If you’ve ever reused a password, you’re not alone. 

Even though 65% of people know that reusing passwords or a variation of a password is a bad practice, they continue to do so. 

While it may seem innocent enough to tack on a few extra numbers or characters at the end of a password, this helps hackers crack into multiple accounts. 

Understanding what makes a password insecure is the first step toward creating better password hygiene. Establishing strong password security not only keeps your data safe but also helps you stay compliant with frameworks like SOC 2 and PCI DSS. 

We’ve compiled a list of 80 password statistics that underscore the importance of password security.  Scroll to learn about password trends, weak password behaviors, and password practices by industry.

Weak password statistics and behaviors

While most people know that password reuse is a bad security practice, many do it anyway. Take a look at these weak password statistics and password reuse statistics to find out how poor password behaviors could put your data at risk. 

1. 1 in 3 Americans are more interested in having a password that is easy to remember versus being secure. (Bitwarden)

2. 36% of people engage in bad password habits because they believe their accounts are not valuable enough for hackers. (LastPass)

3. 62.9% of online users change their passwords only when prompted. (GoodFirms)

4. Even though 92% of people know that using a variation of the same password is a risk, 65% always or mostly use the same password or a variation. (LastPass)

5. 62% of employees say they store login credentials in a notebook or journal, leaving them accessible to prying eyes. (Keeper Security)

6. 15% of people use their own first name in their password. (Security.org)

7. 37% of respondents have used their employer’s name in a work-related password. (Keeper Security)

8. 88% of passwords used in successful attacks consisted of 12 characters or less. (Specops Software)

9. 79% of respondents created their password by mixing and matching words and numbers. (Security.org)

10. 64% of respondents said they use at least eight characters when creating a password. (Security.org)

11. 18.82% of passwords used in attacks contained only lowercase letters. (Specops Software)

12. 30% of respondents (IT experts, employees, and heads of organizations) said they have experienced a security breach due to weak passwords. (GoodFirms)

Data breach statistics

Find out how weak passwords are contributing to data breaches below. 

13. 80% of data breaches are linked to passwords. (Verizon)

14. Respondents with high password fatigue were twice as likely to have been hacked or breached (62%) than those with low fatigue (29%). (Beyond Identity)

15. "Password" is the most common term used by hackers to breach enterprise networks. (Specops Software)

16. The most common base terms in passwords used in successful attacks were: "password", "admin", "welcome", and "p@ssw0rd". (Specops Software)

17. Even after experiencing a data breach such as a man-in-the-middle attack or phishing attack, only 53% of IT security professionals say their organizations changed how passwords or protected corporate accounts were managed. (Yubico and Ponemon Institute)

18. 45% of survey respondents did not change their passwords in the past year even after a breach had occurred. (LastPass)

19. 85% of data breaches involved a human element such as phishing, stolen credentials, and human error. (Verizon)

20. 36% of breaches in 2020 involved phishing, making it the most common type of password attack. (Verizon)

21. Of passwords recovered from breaches in 2020, 60% of victims had reused at least one password across multiple platforms. (InfoSecurity)  

22. As of 2022, it's estimated that 24 billion usernames and passwords are available in cybercriminal marketplaces, including on the dark web. This is an increase of 65% in just two years. (Digital Shadows)

23. 83% of survey respondents said they would have no way of knowing if their information was on the dark web. (LastPass)

24. Bad bots, performing credential scraping and other malicious actions, account for 24% of all internet traffic. (Dark Reading)

Password reset statistics

Password management can not only lead to employee and admin frustration — it can also hurt your bottom line. Read the password reset statistics to learn how below.

25. 1 in 5 people need to reset their passwords several times per week because they forget them. (Bitwarden)

26. When forced to reset a password due to login issues, 12% of people said they are most likely to use a variation of an old password. (Beyond Identity)

27. When resetting a password and told "new password cannot be the same as old password," 48% of people said they are very likely to abandon the site. (Beyond Identity)

28. 57% of people will immediately forget their new password after resetting it. (SWNS/OnePoll survey for LastPass)

29. 25% of online shoppers would abandon their carts of $100 if prompted to reset a password at checkout. (Beyond Identity)

30. 76% of people claimed they have abandoned their cart due to issues related to resetting their passwords. (Beyond Identity)

31. 18% of respondents said they had to reset their work passwords an average of five or more times in 2020. (Dashlane)

32. 45% of people said they have to change their password due to incorrect login details at least once a year. (Beyond Identity)

Business password statistics

The increase of remote work has brought its own set of password security challenges. Read on to find out the challenges your organization may face when trying to keep sensitive data safe in today’s shifting business environment. 

