70 Password Statistics to Inspire Better Security Practices [2022]


  • March 29, 2022

If you’ve ever reused a password, you’re not alone. 

Even though 65% of people know that reusing passwords or a variation of a password is a bad practice, they continue to do so. 

While it may seem innocent enough to tack on a few extra numbers or characters at the end of a password, this helps hackers crack into multiple accounts. 

Understanding what makes a password insecure is the first step toward creating better password hygiene. Establishing strong password security not only keeps your data safe but also helps you stay compliant with frameworks like SOC 2 and PCI DSS.

We’ve compiled a list of 70 password statistics that underscore the importance of password security.  Scroll to learn about password trends, weak password behaviors, and password practices by industry.

Weak password statistics and behaviors

While most people know that password reuse is a bad security practice, many do it anyway. Take a look at these weak password statistics and password reuse statistics to find out how poor password behaviors could put your data at risk. 

1. 36% of people engage in bad password habits because they believe their accounts are not valuable enough for hackers. (LastPass)

2. 80% of data breaches are linked to passwords. (Verizon)

3. 62.9% of online users change their passwords only when prompted. (GoodFirms)

4. Even though 92% of people know that using a variation of the same password is a risk, 65% always or mostly use the same password or a variation. (LastPass)

5. 62% of employees say they store login credentials in a notebook or journal, leaving them accessible to prying eyes. (Keeper Security)

6. 64% of respondents said they use at least eight characters when creating a password. (Security.org)

7. 37% of respondents have used their employer’s name in a work-related password. (Keeper Security)

8. 79% of respondents created their password by mixing and matching words and numbers. (Security.org)

9. 30% of respondents (IT experts, employees, and heads of organizations) said they have experienced a security breach due to weak passwords. (GoodFirms)

10. 15% of people use their own first name in their password. (Security.org)

11. 18% of respondents said they had to reset their work passwords an average of five or more times in 2020. (Dashlane)

12. Employees reuse a password an average of 13 times. (LastPass)

13. Forgetting a password caused 78% of respondents to reset a password within the last 90 days when surveyed in 2019. (HYPR)

Business password statistics

The increase of remote work has brought its own set of password security challenges. Read on to find out how to keep your organization’s sensitive data safe in today’s shifting business environment. 

14. Two-factor authentication (2FA) adoption is more common among employed respondents (79%) compared to unemployed respondents (60%). (Duo Labs)

15. 49% of IT security professionals and 51% of individuals share passwords with colleagues to access business accounts. (Yubico and Ponemon Institute)

16. 57% of respondents admit to writing down work-related online passwords on sticky notes, with 67% of those admitting to having lost these notes. (Keeper Security)

17. 59% of IT security professionals report that their company relies on human memory to manage passwords. (Yubico and Ponemon Institute)

18. 51% of individuals say they use their personal mobile device to access work-related items, and of those respondents, 56% do not use 2FA. (Yubico and Ponemon Institute)

19. Individuals reuse passwords across an average of 16 workplace accounts. IT security respondents say they reuse passwords across an average of 12 workplace accounts. (Yubico and Ponemon Institute)

20. 39% of American employees didn't feel the need to change their online security habits when working remotely because they were already strong. (LastPass)

21. 66% of employees say that they’re more likely to write down work-related passwords when working from home than they are while working in the office. (Keeper Security)

22. 44% of employees surveyed said they shared sensitive information and passwords for professional accounts while working remotely. (LastPass)

23. In 2020, 14% of respondents said they shared their work-related passwords with their significant other or spouse. (Keeper Security)

24. Only 35% of employers surveyed said they made employees update their passwords more regularly when working remotely. (LastPass)

Password security statistics

With two-factor authentication and password managers on the rise, more password security options are available. Discover how Americans are safeguarding their password management below. 

25. Using multi-factor authentication makes your account 99.9% less likely to be compromised. (Microsoft)

26. Two-factor authentication has become more popular over the past two years, with 79% of respondents saying they used it in 2021 compared to 53% in 2019. (Duo Labs)

27. SMS text messaging (85%) is the most common second factor that users choose when logging into 2FA accounts. (Duo Labs)

28. In 2021, 93% of respondents said that banking and financial information was the most important to secure. (Duo Labs)

29. 65% said they trust fingerprint or facial recognition more than traditional text passwords. (LastPass)

30. 27% of people used password generators in 2021, compared to 15% in 2020. (Security.org)

31. 67% of companies have a password policy for employees, but only 34% say they strictly enforce it. (Yubico and Ponemon Institute)

32. A 12-character password takes 62 trillion times longer to crack than a six-character password. (Scientific American)

33. Bad bots, performing credential scraping and other malicious actions, account for 24% of all internet traffic. (Dark Reading)

Data breach statistics

Find out how weak passwords are contributing to data breaches below. 

34. Even after experiencing a data breach such as a man-in-the-middle attack or phishing attack, only 53% of IT security professionals say their organizations changed how passwords or protected corporate accounts were managed. (Yubico and Ponemon Institute)

35. In 2021, 90% of respondents indicated that they had up to 50 online/app accounts. (LastPass)

36. 83% of survey respondents said they would have no way of knowing if their information was on the dark web. (LastPass)

37. 45% of survey respondents did not change their passwords in the past year even after a breach had occurred. (LastPass)

38. 85% of data breaches involved a human element such as phishing, stolen credentials, and human error. (Verizon)

39. 36% of breaches in 2020 involved phishing. (Verizon)

40. As of 2020, it’s estimated that there are more than 15 billion stolen credentials available to cybercrime actors on the dark web. (Forbes)

41. Of passwords recovered from breaches in 2020, 60% of victims had reused at least one password across multiple platforms. (InfoSecurity)  

Password security statistics by industry

Despite the importance of password safety, many industries fall short of implementing proper password policies to keep their businesses safe. Find out where your industry stands below.  

42. “Password” is one of the most popular passwords across all industries. (NordPass)

43. “Vacation” is one of the most popular passwords in the health care industry. (NordPass)

44. Technology and software industries (37%) are more likely to adopt multi-factor authentication compared to the legal and insurance industries (20%). (LastPass)

45. 59% of financial services companies have more than 500 passwords that do not expire. (Varonis)

46. Small businesses (fewer than 25 employees) had an average of 85 passwords per employee. (LastPass)

47. Nearly a third (29%) of hospitals and health systems are planning to implement biometrics by 2023. (HIMSS)

48. Across all industries, it took 280 days on average to identify and contain a data breach. (IBM)

49. Employees in the media/advertising industry had the highest average number of passwords per employee, at 97. (LastPass)

50. Employees working in the media/advertising industries tend to reuse passwords at almost twice the rate of other industries. (LastPass)

51. Employees in the government industry had the lowest average number of passwords per employee, at 54. (LastPass)

The future of password security

Whether you opt for biometrics or multi-factor authentication, there are many ways to increase the security of your passwords. 

63. In a 2021 survey, 32% of respondents reported using a password manager. (Duo Labs)

64. In the same survey, 42% of respondents reported using biometric authentication (such as a fingerprint) for at least some applications. (Duo Labs)

65. 65% of American respondents believe that the use of biometrics would increase the security of their organization’s authentication process, and 55% believe the same of passwordless authentication. (Yubico and Ponemon Institute)

Password statistic FAQs

Wondering how to put some of the takeaways above into practice? We answer some of the frequently asked questions regarding passwords below. 

How many passwords does the average person have?

66. A 2019 study found that the average person juggles 70-80 passwords across multiple accounts.

What percentage of people have “password” as their password?

67. A study by NordPass found that “password” was the fifth most popular password in 2020, used by 20,958,297 people globally. 

68. The top four passwords of the year were: “123456,” “123456789,” “12345,” and “qwerty.”

What is the most common password?

69. A 2022 study that looked at passwords included in large-scale data breaches found that “123456” was the most commonly used password. 

70. When creating a password, users tend to use variations of “password,” “123456,” and “qwerty.” The same study found that users also include years within their passwords, whether it was the year the password was created, the user’s birth year, or a special year to them like when they graduated or got married.

5 tips for improving your password hygiene

Now you know how important it is to develop strong passwords for all accounts. We offer tips below on ways you can level up your password hygiene.

1. Calculate password entropy

Password entropy is a measure of password strength. This can help you determine whether a password is easily hackable. 

Individuals can test the safety of a potential password by plugging it into a password entropy calculator. Aim for a score of 60 or higher, but remember not to make the password so complex that you’ll have trouble remembering it. 

You can improve password entropy by:

  • Creating longer passwords with at least eight characters
  • Adding more characters within your password such as uppercase and lowercase letters, special characters, and numbers 
  • Assigning passwords to employees rather than letting them choose their own 
  • Creating a master list of commonly used passwords that are insecure and unable to be used for workplace credentials

2. Use random passwords for every account

If you use the same password for all of your accounts, you’re giving hackers an easy avenue to hack into multiple accounts with minimal effort. 

The solution is this: use random passwords for every account. That also includes not using slight variations of a password. For example, steer clear of adding numbers to a root password like “password12” or “password123,” as these variations are also easily hackable.
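
The checks from tips 1 and 2, as an added example that is not part of the original article: it estimates entropy, rejects common passwords and their "tacked-on" variations even when the raw score looks fine, and generates a random password per account. The length × log2(pool) estimate, the blocklist contents, and all function names are assumptions of this sketch; the 60-bit target is the article's.

```python
import math
import re
import secrets
import string

# Constructed blocklist: the common passwords this article names.
COMMON_ROOTS = {"password", "123456", "123456789", "12345", "qwerty", "vacation"}
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

def pool_size(pw):
    """Character pool implied by the classes that appear in pw."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(len(cls) for cls in classes if any(c in cls for c in pw))

def entropy_bits(pw):
    """length * log2(pool): an upper bound that only holds for random choices."""
    pool = pool_size(pw)
    return len(pw) * math.log2(pool) if pool else 0.0

def is_common_variation(pw):
    """True for a blocklisted password, or one with digits/symbols tacked on."""
    lowered = pw.lower()
    core = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", lowered)
    return lowered in COMMON_ROOTS or core in COMMON_ROOTS

def assess(pw, min_bits=60):
    """Return (accepted, estimated_bits, reason); min_bits is the article's target."""
    bits = round(entropy_bits(pw), 1)
    if is_common_variation(pw):
        return (False, bits, "common password or variation")
    if bits < min_bits:
        return (False, bits, "below entropy target")
    return (True, bits, "ok")

def generate(length=16):
    """Random password from a CSPRNG; each symbol adds log2(94) ~ 6.55 bits."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

if __name__ == "__main__":
    for candidate in ("password123", "Password123!", "abcdefgh", generate()):
        print(candidate, assess(candidate))
```

"Password123!" scores above 60 on the naive formula yet is rejected, which is why the blocklist check runs before the entropy score is trusted.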

3. Look into regulation and standard requirements

If your organization complies with security frameworks like SOC 2, there are specific password requirements that can help you improve overall password security. 

For example, SOC 2 requires businesses to demonstrate how they track and manage credentials. A password manager is one way to adhere to this requirement. Password managers not only help employees keep track of their passwords but also allow administrators to add and remove access to certain logins. 

4. Opt for two- or multi-factor authentication

One way that you can keep your sensitive data more secure is by adding two- or multi-factor authentication to your password management. 

2FA is a password feature that adds an additional layer to your login procedure by asking you to verify your identity in a second manner. Multi-factor authentication (MFA) requires a user to provide two or more verification factors to log into an account. 

2FA and MFA factors include:

  • Something you know (ex: password or PIN number) 
  • Something you are (ex: facial recognition or a fingerprint)
  • Something you have (ex: smartphone or badge)

5. Invest in a password manager

Memory or sticky notes aren’t enough to keep track of your passwords. A password manager is a way to safely and conveniently store all of your passwords for all of your accounts in one platform. 

You can also securely share credentials with other employees and monitor who has access to certain credentials. When you need to offboard an employee, you can easily retract their access within the password manager.  

Hackers will continue to find savvy ways to hack into our private data. Given the statistics above, password security is one area where individuals need to pay special attention. 

While password security is just one aspect of a company’s overall security posture, it’s an area that can help you save money and protect your reputation. 

Looking for a few more ways to level up your password hygiene? Our infographic below examines top password statistics and offers tips for creating more secure passwords.