How to improve your password hygiene

Establishing strong password security not only helps keep your data safe and reduce the risk of breaches — it also helps you stay compliant with frameworks like SOC 2 and PCI DSS. 

We’ve compiled a list of password statistics that underscore the importance of password security. Scroll to learn about password breaches, weak password behaviors including resuing across multiple accounts, password trends, and more.

Password breaches statistics

Compromised or weak passwords are a leading cause of data breaches. Find out how they contribute to data breaches below. 

1. Weak passwords are a primary factor in account hacks, with 35% of respondents identifying this as the cause of their security breaches. (Forbes Advisor and Talker Research)

2. When asked why they believe their password was stolen, 27% of surveyed respondents said company data breaches, indicating that external security failures play a substantial role in individual account vulnerability. (Forbes Advisor and Talker Research)

3. 80% of confirmed data breaches that Mastercard experiences with their customers can be linked to weak or stolen passwords. (Identity Week)

4. 30% of respondents (IT experts, employees, and heads of organizations) said they have experienced a security breach due to weak passwords. (GoodFirms)

5. "Password" is the most common term used by hackers to breach enterprise networks. (Specops Software)

6. The most common base terms in passwords used in successful attacks were: "password", "admin", "welcome", and "p@ssw0rd". (Specops Software)

7. 85% of data breaches involved a human element such as phishing, stolen credentials, and human error. (Verizon)

8. 35% of people believe their password was hacked because they had a weak password. (Forbes Advisor and Talker Research)

9. 30% believe it was due to repeatedly using the same password on multiple accounts. (Forbes Advisor and Talker Research)

10. Social media accounts, reported by 29% of participants, are the most frequent targets for password hacking. Email accounts are the second most frequent, reported by 15% of users. (Forbes Advisor and Talker Research)

11. Brute force, a basic type of credential attack that involves guessing all possible passwords, is most successful when individuals or applications use weak or, even worse, default credentials. While an effective tool in the attacker’s arsenal, it appeared in only 2% of breaches in 2024. (Verizon)

12. One in five individuals admitted to knowing they’ve had at least one password involved in a data breach or available on the dark web. (Keeper Security)

13. 39% of individuals are unaware of whether they've been breached and 32% do not know whether their passwords are available on the dark web. (Keeper Security)

14. Of those who did know they had a breached password or dark web exposure (20%), almost one in ten (9%) took no action whatsoever. (Keeper Security)

Weak password statistics and behaviors

Take a look at these weak password statistics to understand common mistakes and bad practices that put data at risk.

15. 3 in 4 (75%) people globally don't adhere to widely-accepted password best practices, according to a survey of over 8,000 individuals across the US, UK, France and Germany. (Keeper Security)

16. 30% of people still use simple passwords to protect their digital accounts. (Keeper Security)

17. 64% of individuals are not confident that they are managing their passwords well. (Keeper Security)

18. More than one in three people (35%) globally admit to feeling overwhelmed when it comes to taking action to improve their cybersecurity, and one in ten admit to neglecting password management altogether. (Keeper Security4

19. 46% of Americans say they generally create a password that they think is easier to remember, even if it may be less secure. (Pew Research Center)

20. Roughly seven-in-ten Americans (69%) say they feel overwhelmed by the amount of passwords they have to keep track of. (Pew Research Center)

21. At the same time, 45% of Americans say they feel anxious about whether their passwords are strong and secure. (Pew Research Center)

212 Most Americans still rely on risky password practices. Over half of adults use unsecured methods like memorization, browser storage, and written records to manage their passwords. (Security.org)

23. 15% of people use their own first name in their password. (Security.org)

24. 88% of passwords used in successful attacks consisted of 12 characters or less. (Specops Software)

25. 79% of respondents created their password by mixing and matching words and numbers. (Security.org)

26. 64% of respondents said they use at least eight characters when creating a password. (Security.org)

27. 18.82% of passwords used in attacks contained only lowercase letters. (Specops Software)

28. Non-dictionary passwords comprised 43% of the sample of 193 million passwords found freely accessible on various dark web sites. Some were weak, such as those consisting of same-case letters and digits (10%) or digits only (6%). (Kaspersky)

29. Just 25% of individuals globally say they use strong, unique passwords for all of their accounts. (Keeper Security)

Password reset statistics

Password management can not only lead to employee and admin frustration — it can also hurt your bottom line. Read the password reset statistics to learn how below.