33. On average, employers spent $480 per employee on time wasted due to password issues alone. (Beyond Identity)

34. 49% of IT security professionals and 51% of individuals share passwords with colleagues to access business accounts. (Yubico and Ponemon Institute) 

35. Nearly half — 46% — of IT security and cybersecurity leaders say they still store passwords in shared office documents. (Bravura Security)

36. 57% of respondents admit to writing down work-related online passwords on sticky notes, with 67% of those admitting to having lost these notes. (Keeper Security)

37. 59% of IT security professionals report that their company relies on human memory to manage passwords. (Yubico and Ponemon Institute)

38. When asked whether an employee leaving the company could take passwords with them, only 5% of IT security and cybersecurity leaders said they were extremely confident that wasn’t possible. (Bravura Security)

39. If they have to urgently terminate an employee, only 7% of IT security and cybersecurity leaders are extremely confident they can transfer passwords and credentials, terminate access, and maintain business continuity. (Bravura Security)

40. Individuals reuse passwords across an average of 16 workplace accounts. IT security respondents say they reuse passwords across an average of 12 workplace accounts. (Yubico and Ponemon Institute)

41. 39% of American employees didn't feel the need to change their online security habits when working remotely because they were already strong. (LastPass)

42. 66% of employees say that they’re more likely to write down work-related passwords when working from home than they’re while working in the office. (Keeper Security)

43. 44% of employees surveyed said they shared sensitive information and passwords for professional accounts while working remotely. (LastPass)

44. Only 35% of employers surveyed said they made employees update their passwords more regularly when working remotely. (LastPass)

45. 51% of individuals say they use their personal mobile device to access work-related items, and of those respondents, 56% do not use 2FA. (Yubico and Ponemon Institute)

Password security statistics

With two-factor authentication and password managers on the rise, more password security options are available. Discover how Americans are safeguarding their password management below. 

46. Two-factor authentication has become more popular over the past two years, with 79% of respondents saying they used it in 2021 compared to 53% in 2019. (Duo Labs)

47. Two-factor authentication adoption is more common among employed respondents (79%) compared to unemployed respondents (60%). (Duo Labs)

48. SMS text messaging (85%) is the most common second factor that users choose when logging into 2FA accounts. (Duo Labs)

49. 65% said they trust fingerprint or facial recognition more than traditional text passwords. (LastPass)

50. 27% of people used password generators in 2021, compared to 15% in 2020. (Security.org)

51. Americans are more likely (40%) to use a password manager than the rest of the globe (31%). (Bitwarden)

52. While the majority of Americans (66%) are not required to use a password manager at work, nearly 3 in 4 Americans (73%) think their workplace should provide one. (Bitwarden)

53. 67% of companies have a password policy for employees, but only 34% say they strictly enforce it. (Yubico and Ponemon Institute)

54. 93% of IT security and cybersecurity leaders say they require password management training, with 63% holding training more than once per year. (Bravura Security)

Password security statistics by industry

Despite the importance of password safety, many industries fall short of implementing proper password policies to keep their businesses safe. Find out where your industry stands below.  

55. “Password” is one of the most popular passwords across all industries. (NordPass)

56. “Vacation” is one of the most popular passwords in the health care industry. (NordPass)

57. Respondents were most likely to reset their password once a month (34%) or once a year (44%) on money transfer apps. (Beyond Identity)

58. 59% of financial services companies have more than 500 passwords that do not expire. (Varonis)

59. 68.6% of people believe their online banking account's password is safe. (Beyond Identity)

60. On average, people reported sharing three of their passwords with others, with video streaming (50.1%), music streaming (48.8%), and phone (34.2%) being the most common accounts. (Beyond Identity)

Password trends

If you’ve ever used “123456” or “password” as your password, you’re not alone. Find out what the most common passwords are below so you can avoid them yourself. 

61. The most common password of 2021 was "123456," which would take hackers less than one second to crack. (NordPass)

62. A 2021 study found that the average American was locked out of 10 online accounts in one month. (SWNS/OnePoll survey for LastPass)

63. After examining a subset of 4.6 million passwords being used to attack RDP ports in live attacks, the most common password length was 8 characters (24%). (Specops Software)

64. Nearly 500,000 of the 10 million passwords WPEngine examined ended with a number between 0 and 99. (WPEngine)

65. Batman and Superman were the most common superhero names to be used as passwords. (WPEngine)

66. The password "iloveyou" was used more often by women (222,287) compared to men (96,785). (NordPass)

67. 64% of people will avoid visiting certain websites or accounts if they know they’ve forgotten their password. (SWNS/OnePoll survey for LastPass)

68. In 2021, the password "dolphin" was the most popular animal-related password. (NordPass)

69. 21% of passwords include the user’s birth year. (Security.org)

70. 18% of passwords include the name of the user’s pet. (Security.org)

The future of password security

Whether you opt for biometrics or multi-factor authentication , there are many ways to increase the security of your passwords. 

