
PASSWORD SECURITY: Experts Reveal Top Password Mistakes Driving Data Breaches in 2025

Gibraltar: Friday 23 May 2025 at 10:00 CET

By: Iain Fraser, Cybersecurity Journalist
Published in Collaboration with: Nord VPN
SMECyberInsights.co.uk – First for SME Cybersecurity

Poor password practices continue to be the Achilles’ heel of cybersecurity, with over 80% of data breaches linked to compromised credentials, according to a new analysis by web hosting provider Hostinger.

The company’s security team conducted an extensive investigation into thousands of leaked password datasets, applying machine learning and behavioural analysis techniques to understand why many users still create passwords that offer minimal protection.

Critical Password Vulnerabilities Identified

“Many people assume they’re fully protected once they’ve set up a strong password, but security is an ongoing process,” explains Hostinger’s cybersecurity team. “New threats emerge constantly, and staying safe requires regular attention to your security practices.”

The research identified four primary password mistakes that consistently leave users vulnerable:

1. Inadequate Password Length

More than one-fifth (21.7%) of analysed passwords contained fewer than eight characters—all of which were instantly crackable in security tests. Despite the well-documented risks, many users continue to prioritize convenience over security by creating short passwords that are easier to type and remember.

Security experts recommend passwords of at least 12 characters, ideally based on memorable phrases or sentences.

2. Predictable “Unique” Patterns

Many users believe they’ve created secure passwords by using seemingly unique combinations like “minebluecar67.” However, Hostinger’s analysis revealed these formats follow predictable low-entropy patterns that sophisticated cracking tools can easily decipher.

To create truly secure passwords, cybersecurity professionals advise using a mix of uppercase and lowercase letters, numbers, and special characters while avoiding common words or predictable patterns.

3. The Length Misconception

The research uncovered a concerning trend: even passwords exceeding 20 characters had a 13% crack rate, making them nearly as vulnerable as much shorter options. This contradicts the common belief that longer passwords are automatically more secure.

“Length alone isn’t enough,” notes the report. “Passwords with repetitive elements like ‘aaaaaaa’ or ‘123123123’ significantly compromise security regardless of character count.”

4. Continued Use of Known Compromised Passwords

Perhaps most alarmingly, many users continue using passwords that appear in the top 10 million leaked password lists. The study identified 475 passwords that matched high-frequency entries from global breach databases.

This occurs because users often remain unaware their credentials have been compromised or continue reusing familiar passwords out of habit.
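The first three mistakes above (short length, word-plus-digit patterns, repetition) can be screened for at password-set time. The following is an added example, not code from Hostinger or this article; the word list is a constructed sample and the checks are simple heuristics chosen for illustration.

```python
import re

MIN_LENGTH = 12  # minimum length the article recommends
# Constructed sample word list; a real screen would load a full dictionary.
COMMON_WORDS = {"mine", "blue", "car", "password", "summer", "london"}

def repeated_unit(pw):
    """Return the shortest unit the whole password is a repetition of, else None."""
    n = len(pw)
    for size in range(1, n // 2 + 1):
        if n % size == 0 and pw[:size] * (n // size) == pw:
            return pw[:size]
    return None

def split_into_words(text, words=COMMON_WORDS):
    """Segment text entirely into dictionary words (dynamic programming), else None."""
    best = {0: []}  # best[i] = one segmentation of text[:i]
    for end in range(1, len(text) + 1):
        for start in range(end):
            if start in best and text[start:end] in words:
                best[end] = best[start] + [text[start:end]]
                break
    return best.get(len(text))

def audit(pw):
    """Return a list of findings; an empty list only means these checks found nothing."""
    findings = []
    if len(pw) < 8:
        findings.append("under 8 characters")
    elif len(pw) < MIN_LENGTH:
        findings.append("under 12 characters")
    unit = repeated_unit(pw)
    if unit:
        findings.append(f"repeats '{unit}'")
    # Letters followed by optional digits, where the letters are all dictionary words.
    m = re.fullmatch(r"([A-Za-z]+)(\d*)", pw)
    if m and split_into_words(m.group(1).lower()):
        findings.append("dictionary words plus digits")
    return findings

if __name__ == "__main__":
    for candidate in ["minebluecar67", "aaaaaaa", "123123123",
                      "abcabcabcabcabcabcabcabc", "tidal-Quartz-91-lantern!"]:
        print(candidate, "->", audit(candidate) or "no findings")
```

The 24-character `abcabcabcabcabcabcabcabc` passes the length check and is still flagged, which is the "length misconception" in practice.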

Protecting Your Digital Assets

Cybersecurity experts recommend regularly checking credentials through services like “Have I Been Pwned” and implementing two-factor authentication (2FA) wherever possible.
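A password can be checked against Have I Been Pwned's Pwned Passwords range endpoint without sending the password itself: only the first five hex characters of its SHA-1 hash leave the machine. The following is an added example, not code from the article; the response body is constructed so the lookup runs offline, and the counts in it are made up.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"

def hibp_prefix_suffix(password):
    """SHA-1 the password; only the 5-character prefix is ever sent to the service."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def fetch_range(prefix):
    """Live query (needs network): returns 'SUFFIX:COUNT' lines for one prefix."""
    with urllib.request.urlopen(RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")

def breach_count(password, range_body):
    """Match our 35-character suffix locally against the returned lines."""
    _, suffix = hibp_prefix_suffix(password)
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0  # suffix absent: not in the breach corpus for this prefix

def sample_range_body():
    """Constructed response in the service's format; counts are made up."""
    _, suffix = hibp_prefix_suffix("password")
    return "\r\n".join(["0" * 35 + ":3", suffix + ":9001", "F" * 35 + ":1"])

if __name__ == "__main__":
    body = sample_range_body()          # swap for fetch_range(prefix) when online
    for pw in ["password", "tidal-Quartz-91-lantern!"]:
        prefix, _ = hibp_prefix_suffix(pw)
        print(prefix, "->", breach_count(pw, body), "occurrences")
```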

“Security-related settings should be maintained over time to ensure they still reflect your needs and provide the right level of protection,” emphasizes Hostinger’s security team.

As data breaches continue affecting businesses of all sizes, SMEs are particularly encouraged to review their password policies and implement comprehensive security awareness training for all staff members.