50. When asked about different password management strategies, 21% of Americans say they always, almost always or often reset passwords. (Pew Research Center)

51. 68% of people had to change their password across multiple accounts after their password was compromised. (Forbes Advisor and Talker Research)

52. Of those who have experienced account hacking, 18% of survey respondents say they use variations of old passwords when resetting them. (Forbes Advisor and Talker Research)

53. Approximately 47% of Americans forget their passwords a few times a month at least. (Casino.org)

54. 15.3% of Americans admit to forgetting their passwords at least once or multiple times a week. (Casino.org)

55. 51% of users reset a password once a month or more frequently because they can't remember it. (Entrust)

56. 15% of users reset a password at least once a week because they can't remember it. (Entrust)

57. 43% of Americans have not updated a password in over 5 years. (Casino.org)

58. When asked what's the longest they've gone with the same password, 43% of Americans said over five years. 22% said 1-3 years and 16% said 3-5 years. Less than 9% said the recommended amount (less than 6 months or more frequently). (Casino.org)

59. 62.9% of online users change their passwords only when prompted. (GoodFirms)

60. Of those who did know they had a breached password or dark web exposure (20%), one in three (32%) changed the password for the affected website. (Keeper Security)

61. 31% changed the password for the breached site and all others in which they use the same password. (Keeper Security)

Password security statistics

With multi- and two-factor authentication and password managers on the rise, more password security options are available. Discover how individuals are safeguarding their password management below. 

67. When asked what was the best way to achieve personal cybersecurity, the number one answer was picking strong passwords (28%). The next top answer was enabling multi-factor or two-factor authentication (19%). (Keeper Security)

68. Aside from password managers, people use the following methods to secure their passwords:

• 31% use FaceID
• 29% use fingerprint scanning
• 18% use generated passwords. (Forbes Advisor and Talker Research)

69. Of those who did know they had a breached password or dark web exposure (20%), only one in four (24%) changed the password for all affected sites and added additional important security measures such as multi-factor authentication. (Keeper Security)

70. When asked about different password management strategies, 41% of Americans say they always, almost always or often write their passwords down and 34% save them in their browser. (Pew Research Center)

71. When asked about their password management habits:

• 38% said they write passwords down
• 35% rely on memory to remember passwords
• 32% use same password across multiple accounts
• 24% store passwords on their computer. (Forbes Advisor and Talker Research)

72. 22% of individuals do nothing to keep their passwords safe. (Forbes Advisor and Talker Research)

73. In a 2023 survey, 41% of developers worldwide stated that increasing two-factor authentication adoption was their top authentication priority. (Statista)

74. One-third of developers highlighted increased password security as their main priority. (Statista)

Business password statistics

The increase of remote work has brought its own set of password security challenges. Read on to find out the challenges your organization may face when trying to keep sensitive data safe in today’s shifting business environment. 

75. The average number of passwords per person in the workplace is 87. (NordPass)

76. In 2023, nearly 56% of respondents among IT professionals worldwide said their company supported SMS time-based one-time passwords (TOTPs) to enable their staff to access business IT resources. (Statista)

77. 23% view their workplace security habits as risky, with notable percentages storing passwords insecurely (45%) or using weak credentials (44%). (Bitwarden)

78. A majority of Americans continue to use outdated and potentially insecure practices for password management at work, including memory (58%) and pen and paper (34%). (Bitwarden)

79. More than half of US respondents (52%) say that they somewhat frequently or very frequently reuse passwords across workplace platforms or accounts. (Bitwarden)

80. 61% of US respondents say they receive regular security training focused on safeguarding login credentials against common threats, with 97% citing that they are confident or somewhat confident in counteracting those threats. (Bitwarden)

81. When asked about workplace security habits, 44% of US users admitted to using weak or personal-info based passwords. (Bitwarden)

82. 23% of US users said they do not use 2FA in the workplace. (Bitwarden)

83. 77% of US users admitted to storing or sharing work passwords insecurely. (Bitwarden)

84. Adoption of two-factor authentication (2FA) is on the rise, with 74% of US respondents using it for most workplace accounts or only for important accounts. (Bitwarden)

85. If organizations adopted passkeys, 65% of respondents feel their trust in their company’s security resilience would increase, and 68% would be more inclined to use passkeys personally if their workplace implemented them. (Bitwarden)

