Simple passwords are easy to guess or crack, making accounts vulnerable to hackers. Predictable choices like “123456” or “password” are often reused, increasing the risk of breaches across multiple platforms.
Q: What are the top 10 worst passwords of 2025?
A: The worst passwords include “123456,” “password,” “qwerty,” and “admin.” These predictable combinations are frequently exploited by hackers using brute force or credential stuffing attacks.
Q: How do hackers exploit weak passwords?
A: Hackers use methods like brute force attacks, where they systematically try common combinations, or credential stuffing, where stolen credentials are tested across multiple accounts. Weak passwords make these tactics highly effective.
Q: What are the real-world consequences of password breaches?
A: Breaches can lead to identity theft, financial loss, and unauthorised access to sensitive data. Organisations and individuals alike face significant reputational and financial damage from compromised accounts.
Q: Why do people still use weak passwords?
A: Many prioritise convenience over security, opting for easy-to-remember combinations. Misconceptions, such as believing hackers won’t target them, also contribute to poor password habits.
Q: How can I create stronger passwords?
A: Use a mix of uppercase and lowercase letters, numbers, and special characters. Avoid common words or sequences. Password managers can generate and store unique, complex passwords for each account.
Q: What is the role of multi-factor authentication?
A: Multi-factor authentication adds an extra layer of security by requiring a second form of verification, such as a code sent to your phone. This reduces the risk even if your password is compromised.
Q: How do password managers improve security?
A: Password managers store and generate strong, unique passwords for each account. They eliminate the need to reuse passwords or write them down, significantly enhancing overall security.
Q: What are credential stuffing attacks?
A: Credential stuffing involves using stolen login details from one breach to access other accounts. This method exploits the common habit of reusing passwords across multiple platforms.
Q: How can I protect myself from social engineering tactics?
A: Be cautious of unsolicited emails or messages asking for personal information. Verify the sender’s identity and avoid clicking on suspicious links. Regularly update passwords and enable security features like two-factor authentication.