Unique passwords often reduce vulnerability to data breaches and unauthorized access. However, it’s common practice for people to use the same password for multiple accounts – because they don’t want to forget their passwords and lose access to their profiles.
Passwords are crucial to keeping online accounts safe. Third parties can hardly gain access to your account if they don’t know your password – unless it’s insecure and easy to crack. Hence, it’s vital to use strong passwords that comply with PCI DSS, SOC 2, and other relevant frameworks.
On a side note, including a few numbers in your password is not a healthy practice on its own, as it does not translate to a solid and secure password.
In this article, we’ve curated a list of 85 best password statistics emphasizing the importance of having a secure password. Dive in to discover weak password behavior and password trends and practices.
Top 10 password statistics – Quick list
Here’s a list of the top 10 statistics covering every aspect of password security and management.
- Although 67% of organizations establish a password policy for employees, ironically, only 34% ensure strict implementation.
- In 2021, “123456” appeared as the easiest-to-crack password, taking hackers less than one second to crack.
- One of the most popular passwords, cutting across all industries, is “password.”
- 57% of workers wrote down official passwords on writing materials, and 67% have lost these notes.
- About 46% of cybersecurity and IT security experts admit to saving passwords in accessible documents.
- Although 92% of people know that using password variations is unsafe, 65% still do it.
- 42% of password manager users use fingerprint and biometric authentication for their accounts.
- 1 out of 3 Americans prefers easy-to-remember passwords over secure passwords.
- 79% of users create passwords with word-number combinations.
- Phishing attacks led to 36% of data breaches in 2020.
Password security statistics
Technology companies are now adopting password managers and two-factor authentication to improve password security. Below are statistics showing how Americans are managing password security.
- The adoption of two-factor authentication is more prevalent among employed participants. In 2021, while 79% of employed respondents admitted using two-factor authentication, only 60% of unemployed participants used it. (Duo Labs)
- Two-factor authentication gained widespread popularity between 2019 and 2021. In 2019, only 53% of the respondents used the technology, compared to 79% in 2021. (Duo Labs)
- 66% of Americans are not asked to use a password manager for their official duties. However, 73% of Americans believe their companies should provide one for them. (Bitwarden)
- 40% of Americans are inclined to use password managers, compared with 31% in the rest of the world. (Bitwarden)
- SMS-based two-factor authentication is the most popular 2FA method among users (85%), followed by emails (72%). (Duo Labs)
- According to a Visa survey, most users are familiar with biometric authentication, with 65% of users having at least tried fingerprint unlock and more than half (35%) using it regularly. (Visa)
- There’s been an increase in the number of people using password generators, as 27% used them in 2021, up from 15% in 2020. (Secureframe)
- Around 94% of cybersecurity and IT security leaders admit that they require password management training. However, only 63% organize this training more than once annually. (Bravura Security)
- While 67% of organizations establish a password policy for employees, only 34% strictly enforce this policy. (Yubico and Ponemon Institute)
For those who don’t put much effort into setting a unique password, the chances that they use common passwords like “password,” “abcdef” and “123456” are high. Although it’s not the best decision as it’s easier to crack, many people still use these common passwords.
Here are some stats demonstrating why you must avoid using common passwords.
- According to a 2021 study, the average American loses access to 10 online accounts monthly. (LastPass Survey)
- WPEngine assessed that about 420,000 out of 10 million passwords ended with a number between 0 and 99. (WPEngine)
- 21% of users include their birth years in their passwords. (DeleteMe)
- Roughly 18% of users create passwords with their pets’ names. (DeleteMe)
- An assessment of about 4.6 million passwords that hackers use to attack RDP ports in online attacks found that 24% of the passwords have eight characters. (Specops 2023 Weak Password Report)
- The most popular animal-related password in 2021 was “dragon,” with 2,684,735 users, followed by “monkey,” with 2,507,887 users. (NordPass)
- Women used the password “iloveyou” more than men, according to NordPass. While 222,287 women used this password, only 96,785 men used it. (GroundReport)
- About 64% of people will stop visiting certain websites or social media if they cannot remember their password. (LastPass)
- The most common superhero names people used as their passwords were “Superman” and “Batman.” (WPEngine)
- A 2022 study revealed that users include years in their passwords. It can be their birth year, graduating year, or any year with a special memory. (HelpNetSecurity)
Industry password security statistics
Like many individuals, companies also fail to establish and enforce safe password policies to keep third parties and hackers from confidential information. Below is a list of statistics relating to password security in industries.
