🧠🧑💻 From feeling to facts: Password security in reality check
- Daniel Eberhorn

- Dec 31, 2025
- 4 min read

In conversations with admins, developers, or CISOs, the same question comes up again and again: What is considered a secure password today? The answers range from "Summer 2021!" to 64 characters of pure randomness.
To make this discussion more tangible, I analyzed a well-known, publicly available password leak: the 2021 Fortinet leak. Although the incident occurred several years ago, the passwords it contained are frighteningly current—both in structure and mindset.
The leak impressively demonstrates how weak the first line of defense often is. Tens of thousands of VPN credentials ended up unencrypted on the internet – providing a rare insight into the real password practices of companies around the world.
What the Fortinet leak shows
A total of 76,384 passwords were extracted from the Fortinet dump and analyzed. The key data:
Distribution
12.27% of passwords meet basic security criteria
Note: at least 12 characters long and a combination of at least three of the following four categories - uppercase letters, lowercase letters, numbers and special characters.
87.73% are considered unsafe – sometimes shockingly trivial
Length analysis
Average password length: 10.23 characters
Shortest password: 6 characters
Longest password: 50 characters
Complexity
46.82% contain special characters
91.53% contain numbers
70.14% use capital letters
98.60% use lowercase letters
In almost all cases, secure passwords contain at least three of these four categories—ideally all of them. Many passwords on this list, however, are based on clear patterns or contain no special characters or capital letters.
Weaknesses in the system: Typical patterns and points of attack
1. Trivial passwords
Examples like 123456, password, abc123, or qwerty appear hundreds of times. These passwords can be compromised within seconds using simple tools and standard dictionaries.
2. Years
The combination of terms like "summer" or "welcome" with a year like 2020 or 2021 is extremely common: 2020 appears 6,768 times, and 2019 1,692 times. Such passwords can be targeted with tools and pattern searches—even simple word lists with a combined year quickly lead to success.
Note: Even though the leak dates back to 2020/2021, these patterns are still current today and can easily be transferred to 2024 or 2025.
3. Only numbers
2,230 passwords consist exclusively of numbers. Here, too, the brute-force resistance is minimal—less than one second for 6-digit passwords.
4. Repeated base with slight variation
Many passwords are based on a repeated basic pattern – such as “Summer2019”, “Summer2020”, “Summer2021” – and merely suggest variation without providing real security.
Technical classification: Creating secure vs. insecure passwords
A comparison of the character sets found in the Fortinet leak reveals significant differences. Important: The following percentages describe how often certain features appeared within the passwords classified as "secure" or "unsecure" in the leak. They do not represent recommendations on how frequently a particular character "should" appear in a secure password.
| Feature | Secure passwords (%) | Insecure passwords (%) |
| --- | --- | --- |
| Contain special characters | 100.00% | 39.38% |
| Contain numbers | 94.68% | 91.08% |
| Contain capital letters | 100.00% | 66.01% |
| Contain lowercase letters | 100.00% | 91.68% |
Note: In this analysis, passwords were classified as "secure" if they are at least 12 characters long and consist of a combination of at least three of the following four character types: uppercase letters, lowercase letters, numbers, and special characters.
The difference lies not in the mere use of numbers or letters – but in their consistent and combined application.
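As an added example (not part of the original article), the following Python audit script applies the article's classification rule (at least 12 characters and at least three of the four character classes) and flags the patterns discussed above (trivial entries, embedded years, digits-only, seasonal and month words) over a small password list. The sample passwords and the context-word list are constructed assumptions of mine, not data from the leak.

```python
import re
from collections import Counter

# Constructed sample in the spirit of the leak; not real leaked credentials.
SAMPLE_PASSWORDS = [
    "Summer2021", "Summer2020", "Winter2019", "April2020!", "123456",
    "password", "qwerty", "abc123", "20202020", "Tr0ub4dor&3xample!",
    "xK9#pL2$vQ7m", "welcome2020", "Berlin.Summer2021!",
]

# Assumed context words; extend with local seasons, months, company names.
CONTEXT_WORDS = {"summer", "winter", "spring", "autumn", "welcome",
                 "january", "february", "march", "april", "june", "july",
                 "august", "september", "october", "november", "december"}
TRIVIAL = {"123456", "password", "abc123", "qwerty"}
# A standalone 4-digit year 1950-2049, not part of a longer digit run.
YEAR_RE = re.compile(r"(?<!\d)(19[5-9]\d|20[0-4]\d)(?!\d)")

def char_classes(pw: str) -> dict:
    return {"upper": any(c.isupper() for c in pw),
            "lower": any(c.islower() for c in pw),
            "digit": any(c.isdigit() for c in pw),
            "special": any(not c.isalnum() for c in pw)}

def meets_criteria(pw: str) -> bool:
    """The article's rule: >= 12 characters and >= 3 of the 4 classes."""
    return len(pw) >= 12 and sum(char_classes(pw).values()) >= 3

def pattern_flags(pw: str) -> set:
    """Weak-pattern indicators a defender would report, not a crack attempt."""
    flags, low = set(), pw.lower()
    if low in TRIVIAL:
        flags.add("trivial")
    if pw.isdigit():
        flags.add("digits_only")
    if YEAR_RE.search(pw):
        flags.add("year")
    if any(w in low for w in CONTEXT_WORDS):
        flags.add("context_word")
    return flags

def audit(passwords):
    n, lengths = len(passwords), [len(p) for p in passwords]
    classes, flags = Counter(), Counter()
    for p in passwords:
        classes.update(k for k, v in char_classes(p).items() if v)
        flags.update(pattern_flags(p))
    return {"total": n,
            "secure_pct": round(100 * sum(map(meets_criteria, passwords)) / n, 2),
            "avg_len": round(sum(lengths) / n, 2),
            "min_len": min(lengths), "max_len": max(lengths),
            "class_pct": {k: round(100 * classes[k] / n, 2) for k in
                          ("upper", "lower", "digit", "special")},
            "flags": dict(flags)}
```

Run `audit(SAMPLE_PASSWORDS)` on your own (hashed-and-cracked or policy-test) corpus to get the same summary the article presents for the leak.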
Context-dependent terms: When language becomes a risk
Terms like summer, winter, or month names like June, April, or December frequently appear in passwords—and that's no coincidence. People often choose passwords that are easy to remember—intuitively using familiar words from their everyday lives. The problem: Such words are not only easy to remember, but also easy to guess.
These terms appear repeatedly in password lists – often combined with numbers or years. Examples like Summer2021, Winter2019, or April2020! are not exceptions, but rather patterns. Such passwords offer attackers an ideal target: They can be systematically tested using so-called "dictionary attacks" and targeted word-year combinations.
It becomes particularly critical when a common term doesn't form the entire password, but is only a part of it – for example, as a prefix, suffix, or component in a seemingly complex character string. Even then, the attack point remains, as many tools specifically search for such known patterns.
In short, as soon as language or context-related terms appear in a password, it becomes predictable. And predictability is always a risk in password security.
Top terms in the leak:
summer: 1,235 occurrences
winter: 890 occurrences
A smart attacker uses context-sensitive dictionaries and regex combinations to efficiently test precisely such terms.
Recommendations: What secure passwords should really look like
Detailed recommendations on how passwords should be structured today – and why old rules of thumb like “8 characters are enough” are long outdated – can be found in the article:
What can we learn from the leak for password security?
Even professional networks were affected – many of them with VPN access without multi-factor authentication. Many administrators responded by resetting passwords – but that's not enough.
The key finding: A good password alone isn't enough. A security concept is needed that includes, among other things:
MFA as standard
Security awareness at all levels
Regular checks for compromised credentials