Half of 2025’s leaked passwords were already compromised years ago

It is 2025, and we are still protecting our digital lives with ‘12345’

If you are still appending the current year to the end of your password, you are not slick, and you certainly aren’t secure. According to new research from cybersecurity firm Kaspersky, we are stuck in a dangerous loop of bad digital hygiene, recycling credentials that hackers have known about for years.

The data, which analysed major password leaks from 2023 through 2025, paints a grim picture of human habit. The headline figure is alarming: 54 per cent of the compromised passwords found in 2025 leaks had already been exposed in prior data breaches.

This suggests that for the majority of users, the problem isn’t just that they are being hacked; it is that they are using keys that were stolen years ago. Kaspersky claims the average lifespan of a password found in these dumps is between 3.5 and 4 years. In internet time, that is an eternity.

The ‘12345’ Problem

Despite years of warnings, multi-factor authentication (MFA) pushes, and the rise of biometrics, the password remains the primary method of authentication for most – and we are terrible at creating them.

Kaspersky’s analysis found that users are still relying on predictable patterns that make brute-force attacks (where hackers use software to guess millions of combinations a second) trivially easy. The most common offender remains the sequence ‘12345’.

But it gets more specific. We have a tendency to anchor passwords to time.

  • 10 per cent of the passwords analysed contained a number resembling a date between 1990 and 2025.
  • 0.5 per cent of all leaked passwords ended specifically with “2024”. That might sound small, but it means every 200th password is essentially the same guessable string.

Common nouns like “love”, names of countries, and personal names also feature heavily. When you combine a common word with a predictable date suffix, you aren’t creating a stronghold; you are creating a welcome mat.

The Pivot to Passkeys

This inertia is exactly why the industry – including Google, Apple, and Microsoft – has been aggressively pushing toward passkeys, a standard that replaces the typed password entirely.

Unlike a password, which is a shared secret (you know it, the server knows it), a passkey uses public-key cryptography. When you set one up, your device generates a unique pair of cryptographic keys. The private key stays on your device and never leaves. The public key is sent to the service you are logging into.

When you try to log in, the service sends a random challenge. Your device answers it by signing the challenge with the private key, usually after a local biometric check like a fingerprint or Face ID unlocks it. Because the server only ever holds your public key, there is nothing usable for hackers to steal in a server breach. It is also phishing-resistant; a passkey is bound to the site it was created for, so one registered for google.com simply won’t work on a fake site like g00gle.com.

Kaspersky’s Implementation

This brings us to the software update accompanying the research. Kaspersky is updating its Password Manager to fully support passkeys across all platforms.

While passkeys are secure, the early user experience has been fragmented. A passkey created on an iPhone is stored in iCloud Keychain, which makes it annoying if you then want to log in on a Windows PC or an Android tablet. Third-party managers like 1Password, Bitwarden, and now Kaspersky, are trying to bridge that gap by syncing passkeys across different ecosystems.

The new update allows users to create, store, and sync passkeys directly within the Kaspersky app. This means if you generate a passkey on your phone, it is synchronised and available to unlock your account on your desktop, bypassing the platform restrictions of Apple or Google.

Marina Titova, VP for Consumer Business at Kaspersky, frames the update as a necessary evolution to stop the “juggling” of logins that leads to the fatigue – and the bad habits – highlighted in their report.

The feature works similarly to existing password flows: you update the app, grant permissions, and then follow the prompts on supported websites to replace your static password with a cryptographic key.

The Analyst

The Analyst delivers in-depth, data-driven insights on technology, industry trends, and digital innovation, breaking down complex topics for a clearer understanding. Reach out: Mail@Tech-ish.com