86. In a 2024 survey, 36% of respondents in selected countries had used a password in the past two months to access a work account. This represents a decrease from 2022, when over 50 percent of respondents declared having used a password to access a work account in the last two months. (Statista)

87. In 2023, 60% of IT and cybersecurity leaders in the US reported using a Privileged Access Management (PAM) solution to manage their workplace passwords. In addition, over half of respondents stated that their company used an enterprise password management solution to create, store, and change passwords. (Statista)

88. In 2023, 43% of IT and cybersecurity leaders in the US had already replaced traditional passwords with biometrics or passkeys at their workplace. (Statista)

Password security statistics by industry

Despite the importance of password safety, many industries fall short of implementing proper password policies to keep their businesses safe. Find out where your industry stands below.  

89. In a study of data from public third-party breaches that affected Fortune 500 companies across 17 industries, 20% of passwords were the exact name of the company or its variation. (NordPass)

90. The hospitality industry had the most passwords that were the company’s name or its variation. (NordPass)

91. “Password” is one of the most popular passwords across all industries. (NordPass)

92. “Vacation” is one of the most popular passwords in the health care industry. (NordPass)

93. The industry of human resources had the highest unique password percentile at 31%. (NordPass)

94. The telecommunications industry had the lowest unique password percentile at 20%. (NordPass)

95. 59% of financial services companies have more than 500 passwords that do not expire. (Varonis)

96. According to Dashlane's research, the top 5 industries with the highest security scores in 2024 are:

1. Software & Tech
2. Information, Media & Telecommunication
3. Education
4. Transportation & Storage
5. Accommodation & Food Services. (Dashlane)

97. Industries with the lowest security scores in 2024 are:

1. Legal
2. Manufacturing
3. Construction
4. Healthcare
5. Energy & Utilities (Dashlane)

98. Nearly three-quarters (72.2%) of the 5,140 law firms audited had employee username and password combinations that appeared in lists circulating on the dark web. A total of 1,001,313 passwords were discovered, averaging 195 password combinations per firm or 1.27 per individual staff member. (Atlas Cloud)

Password trends

If you’ve ever used “123456” or “password” as your password, you’re not alone. Find out what the most common passwords are below so you can avoid them yourself. 

99. The most popular type of passwords (28%) includes lowercase and uppercase letters, special characters and digits. Most of these passwords in the sample under review are difficult to brute-force. (Kaspersky)

100. After examining a subset of 4.6 million passwords being used to attack RDP ports in live attacks, the most common password length was 8 characters (24%). (Specops Software)

101. Nearly 500,000 of the 10 million passwords WPEngine examined ended with a number between 0 and 99. (WPEngine)

102. Nearly half a million (420,000) of the 10 million passwords ended with a number between 0 and 99 and more than one in five people who added those numbers chose 1. (WPEngine)

103. Batman and Superman were the most common superhero names to be used as passwords. (WPEngine)

104. Research from Mailsuite reveals the most hacked pop culture passwords in 2024. In an analysis of more than 300 million exposed passwords from the Pwned database, Mailsuite determined that Superman is the most hacked word from pop culture to use as a password, having appeared in 584,697 data breaches. (Mailsuite)

105. The next most hacked password is Blink-182, which appeared 482,244 times in data breaches. (Mailsuite)

106. The most hacked word in music to use as a password is Eminem, having appeared in nearly 300,000 data breaches. (Mailsuite)

107. The most hacked password to use based on video games is Minecraft, having appeared in more than 200,000 data breaches. (Mailsuite)

108. The password "iloveyou" was used more often by women (222,287) compared to men (96,785). (NordPass)

109. 21% of passwords include the user’s birth year. (Security.org)

110. 18% of passwords include the name of the user’s pet. (Security.org)

The future of password security

Whether you opt for biometrics or multi-factor authentication, there are many ways to increase the security of your passwords. 

