
Key Takeaways
- A recent Cybernews study shows people are still clinging to weak, reused passwords, which may leave their accounts — and providers’ servers — open to attack.
- From lazy keyboard patterns to pop culture names, bad password habits are apparent, and providers should enforce stronger policies as soon as possible.
A new study by Cybernews found four common themes in the most exploitable passwords. And chances are, your clients are using all of them.
Cybernews’ research team studied actual leaked data from 200 incidents between April 2024 and 2025. By analyzing actual passwords people use, their research proved certain bad habits are still happening.
Among the worst of their findings is that a lot of people are reusing the same passwords across different platforms, said Neringa Macijauskaitė, an information security researcher at Cybernews.
“We’re facing a widespread epidemic of weak password reuse,” she said. “Only 6% of passwords are unique, leaving other users highly vulnerable to dictionary attacks.”
Using common passwords — and reusing them on different accounts — only makes it easier for hackers to break in. For many, even one security breach can be too expensive to recover from.
Providers, it may be a good idea to ask clients to reset their passwords. And when you do, you’ll want to include these parameters to avoid some of the most common mistakes.
Twelve Is the New Minimum
There was a time when passwords were just four characters long. Fast-forward 20 years, and the standard rose to eight. But Macijauskaitė says the new minimum should be 12 characters or more.
Forty-two percent of people still use passwords between eight and 10 characters, with eight characters being the most common (likely because many systems won’t accept anything shorter nowadays).

The report called this “lazy keyboard patterns.” Even going one character beyond the minimum is a step further than most are willing to take.
Macijauskaitė added, “Despite years of security education, users still prefer shorter passwords because they are easier to type and memorize.”
Still Stuck on “1234”?
If this report showed us anything, it’s that the average person isn’t too creative when it comes to passwords.
People are still using simple sequences like “1234” or “123456,” and common defaults like “password” and “admin.”
Popular names from the Top 100 list are easy targets, as are positive words like “love,” “sun,” and “freedom.”
Also, avoid pop culture favorites like “Mario” or “Elsa.” Profane words like “ass” and “bitch” are surprisingly common too. Other common keywords are popular cities, animals, months and seasons, and foods.
Don’t Be Basic
Take a moment to think about your own password. Is it mainly lowercase, maybe with a number or two thrown in? If so, that structure is among the most common password patterns.
“According to our weakest password research done in 2022, only 1% of passwords used a mix of lowercase, uppercase, numbers, and symbols. Now that figure has climbed to 19%,” said Macijauskaitė.

The issue is that this structure increases vulnerability to brute-force and dictionary attacks.
Dictionary attacks use a precompiled list of predictable passwords, so entries like “password123” and “letmein” will be cracked in about a second.
One Account, One Password
Tracking this is nearly impossible, so it really comes down to trusting people to be honest. Each of your clients’ accounts should have a unique password that isn’t used anywhere else, said Macijauskaitė.
“The prevalence of weak, reused, and simple passwords across platforms significantly increases the risk of cyberattacks,” she added.
And it’s not even just their account they’re risking. Depending on your infrastructure and internal security mitigation measures, it could affect the entire system.
“If you reuse passwords across multiple platforms, a breach in one system can compromise the security of other accounts, creating a domino effect,” Macijauskaitė said.
Just the Bare Minimum
Most providers have rules to prevent users from reusing old passwords. Others take it up a notch, which is quickly becoming the bare minimum.
For example, VMware requires your password to have a mix of uppercase and lowercase letters, numbers, and special characters. In another few years, it may require a 12-plus-character count as well.
Since clients expect providers to be responsible for protecting their environments and their data, enforcing stronger password requirements is a simple way to meet that expectation.
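The parameters above (12-character minimum, all four character classes, no common or pop-culture words, no keyboard sequences, no reuse of an earlier password) can be enforced at reset time with a small policy check. The following is an added example, not code from Cybernews or from any provider mentioned in the article; the denylist is a constructed stand-in for a real breached-password corpus, and the password-history check assumes the provider keeps hashes of earlier passwords.

```python
import hashlib
import re

MIN_LENGTH = 12  # the study's recommended minimum

# Constructed denylist: a few of the themes named in the study. A real deployment
# would load a large breached-password list instead of this handful of entries.
COMMON_PASSWORDS = {
    "password", "admin", "1234", "123456", "letmein", "password123",
    "qwerty", "love", "sun", "freedom", "mario", "elsa",
}

# Keyboard rows used to detect "lazy keyboard patterns" such as qwer or asdf.
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def has_keyboard_pattern(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` adjacent keys from one row, forward or reversed."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            seg = row[i:i + run]
            if seg in low or seg[::-1] in low:
                return True
    return False


def contains_common_word(pw: str) -> bool:
    """True if the password, or its alphabetic core, is on the denylist.

    Stripping leading/trailing digits and symbols means "Mario2024!" is still
    caught as the common word "mario" with a predictable suffix.
    """
    low = pw.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", low)
    return low in COMMON_PASSWORDS or core in COMMON_PASSWORDS


def character_classes(pw: str) -> int:
    """Count how many of lowercase, uppercase, digit and symbol classes appear."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])


def password_fingerprint(pw: str) -> str:
    """Hash used for the reuse-history check (assumed storage format for this
    example; a production system would compare against its own password hashes)."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def evaluate_password(pw: str, previous_fingerprints=frozenset()) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(pw) < 4:
        problems.append("does not mix lowercase, uppercase, digits and symbols")
    if contains_common_word(pw):
        problems.append("matches a common or dictionary password")
    if has_keyboard_pattern(pw):
        problems.append("contains a keyboard sequence")
    if password_fingerprint(pw) in previous_fingerprints:
        problems.append("reused from a previous password")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords illustrating each theme from the study.
    history = {password_fingerprint("Tr0ub4dor&3-Horse!Staple")}
    for candidate in ["password123", "Mario2024!", "qwertyuiop1A!",
                      "Tr0ub4dor&3-Horse!Staple", "Correct-Horse-9-Battery!"]:
        verdict = evaluate_password(candidate, history)
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

Each check corresponds to one section of the article, so a failing password tells the user which habit to drop rather than just "rejected". The reuse check only compares against the account's own history; preventing reuse across different providers is not something one provider can verify, which is why the article frames it as a matter of trust.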
But since it’s a bit of a hassle, it may also be helpful to throw a password manager tool into your suite to make your clients’ lives a little easier.