- 68.6% believe the password to their online banking account is safe. (Beyond Identity)
- On average, people share three passwords with others. At the top of the list are passwords to video streaming accounts (50.1%), followed by music streaming accounts (48.8%) and phone passwords (34.2%). (Beyond Identity)
- One of the most popular passwords, cutting across all industries, is “password.” (NordPass)
- 59% of companies providing financial services have over 500 passwords that don’t expire. (Varonis)
- One of the most popular passwords in the medical sector is “vacation.” (NordPass)
- There was a 34% chance that participants would reset the passwords to online banking apps once a month and a 44% chance that they would once a year. (Beyond Identity)
Business password statistics
Ever since the pandemic in 2020, remote jobs have become prevalent. Although this new business environment promotes higher productivity, it requires advanced password security policies.
Here are statistics covering challenges organizations often face in the remote system of operations.
- 55% of workers access work-related items using their personal devices, and 56% do not have two-factor authentication. (Yubico and Ponemon Institute)
- 57% of workers wrote official passwords on Sticky Notes, and 67% lost these notes. (Keeper Security)
- 66% of workers admit they’re more likely to write work-related passwords and details on paper when working from home than in the company’s workspace. (Keeper Security)
- 59% of information technology security experts reveal that their firm depends on human memory for password management. (Yubico and Ponemon Institute)
- 51% of individuals and 49% of IT security experts share passwords with team members to access business accounts. (Yubico and Ponemon Institute)
- 44% of surveyed workers revealed that they shared passwords and sensitive details for professional accounts while performing their duties remotely. (LastPass)
- On average, companies spend $480 per worker on time wasted solely because of password issues. (Beyond Identity)
- 39% of American workers claimed they didn’t have to change their passwords and online security measures while working remotely because they believed they were secure and strong enough. (LastPass)
- About 46% of cybersecurity and IT security experts admit they still save passwords in official documents with general access. (Bravura Security)
- Employees reuse passwords for an average of 16 official accounts. On average, IT security respondents admit using the same passwords for 12 workplace accounts. (Yubico and Ponemon Institute)
- 35% of surveyed managers claim that they made workers update their passwords regularly while working remotely. (LastPass)
- Only 7% of cybersecurity and IT security managers can confidently terminate workers’ access, maintain business continuity, and transfer passwords and credentials when they urgently terminate a worker’s employment. (Bravura Security)
- 5% of cybersecurity and IT security managers were confident that workers could not take passwords with them when leaving the company. (Bravura Security)
- Around 53% of IT experts have shared passwords via email. (Bitwarden)
- Only 24% of IT and cybersecurity experts have never shared official passwords. (Bitwarden)
Data breach statistics
Unhealthy password habits contribute to hackers’ successes in gaining unauthorized access. Here’s how poor password measures increase data breaches.
- 83% of survey participants did not know how to check if their information was on the dark web. (LastPass)
- 60% of victims of data breaches in 2020 had used at least one password for multiple accounts. (SpyCloud 2021 Credential Exposure Report)
- The most common term that hackers use to gain access to an enterprise network is “password.” (Specops 2023 Weak Password Report)
- “admin,” “password,” “p@ssword,” and “welcome” were the most common password terms used in successful data attacks in 2022. (Specops 2023 Weak Password Report)
- After a breach in 2020, 45% of the survey participants did not change the passwords to their accounts. (LastPass)
- The most common form of password attack is phishing, accounting for 36% of the data breaches in 2020. (Verizon)
- A survey in 2022 revealed that about 24 billion usernames and passwords are on the dark web and other cybercriminal marketplaces, a 65% increase from 2020. (Digital Shadows)
- Password issues make up 80% of data breaches. (Verizon)
- Only 53% of IT and cyber security managers changed their organization’s passwords or reorganized their corporate accounts after several data attacks like phishing and man-in-the-middle attacks. (Yubico and Ponemon Institute)
- Bad bots performing malicious actions like credential scraping account for 24.1% of internet traffic. (Imperva)
- Human elements such as stolen credentials, phishing, and other human errors account for 74% of data breaches. (Verizon 2023 Data Breach Investigations Report)
- 62% of respondents with high password fatigue were more likely to experience data breaches or hacks than those with low password fatigue (29%). (Beyond Identity)
Password reset statistics
Implementing strong and effective password management habits is essential for seamless and secure communication and transactions.
Below are password reset statistics showing the importance of a healthy password management policy or habit.