111. Password health improved globally in 2024, according to a report by Dashlane. Looking across regions, the average Password Health Score in 2024 was between 72.6 and 79.8. While each region fell within the “Needs Improvement” range, all regions improved their scores between 2-4% in the past year. (Dashlane)

112. 45% of US respondents foresee passkeys and passwords coexisting and 22% anticipate passkeys will make passwords obsolete. (Bitwarden)

113. Over half (52 percent) of UK consumers agree that biometric authentication is more secure than passwords, and 42 percent feel it provides better protection for their personal data. (Visa)

114. The passwordless authentication solutions market was valued at USD 16.2 billion in 2023 and is anticipated to grow at a CAGR of over 10% between 2024 and 2032. (Global Market Insights)

115. During a 2023 survey, only 2% of developers said they did not considered authentication a priority. (Statista)

116. In 2023, more than 40% of respondents among IT and cybersecurity leaders in the United States mentioned legacy platforms and applications that require passwords and password-based MFA as one of the main obstacles faced by their workplace when planning to go passwordless. (Statista)

117. Skills and budget constraints constituted two other important obstacles to going passwordless, highlighted by 23 and 20% of IT and cybersecurity leaders in the US, respectively. (Statista)

118. The global market for multi-factor authentication (MFA), estimated at $17.9 billion in 2022, is projected to reach $53 billion by 2030. (Research and Markets)

Password statistic FAQs

Wondering how to put some of the takeaways above into practice? We answer some of the frequently asked questions regarding passwords below. 

How many passwords does the average person have?

119. A 2024 study found that the average person juggles about 255 passwords.

120. On average, a person has 168 passwords across personal accounts and 97 across work accounts.

121. This is a rapid growth in password usage for personal purposes, with an increase of nearly 70% since 2020.

What percentage of people have “password” as their password?

122. A study by NordPass found that “password” was the fourth most popular password in 2024, used by nearly 700,000 people globally. 

123. The top three passwords of the year were: “123456,” “123456789,” and “12345678."

What is the most common password?

124. An analysis of a 2.5TB database extracted from various publicly available sources, including those on the dark web, found that “123456” was the most commonly used password. 

125. When creating a password, users tend to use variations of “123456,” “qwerty,” and “password.”

126. Other commonly used passwords are simple words like "secret," "dragon," and "monkey" with no uppercase letters, numbers, or symbols.

5 tips for improving your password hygiene

Now you know how important it is to develop strong passwords for all accounts. We offer tips below on ways you can level up your password hygiene.

1. Calculate password entropy

Password entropy is a measure of password strength. This can help you determine whether a password is easily hackable. 

Individuals can test the safety of a potential password by plugging it into a password entropy calculator. Aim for a score of 60 or higher, but remember not to make the password so complex that you’ll have trouble remembering it. 

You can improve password entropy by:

• Creating longer passwords with 14 to 16 characters
• Adding more characters within your password such as uppercase and lowercase letters, special characters, and numbers 
• Assigning passwords to employees rather than letting them choose their own 
• Creating a master list of commonly used passwords that are insecure and unable to be used for workplace credentials

2. Use random passwords for every account

If you use the same password for all of your accounts, you’re giving hackers an easy avenue to hack into multiple accounts with minimal effort. 

The solution is this: use random passwords for every account. That also includes not using slight variations of a password. For example, steer clear of adding numbers to a root password like “password12” or “password123,” as these variations are also easily hackable.

3. Look into regulation and standard requirements

If your organization complies with security frameworks like SOC 2, there are specific password requirements that can help you improve overall password security. 

For example, SOC 2 requires businesses to demonstrate how they track and manage credentials. A password manager is one way to adhere to this requirement. They not only help employees keep track of their passwords but also allow administrators to add and remove access to certain logins. 

4. Opt for multi-factor or passwordless authentication

One way that you can keep your sensitive data more secure is by adding multi-factor or passwordless authentication to your password management. 

Multi-factor authentication (MFA) requires a user to provide two or more verification factors to log into an account. Passwordless authentication requires users to verify their identity using more secure alternatives to passwords, like possession factors (one-time passwords [OTP], registered smartphones), or biometrics (fingerprint, retina scans).

MFA and passwordless verification factors replace insecure factors ("something you know"). They may include:

• Something you are (ex: facial recognition or a fingerprint)
• Something you have (ex: code generated by a smartphone authenticator app)

5. Invest in a password manager

Memory or sticky notes aren’t enough to keep track of your passwords. A password manager is a way to safely and conveniently store all of your passwords for all of your accounts in one platform. 

You can also securely share credentials with other employees and monitor who has access to certain credentials. When you need to offboard an employee, you can easily retract their access within the password manager.  

Hackers will continue to find savvy ways to hack into our private data. Given the statistics above, password security is one area where individuals need to pay special attention. 

While password security is just one aspect of a company’s overall security posture, it’s an area that can help you save money and protect your reputation. 

Looking for a few more ways to level up your password hygiene? Our infographic below examines top password statistics and offers tips for creating more secure passwords.