Thanks to the unfortunate reality of massive data breaches, cybersecurity researchers now have access to billions of real-world passwords. Analyzing these credentials provides a sobering look at what the average user password actually looks like, and the results are startling. The truth is the vast majority of them are critically weak.
The Average Password Has a Frighteningly Low “Entropy”
In cybersecurity, password entropy is a measure of a password’s unpredictability and randomness. It’s calculated in “bits,” and the higher the number of bits, the longer it would take a computer to guess it through brute force. A truly secure password should ideally have around 80-100 bits of entropy.
So, how strong is the average password? Studies of large-scale data breaches paint a grim picture, estimating the average password entropy is somewhere between 19 and 41 bits.
- One widely cited study of half a million users found an average entropy of just 40.54 bits.
- An analysis of the infamous 2012 LinkedIn breach revealed that the cracked passwords had an even lower average entropy of 18.95 bits.
To put that into perspective, an 18-bit password can be cracked by a modern computer in less than a second. A 40-bit password, which many might consider reasonably complex, can be broken in a few hours to a few days with a dedicated cracking setup.
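To make the bit counts above concrete, here is a small added example (not code from the original post) that computes the brute-force entropy of a password from its length and the alphabet it draws on, length × log2(alphabet), and turns a bit count into an expected crack time. The guess rates are constructed assumptions: real throughput depends on the hash algorithm, the hardware and whether the attack runs online against a rate-limited login or offline against a leaked hash.

```python
import math

# Constructed guess rates for illustration; real figures depend on the hash
# algorithm, the hardware and whether the attack is online or offline.
GUESS_RATES = {
    "online, rate-limited login": 1e2,
    "offline, slow hash (e.g. bcrypt)": 1e5,
    "offline, fast hash on GPU": 1e10,
}


def charset_size(password: str) -> int:
    """Size of the smallest standard alphabet that covers every character used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation and space
    return size


def brute_force_entropy_bits(password: str) -> float:
    """Upper-bound entropy as seen by a brute-force attacker:
    log2(alphabet ** length) = length * log2(alphabet)."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to find the password: on average half the keyspace is searched."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render a number of seconds in the largest convenient unit."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"


def crack_time_table(bits: float) -> dict:
    """Expected crack time for a given entropy under each assumed guess rate."""
    return {scenario: expected_crack_seconds(bits, rate)
            for scenario, rate in GUESS_RATES.items()}


if __name__ == "__main__":
    # Constructed sample passwords; the first two bit counts below are the
    # averages quoted in the post.
    for pw in ["123456", "Dragon!2023", "correct horse battery staple"]:
        print(f"{pw!r}: {brute_force_entropy_bits(pw):.1f} bits "
              f"(alphabet size {charset_size(pw)})")
    for bits in (18.95, 40.54, 80.0):
        print(f"\n{bits} bits:")
        for scenario, secs in crack_time_table(bits).items():
            print(f"  {scenario:<35} {human_duration(secs)}")
```

Note that this is an upper bound: it assumes every character was chosen uniformly at random, which is exactly what the breach studies show users do not do. Each extra bit doubles the expected crack time, and each extra character adds log2(alphabet) bits, so length matters more than swapping a letter for a symbol.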
Why Are Our Passwords So Weak? The Predictable Human Factor
The core of the problem isn’t necessarily user laziness; it’s human psychology. We create passwords we can remember, and that makes us predictable. Attackers don’t guess passwords randomly; they exploit these patterns.
1. The Myth of the Unique Password
The top 10 most common passwords (123456, password, qwerty, etc.) have appeared millions of times in data breaches. While you might think no one uses these, they are so common that they are the very first thing an attacker will try, giving them virtually zero effective entropy. The issue is compounded by password reuse; if your favorite password is leaked from one site, attackers will try it everywhere else.
2. We Follow the Same “Strong” Formulas
Most people follow the same predictable patterns to meet complexity requirements. A password like Dragon!2023 might seem strong, but it perfectly fits a common formula attackers specifically target: [CapitalizedWord][Symbol][Year]. Applying transformations like these to dictionary words is called word mangling. Attackers know how you think, and they have a large incentive to crack a password.
When everyone follows the same “random” pattern, it’s not random anymore. A study that analyzed 10 million leaked passwords found that 84% should be considered weak and vulnerable, with the most common format being just eight characters with two character types.
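The gap between a password's apparent strength and its real strength is the point of this section, so here is an added example (not from the original post) of a defender-side strength check that accounts for it. It compares the naive entropy a character-counting meter would report with the effective entropy once a denylist of common passwords and a few predictable formulas such as [CapitalizedWord][Symbol][Year] are taken into account. The denylist sample and the pool sizes (dictionary words, symbols, years, digit suffixes) are constructed assumptions; a deployment would load a breach-derived list and tune the pools to its own threat model.

```python
import math
import re
from typing import Optional

PRINTABLE_ASCII = 95  # alphabet a naive meter assumes when it just counts characters

# Constructed denylist sample; a deployment loads a breach-derived "top N" list.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "123456789", "12345678",
                    "111111", "abc123"}

# Constructed assumptions about the size of an attacker's candidate pools.
DICTIONARY_WORDS = 50_000   # common dictionary words
SYMBOLS = 33                # printable ASCII punctuation
YEARS = 100                 # 1950-2049
DIGIT_SUFFIXES = 11_110     # every 1- to 4-digit string

# Predictable formulas and the keyspace an attacker actually has to search for each.
PATTERNS = [
    ("[CapitalizedWord][Symbol][Year]",
     re.compile(r"^[A-Z][a-z]+[^A-Za-z0-9](19|20)\d{2}$"),
     DICTIONARY_WORDS * SYMBOLS * YEARS),
    ("[CapitalizedWord][Digits]",
     re.compile(r"^[A-Z][a-z]+\d{1,4}$"),
     DICTIONARY_WORDS * DIGIT_SUFFIXES),
    ("[word][Digits][Symbol]",
     re.compile(r"^[a-z]+\d{1,4}[^A-Za-z0-9]$"),
     DICTIONARY_WORDS * DIGIT_SUFFIXES * SYMBOLS),
]


def naive_entropy_bits(password: str) -> float:
    """What a character-counting meter reports: length * log2(95)."""
    return len(password) * math.log2(PRINTABLE_ASCII)


def matched_pattern(password: str) -> Optional[str]:
    """Name of the first predictable formula the password fits, if any."""
    for name, regex, _ in PATTERNS:
        if regex.match(password):
            return name
    return None


def effective_entropy_bits(password: str) -> float:
    """Entropy against an attacker who tries common passwords and formulas first."""
    if password in COMMON_PASSWORDS:
        return 0.0  # tried before anything else: no effective entropy at all
    for _, regex, keyspace in PATTERNS:
        if regex.match(password):
            return math.log2(keyspace)  # attacker only searches that formula's pool
    return naive_entropy_bits(password)


def assess(password: str, minimum_bits: float = 40.0) -> dict:
    """Policy decision for a new password, with the reasoning exposed."""
    effective = effective_entropy_bits(password)
    return {
        "naive_bits": round(naive_entropy_bits(password), 1),
        "effective_bits": round(effective, 1),
        "pattern": matched_pattern(password),
        "in_denylist": password in COMMON_PASSWORDS,
        "accepted": effective >= minimum_bits,
    }


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ["123456", "Dragon!2023", "Summer99", "xK9#vLq2!rTw"]:
        print(pw, assess(pw))
```

Dragon!2023 reports over 70 naive bits but under 30 effective bits here, because the attacker never searches the full 95-character alphabet, only the roughly 165 million candidates the formula produces. Rejecting denylisted passwords and known formulas at enrolment is the cheap defensive counterpart to the cracking rules the post describes.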
3. We Underestimate the Power of Length
Password strength grows exponentially with each character you add. Unfortunately, studies show that nearly half of users create passwords that are eight characters or shorter. This limited length, combined with predictable patterns, makes them trivial for modern computers to crack.
4. AI Models Can Attack Passwords Now
The core of the problem isn’t that we’re lazy. It’s that our brains are wired for patterns, and attackers’ tools have evolved to exploit this better than ever. Previously, attackers relied on hand-crafted techniques such as word-mangling rules and dictionary attacks.
Now, new approaches like PassGAN have raised the stakes. Instead of using human-made rules, PassGAN uses a Generative Adversarial Network (GAN), a type of AI, to autonomously learn the distribution of real passwords from leaked datasets. It doesn’t need a list of tricks, it models our password psychology and generates sophisticated guesses that mimic how real people think.
The AI learns to create password candidates that “look like” human-generated passwords, catching patterns that older rule-based systems miss entirely. When the output of PassGAN is combined with traditional tools like Hashcat, it can crack 51% to 73% more passwords than Hashcat could alone. This is terrifying. And PassGAN isn’t the only one.
What Can We Do About It?
The data from billions of leaked credentials indicates a clear conclusion: the average password is a significant security risk, because the randomness a strong password requires conflicts with human psychology.
The best defense for most accounts is a password manager for generating and storing long, random passwords. For the critical master password that protects the manager, a passphrase of four or five unrelated words is a stronger approach than a short, complex password.
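As an added example (not from the original post), the following shows what the advice above looks like in code: a random password drawn from a full alphabet, as a password manager would generate it, and a multi-word passphrase suitable for a master password, both drawn with a cryptographically secure source rather than a predictable one. The embedded wordlist is a constructed 16-word sample so the code runs offline; the entropy figures use the size of the EFF long wordlist (7,776 words), which is what a real generator would load.

```python
import math
import secrets
import string

# Constructed mini wordlist so the example runs offline. A real generator loads a
# large published list; the EFF long wordlist has 7,776 entries, the size used
# for the entropy figures below.
SAMPLE_WORDS = ["anchor", "bramble", "cobalt", "drizzle", "ember", "fjord",
                "glacier", "hammock", "iris", "juniper", "kestrel", "lantern",
                "marble", "nectar", "orchid", "pebble"]
EFF_LONG_WORDLIST_SIZE = 7776

FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generated_entropy_bits(num_symbols: int, pool_size: int) -> float:
    """Entropy of num_symbols picks made uniformly at random from a pool.
    Works for characters from an alphabet or words from a list."""
    return num_symbols * math.log2(pool_size)


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest passphrase length that reaches the target entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_password(length: int, alphabet: str = FULL_ALPHABET) -> str:
    """Manager-style random password; secrets.choice is unbiased and CSPRNG-backed."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(num_words: int, words=SAMPLE_WORDS, separator: str = " ") -> str:
    """Master-password style passphrase of unrelated words, each chosen independently."""
    return separator.join(secrets.choice(words) for _ in range(num_words))


if __name__ == "__main__":
    pw = generate_password(20)
    print(f"manager password: {pw!r} "
          f"({generated_entropy_bits(20, len(FULL_ALPHABET)):.1f} bits)")
    for n in (4, 5, 7):
        bits = generated_entropy_bits(n, EFF_LONG_WORDLIST_SIZE)
        print(f"{n}-word passphrase from a {EFF_LONG_WORDLIST_SIZE}-word list: {bits:.1f} bits")
    print(f"words for 80 bits: {words_needed(80, EFF_LONG_WORDLIST_SIZE)}")
    print(f"sample passphrase: {generate_passphrase(5)!r}")
```

The entropy of a passphrase comes entirely from the random selection, not from the words themselves, so a phrase chosen from memory or from a favourite quotation gets none of the bits computed here. With a 7,776-word list, four words give about 52 bits and five about 65 bits; reaching the 80-bit figure mentioned earlier takes seven words.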
The downside, of course, is that even this can be fragile. Human memory relies on association, not the perfect serial recall required by passwords. This has led to the exploration of new authentication systems that work with human cognition. For example, our new method called Fuzzypass utilizes “cued recall,” where a user remembers a list of words but only needs to provide a random subset to log in. This approach allows a person to command over 100 bits of entropy without the all-or-nothing brittleness of a traditional password.
This kind of innovation is part of a broader effort to rethink digital identity management. Platforms such as our Locke ID are building systems that not only manage passwords and passkeys but also explore next-generation authentication techniques such as Fuzzypass.