Guest Post: From “admin” to “admin1” — why hackers love minor tweaks in your login credentials

A new analysis reveals that a common habit of making small tweaks to existing passwords — such as adding a number or changing a symbol in an existing password, instead of creating a unique one — is a massive security risk that hackers easily exploit. Despite company policies and security training, this widespread practice of using near-identical passwords remains one of the biggest, most underestimated threats, cybersecurity experts warn.

This risky behaviour is indeed widespread. NordPass’ password reuse survey reveals that 62% of Americans, 60% of Brits, and 50% of Germans reuse passwords across multiple online accounts. On average, people reuse passwords for about five accounts, with one-fifth admitting to reusing them for 10 or more accounts. 

“This risky habit, affecting nearly three in five users, creates a domino effect of vulnerability, where a single compromised password can unlock an entire digital life,” says Karolis Arbaciauskas, head of product at NordPass.

Adding a letter, a number, or a symbol

According to the survey data, 68% of Americans who reuse passwords make at least some changes before reusing them. The same is true for 62% of Brits and 61% of Germans. The most common change is adding or changing a number, symbol, or letter.

“Such a lax approach to security can result in stolen data or an emptied bank account, and a lot of anxiety,” says Arbaciauskas. “However, I must agree that, in terms of sheer damage that a threat actor could do, this practice is an especially dangerous phenomenon in the corporate environment, because it technically does not violate most password policies and it often stays unnoticed by administrators. This way, it can become an entry point for threat actors, who would gladly extort or blackmail the company.”

Most common variations 

In the “Top 200 most common passwords 2025” list, researchers found 119 nearly identical passwords, which were divided into seven approximate groups:

  • Sequential number variations. Examples: 12345, 123456, 1234567, 987654321.
  • “Admin” variations. Examples: admin, Admin, adminadmin, admin123.
  • “Password” variations. Examples: password, Password1, p@ssw0rd, Passw0rd.
  • Keyboard pattern variations. Examples: qwerty, qwerty123, abcd1234, Abcd@1234.
  • Repetitive pattern variations. Examples: 11111111, 111111111, aa112233, aabb1122.
  • Common word variations. Examples: welcome, Welcome1, test123, Test@123.
  • Prefix/suffix variations. Examples: a123456, Aa123456, Aa@123456, 12345678a.

The most numerous groups are sequential number variations, keyboard pattern variations, and repetitive pattern variations.

“This is just a rough breakdown, based on variations of the same passwords. However, in principle, all 200 passwords can be placed into certain predictable categories. For example, when compiling the list itself, we noticed that popular names and surnames, place names, swear words, brand names and equivalents of the word ‘password’ in various languages are often used as passwords, often with added numbers or special characters. Those passwords feel unique, but are all predictable patterns. Threat actors know this, and the automated hacking tools they use most certainly can apply common transformations, such as adding or changing characters, and incrementing numbers,” says Arbaciauskas.

Why do people reuse passwords?

A third of internet users who reuse passwords say they do it because they have too many accounts to manage different passwords for each one. About 25% say that they find it inconvenient to create and manage unique passwords. 

“People reuse passwords because it’s easier that way. Between work tools, financial apps, subscriptions, social networks, online shopping, and gaming, the number of accounts adds up quickly. The average person has around 170 passwords. Remembering unique passwords for all of them isn’t realistic. But it is worrying that, despite repeated warnings, about 10% of respondents still don’t think there’s a significant risk in reusing passwords. This mindset is a disaster waiting to happen. Threat actors could gain access to all your accounts, your identity could be stolen, your credit card maxed out, or a loan could be taken out in your name. In a corporate setting, this behaviour could cost millions, if you let ransomware in,” says Arbaciauskas.

Password safety tips

According to Arbaciauskas, a few general rules can greatly improve digital hygiene and help avoid falling victim to cyberattacks due to ineffective password management:

  • Security training. Many companies are already doing this. Although this doesn’t always work — sometimes even cybersecurity professionals get fooled — training bears fruit. Companies that run regular security workshops experience fewer cases of reused credentials, and employees often use this knowledge in personal life.
  • Password policies and technologies. Companies should have robust password policies. Ideally, the company’s system would automatically compare newly created passwords with those already leaked on the dark web and prevent the creation of one that is the same or very similar to the one already leaked. It’s best to use password generators for both personal and work accounts.
  • Multi‑factor authentication (MFA). So far, this is the most reliable and convenient way to provide additional protection for business and personal accounts. MFA, which requires you to provide a one-time code when logging in, can stop account takeover even when the threat actors have your password.
  • Password manager. It can help you generate, store, manage, and safely share passwords. A password manager removes the need to rely on memory altogether. Instead of trying to come up with something clever or easy to remember, it creates long, random passwords that don’t follow patterns. And you don’t need to remember them — just autofill or copy-paste.
  • Consider passkeys. A passkey pairs public‑key cryptography with device biometrics, so there’s nothing to type, nothing to forget, and nothing to reuse. Although adoption is somewhat slower than expected, many major platforms already support them. Where passkeys are unavailable, turn on MFA.