- 12% of people would use a variation of their old password when forced to reset it, often because of login problems. (Beyond Identity)
- 18% of survey participants in 2020 had to reset their official passwords an average of at least five times. (Dashlane)
- At least 1 in 5 people forget their passwords, having to reset them multiple times within a week. (Bitwarden)
- 48% of people are likely to leave a site when they get the “new password cannot be the same as old password” prompt while trying to reset their password. (Beyond Identity)
- 44 to 47% of people have changed their password because they entered incorrect login details at least once a year. (Beyond Identity)
- 57% of people cannot remember their passwords immediately after setting a new one. (OnePoll survey for LastPass)
- 76% of people revealed that they left their carts because of password resetting issues. (Beyond Identity)
- 25% of online shoppers won’t think twice before abandoning carts worth $100 when faced with password resetting issues at checkout. (Beyond Identity)
Weak password behaviors and statistics
Setting weak passwords or reusing passwords is a bad practice that can cause harm to individuals and organizations. Below are statistics showing how unhealthy password behaviors increase data risk:
- The password of 64% of participants includes at least eight characters. (Secureframe)
- 62% of workers write their login details in a journal or notebook, granting access to third parties and prying eyes. (Keeper Security)
- Although 92% of people know that using an existing password’s variation is unsafe, 65% still use the same, identical, or slightly different passwords for their accounts. (LastPass)
- 88% of passwords hackers used in successful attacks had a maximum of 12 characters. (Specops 2023 Weak Password Report)
- 1 out of 3 Americans are more concerned with having a password that they can remember easily than a secure password. (Bitwarden)
- 30% of participants, including workers, IT professionals, and firm managers, admit they have experienced a security breach resulting from weak passwords. (GoodFirms)
- 37% of workers have used the names of their employers for official accounts or devices. (Keeper Security)
- 62.9% of internet users only change their passwords when prompted. (GoodFirms)
- 79% of respondents mix words and numbers when creating their passwords. (ExplodingTopics)
- 18.82% of passwords hackers used in successful attacks had only lowercase letters. (Specops 2023 Weak Password Report)
- 15% of people include their first names in their passwords. (WPEngine)
- 36% of people do not enforce secure password habits because they think their accounts are not valuable for hackers to invade. (LastPass)
- According to a 2022 study, “123456” was commonly used in large-scale data breaches. (Locker)
The future of password management and security
There are different ways to ensure password security, even when you use new technologies, like two-factor authentication or biometrics. Read statistics on the future of password management and security below.
- 96% of IT and cybersecurity experts worldwide believe that authentication without passwords would improve the user experience for workers. (Ping Identity)
- 32% of participants in a 2021 survey used a password manager. (Duo Labs)
- 42% of participants in the same survey used fingerprint and other biometric authentication for their accounts or some applications. (Duo Labs)
- About 89% of IT professionals are confident that passwordless multi-factor authentication provides the highest level of authentication security. (HYPR)
- The estimate for the global market for passwordless authentication was $15.6 billion in 2022, predicted to surpass $53 billion in 2030. (Statista)
- While 65% of Americans are confident that using biometrics can improve the security of a company’s authentication process, 55% believe passwordless authentication is the best. (Yubico and Ponemon Institute)
- The estimate for the global market for multi-factor authentication was $17.9 billion in 2022, predicted to surpass $53 billion in 2030. (Research and Markets)
- According to organizations adopting or planning to adopt passwordless authentication, the top forms of authentication technologies include biometrics (67%), PIN (48%), and physical security keys (38%) globally. (Ping Identity)
Other password statistics
Are you thinking of how you can apply some of the statistics above? Below are some frequently asked questions with answers to enlighten you on password security.
What’s the maximum number of passwords an average person can have?
- According to a study in 2019, an average person has around 70-80 passwords for multiple accounts. (NordPass)
What is the most popular password?
- The top four most popular passwords in 2020 were “123456” (2,543,285 users), “123456789” (961,435 users), “picture1” (371,612 users), and “password” (360,467 users). (NordPass)
- The most popular password in 2021 was “123456” (103,170,552 users), which hackers could crack in less than one second. (NordPass)
How many people use the word “password” in their passwords?
- According to NordPass, “password” remained the most-used password from 2019 to 2022, with about 4,929,113 users. Ironically, cracking this password also takes less than one second for criminal hackers. (NordPass)
Having outlined all these informative password statistics, what’s the takeaway?
Individuals and organizations must adopt and enforce strong password habits. It’s not enough for you to set passwords you can easily remember. They must be safe, secure, and challenging to crack. Follow this, and you’ll always be one step ahead of hackers and cybercriminals.
Aim to use at least 12 characters for your password. Although most sites expect you to use eight characters, the more characters you include, the harder it is to crack. Your passwords must also include different character types alongside letters and numbers.
Absolutely! Cybercriminals can steal your password or other credentials by hacking into a website’s active directory, phishing, or other cyber attacks.
When your password manager notifies you of a breach, you can restore safety by following these steps:
1. Reset the passwords you save in the vault regularly.
2. Avoid saving your master password online.
3. Use tools that support multi-factor authentication.