Do you still store all your passwords in a file on your computer called “Passwords”? You may cringe, but you’re not alone: Although passwords help secure our online lives, few of us make the effort to create strong passwords and store them securely.
Let’s look at some surprising password-related statistics and explore how we can improve our password hygiene:
- An automated password-guessing attack occurs somewhere in the world about every 39 seconds.
- The average number of passwords each individual has to manage has risen from about 100 in 2020 to more than 250.
- Global revenue for password managers is forecast to rise from under $2 billion in the early 2020s to more than $7 billion by 2030.
- Just 27% of U.S. adults use random password generators to create new passwords.
- 79% of people in the United States simply mix words with numbers to make passwords.
- 57% admit to recycling variations of old passwords.
- Website password policy can constrain robust password management: 30% of websites don’t permit special characters in passwords, and 17% have no minimum length requirement.
- Almost 24 billion usernames and passwords were reported compromised in 2022 alone.
- 90% of dark web “access for sale” listings feature stolen logins (username & password combinations, frequently with an IP address).
- In about 36% of cloud data breaches, attackers used valid credentials.
- There are more than 300 billion passwords in use worldwide (by humans and machines).
One of the riskiest practices in password management is using the same one for multiple applications, yet it’s remarkably common:
- A whopping 60% of Americans reuse passwords.
- 13% use the same password for everything.
- Globally, 78% of people admit to reusing passwords.
- 52% of people worldwide use the same one on at least three accounts.
- 59% of U.S. adults use personal names or birthdays in their passwords, making them exceptionally easy to guess.
- 44% of internet users rarely or never change their passwords.
- 34% of people use slight variations of the same password repeatedly (e.g. adding numbers or symbols to an old password).
- 10% have used the same password since their teenage years.
- More than 36% of internet users write passwords on paper.
- Only 15% use a password manager.
- 53% of IT professionals have shared passwords via email in plaintext.
One of the key principles of robust password creation is to make them hard to guess. Using common or predictable combinations of letters, words and numbers does not support this principle, but it is a surprisingly widespread practice:
- In 2023, the most common password was “123456”.
- More than 4 million people use 123456 as a password. It can be cracked in under a second.
- Other passwords in the top ten for 2023 included:
  - 123456789
  - qwerty
  - password
- Other common passwords include:
  - secret
  - dragon
  - monkey
  - Amazon
  - Netflix
One of the top causes of data breaches is — wait for it! — weak or stolen passwords:
- Approximately 49% of all data breaches involve compromised passwords.
- In corporate settings, 81% of hacking-related breaches stem from weak or reused passwords or other credential issues.
- 88% of passwords used in successful attacks were 12 characters or fewer.
- 54.8% of Google Cloud platform breaches resulted from accounts or VMs having no passwords or weak ones.
- In 2022 alone, roughly 24 billion passwords were exposed in data breaches – a 65% increase in compromised passwords compared to 2020.
- Stolen passwords are also a favorite tool for social engineering attacks, with 63% of such attacks involving compromised login credentials. Attackers use the valid passwords they obtain to quietly impersonate users.
Awareness of the risks that poor password practices create is not enough to deter people from careless password use:
- 75% of people globally do NOT follow accepted password best practices.
- 89% know that reusing passwords is a security risk, but only 12% actually use unique passwords for each account.
- 64% of individuals aren’t confident in their password management.
- Many struggle with managing multiple passwords, with about 69% of Americans feeling overwhelmed by the number of passwords they must remember.
- 45% of Americans feel anxious about whether their passwords are strong enough.
- 68% of global respondents agree that a password’s security is more important than ease of memorization, yet over half still rely on memory (often reusing passwords) instead of using managers or other tools.
- 46% of people surveyed in the United States create passwords that are easy to remember, even if that means they’re less secure.
- About 28% do “nothing special” to manage or secure their passwords (no password manager, no routine changes, etc.).
- Even when they knew a password was breached, 9% still took no action to improve it.
- About 47% of Americans say they forget a password a few times per month (leading to reset requests), and 15% forget passwords at least once a week.
- One study found 76% of users have been locked out of an account for forgetting a password. 44% of people started using password managers primarily because they kept forgetting
- 13% of people admit they put the same level of effort into every password, whether it’s for a trivial site or online banking.
- Over 33% of people surveyed would feel embarrassed if they had to say their password aloud.
- Encouragingly, 35% of people say they are more worried about cyberattacks this year than last year.
- 35% of victims of an account takeover enabled two-factor authentication afterward.
Not every sector is the same when it comes to password practices. Some are more vigilant about password security than others, but there is a general laxness across the board:
- Analysis of Fortune 500 companies’ breach data revealed that an astonishing 20% of passwords were simply the company’s name or a slight variation. This practice is most widespread in the hospitality industry.
- All industries use weak passwords. NordPass analysis found the word “password” itself among the top passwords in every industry studied. Even in healthcare, “vacation” was one of the most popular choices.
- The human resources sector performs best when it comes to unique passwords, with the highest percentage of unique passwords (31%) in a breach analysis.
- The telecommunications industry had the lowest uniqueness rate (only ~20% unique passwords).
- 59% of financial services companies operate with more than 500 employee passwords that never expire (no forced changes).
- A 2024 Dashlane report that scored industries on password security rated the top five industries as:
  - Software/technology
  - Media/telecom
  - Education
  - Transportation & storage
  - Accommodation/food services
- The industries with the weakest password security were:
  - Legal
  - Manufacturing
  - Construction
  - Healthcare
  - Energy/utilities
- More than 37% of employees have used their employer’s name in a work-related password.
- 44% of employees reuse the same passwords across work and personal accounts.
It’s becoming increasingly clear that passwords alone are not the most reliable way to keep accounts secure. That’s why most online services now use two-step verification (2FA) or multi-factor authentication, which requires an additional verification method to sign into an account for the first time on a new device or app.
- In 2019 only 37% of U.S. users had 2FA enabled, whereas a 2024 Bitwarden survey found that 2FA adoption worldwide had grown to 78% for personal accounts and 73% for work accounts.
- However, 23% of U.S. employees do not use any form of 2FA at work.
- MFA usage varies from workplace to workplace, but around 46% of IT professionals say they use 2FA to log into work systems.
- Almost 56% of IT professionals worldwide report that their company uses SMS-based one-time passcodes for logins (a very common 2FA method).
- Microsoft estimates that enabling MFA can deter 96% of bulk phishing attempts and 76% of targeted attacks aimed at compromising accounts.
- 19% of people surveyed said enabling 2FA/MFA was second only to choosing strong passwords as the best way to protect themselves online. However, more than 50% of IT professionals in one study felt that SMS-based 2FA disrupted workflow or was annoying.
- Passwordless authentication (using methods like biometrics or hardware keys instead of traditional passwords) is growing in popularity. 87% of IT professionals believe shifting to passwordless login is very important for increasing security.
- 60% of organizations have begun to implement some form of passwordless access for their IT infrastructure — for example, 60% use hardware security tokens, 48% use one-time email links, and 42% use public/private key pairs for certain systems.
Despite the emergence of new technologies to secure applications, most organizations still depend on passwords. And not all of them are very stringent about password management.
- About 76% of companies continue to use traditional password authentication for most systems. Fewer than half have widely adopted alternatives such as MFA, single sign-on, or passwordless methods for their employees.
- Many organizations don’t insist on modern password management. Only 25% of survey respondents said their employer mandates password managers at work. Employees now manage an average of 87 passwords for their jobs, yet many companies still make individuals responsible for handling them securely.
- Only about 20% of employees have their manager assign their passwords. Most staff create their own (often weak) passwords for company accounts, and many never change them unless compelled to.
- Roughly one-third of IT help desk tickets are password-related (resets, lockouts, forgotten passwords).
- In an effort to improve password security, 60% of IT and cybersecurity leaders in the United States use a Privileged Access Management (PAM) solution to centrally control admin passwords and high-level accounts.
- With only about one-quarter of businesses highly confident that former employees cannot access company accounts, 32.4% of workers admit they have accessed a former employer’s account.
These figures may be alarming, but you can take some simple measures to bolster password security. Here are the most important ones:
- Use strong, unique passwords: Avoid common words, personal information, and simple sequences. Mix uppercase and lowercase letters, numbers, and symbols.
- Use a password manager: Because these tools generate and store your passwords securely, you only have to remember one master password.
- Enable MFA: Reinforce security by demanding a second form of verification, such as a code sent to your phone.
- Update passwords regularly: Change your passwords periodically, especially for important accounts.
- Keep up-to-date: Stay informed about password security best practices and share your learnings with friends, family, and colleagues.
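As an added example that is not part of the original article, the check below turns the first two recommendations, together with the weak patterns the statistics above describe (the common passwords listed, 12 characters or fewer, employer names, personal names and birthdays, keyboard sequences), into a small policy validator plus a generator that draws from the OS CSPRNG the way a password manager does. The blocklist, the leetspeak normalisation rules and the function names are assumptions made for this example.

```python
import re
import secrets
import string

# Constructed blocklist: the common passwords quoted in this article (lower-cased).
COMMON_PASSWORDS = {"123456", "123456789", "qwerty", "password", "secret",
                    "dragon", "monkey", "amazon", "netflix"}

# Undo the usual substitutions so "P@ssw0rd1" is still recognised as "password".
_LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e",
                       "4": "a", "5": "s", "$": "s", "7": "t"})


def normalize(pw: str) -> str:
    """Lower-case, drop leading/trailing digits and symbols, then undo leetspeak."""
    core = pw.lower()
    core = re.sub(r"[^a-z]+$", "", core)   # "acme2024!" -> "acme"
    core = re.sub(r"^[^a-z]+", "", core)
    return core.translate(_LEET)


def weaknesses(pw: str, org_name: str = "", personal=()) -> list:
    """Return the reasons a password fails these checks; an empty list means it passes."""
    problems = []
    core = normalize(pw)
    if len(pw) <= 12:                                   # 88% of cracked passwords were this short
        problems.append("12 characters or fewer")
    if core in COMMON_PASSWORDS or pw.lower() in COMMON_PASSWORDS:
        problems.append("in common-password list")
    if org_name and normalize(org_name) in core:        # employer name or a variation of it
        problems.append("contains employer name")
    for item in personal:                               # names, birthdays, etc.
        if item and item.lower() in pw.lower():
            problems.append(f"contains personal info '{item}'")
    if re.search(r"(0123|1234|2345|3456|4567|5678|6789|abcd|qwer)", pw.lower()):
        problems.append("contains keyboard/numeric sequence")
    return problems


def generate_password(length: int = 20) -> str:
    """Random password from the OS CSPRNG, regenerated until it passes the checks above."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not weaknesses(pw):
            return pw


if __name__ == "__main__":
    for candidate in ("123456", "P@ssw0rd1", "Acme2024!", generate_password()):
        print(candidate, "->", weaknesses(candidate, org_name="Acme") or "ok")
```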
The trajectory of authentication suggests passwords may not have a future. Methods such as biometrics and hardware keys are gaining popularity, and the momentum is clearly toward less reliance on passwords. However, until MFA and passwordless methods become the dominant methods of authentication, strong passwords and MFA are essential.
It is vital to understand the risks of sloppy password practices and adopt better habits to protect your online presence and information.