71. In a 2021 survey, 32% of respondents reported using a password manager. (Duo Labs)

72. In the same survey, 42% of respondents reported using biometric authentication (such as a fingerprint) for at least some applications. (Duo Labs)

73. 65% of American respondents believe that the use of biometrics would increase the security of their organization’s authentication process, and 55% believe the same of passwordless authentication. (Yubico and Ponemon Institute) 

74. Among organizations worldwide that adopted or plan to use passwordless authentication, the top forms are biometrics (67%), PIN (48%), and physical security keys (38%). (Ping Identity)

75. 96% of IT leaders globally say passwordless authentication would create an easier user experience for employees. (Ping Identity)

76. The global passwordless authentication market was valued at $15.6 billion in 2022, and is projected to exceed $53 billion by 2030. (Statista)

77. Nearly 9 out of 10 500 IT security decision-makers in the financial sector (89%) said that they "believe that passwordless MFA offers the highest level of authentication security." (HYPR)

78. The global market for multi-factor authentication (MFA), estimated at $17.9 billion in 2022, is projected to reach $53 billion by 2030. (Research and Markets)

Password statistic FAQs

Wondering how to put some of the takeaways above into practice? We answer some of the frequently asked questions regarding passwords below. 

How many passwords does the average person have?

79. A 2019 study found that the average person juggles 70-80 passwords across multiple accounts.

What percentage of people have “password” as their password?

80. A study by NordPass found that “password” was the fifth most popular password in 2020, used by 20,958,297 people globally. 

81. The top four passwords of the year were: “123456,” “123456789,” “12345,” and “qwerty.”

What is the most common password?

82. A 2022 study that looked at passwords included in large-scale data breaches found that “123456” was the most commonly used password. 

83. When creating a password, users tend to use variations of “password,” “123456,” and “qwerty.” The same study found that users also include years within their passwords, whether it was the year the password was created, the user’s birth year, or a special year to them like when they graduated or got married.

5 tips for improving your password hygiene

Now you know how important it is to develop strong passwords for all accounts. We offer tips below on ways you can level up your password hygiene.

1. Calculate password entropy

Password entropy is a measure of password strength. This can help you determine whether a password is easily hackable. 

Individuals can test the safety of a potential password by plugging it into a password entropy calculator. Aim for a score of 60 or higher, but remember not to make the password so complex that you’ll have trouble remembering it. 

You can improve password entropy by:

• Creating longer passwords with 14 to 16 characters
• Adding more characters within your password such as uppercase and lowercase letters, special characters, and numbers 
• Assigning passwords to employees rather than letting them choose their own 
• Creating a master list of commonly used passwords that are insecure and unable to be used for workplace credentials

2. Use random passwords for every account

If you use the same password for all of your accounts, you’re giving hackers an easy avenue to hack into multiple accounts with minimal effort. 

The solution is this: use random passwords for every account. That also includes not using slight variations of a password. For example, steer clear of adding numbers to a root password like “password12” or “password123,” as these variations are also easily hackable.

3. Look into regulation and standard requirements

If your organization complies with security frameworks like SOC 2, there are specific password requirements that can help you improve overall password security. 
For example, SOC 2 requires businesses to demonstrate how they track and manage credentials. A password manager is one way to adhere to this requirement. They not only help employees keep track of their passwords but also allow administrators to add and remove access to certain logins. 

4. Opt for multi-factor or passwordless authentication

One way that you can keep your sensitive data more secure is by adding multi-factor or passwordless authentication to your password management. 

Multi-factor authentication (MFA) requires a user to provide two or more verification factors to log into an account. Passwordless authentication requires users to verify their identity using more secure alternatives to passwords, like possession factors (one-time passwords [OTP], registered smartphones), or biometrics (fingerprint, retina scans).

MFA and passwordless verification factors replace insecure factors ("something you know"). They may include:

• Something you are (ex: facial recognition or a fingerprint)
• Something you have (ex: code generated by a smartphone authenticator app)

5. Invest in a password manager

Memory or sticky notes aren’t enough to keep track of your passwords. A password manager is a way to safely and conveniently store all of your passwords for all of your accounts in one platform. 

You can also securely share credentials with other employees and monitor who has access to certain credentials. When you need to offboard an employee, you can easily retract their access within the password manager.  

Hackers will continue to find savvy ways to hack into our private data. Given the statistics above, password security is one area where individuals need to pay special attention. 

While password security is just one aspect of a company’s overall security posture, it’s an area that can help you save money and protect your reputation. 

Looking for a few more ways to level up your password hygiene? Our infographic below examines top password statistics and offers tips for creating more secure passwords.