A password is a standard way of authenticating access to digital services and systems. It is supposed to be secret to ensure that only the account owner or those granted rights can view or modify important data. Unfortunately, there are individuals who can be lazy in safekeeping passwords, making their accounts vulnerable to hacking and other attacks.
With the following password statistics, we can see how crucial it is to elect a strong password. Furthermore, there are figures that show how important it is to have proper IT security software for organizational and personal uses.
General Cybersecurity Statistics
Internet users trust enterprises to protect their accounts. Unfortunately, there remain security holes that can lead to breaches. For example, in May 2018, a bug on Twitter stored passwords in plain text.
- People can have as many as 85 passwords for all their accounts. (Cnet, 2020)
- 336 million users were affected by a Twitter bug that saved passwords in plain text. (SecureLink, 2021)
- 70% of consumers are concerned about being a target of a cyberattack. (SecureLink, 2021)
- Having eight characters in a string makes for a strong password though longer logins are much better. (Cnet, 2020)
- A 12-character password is 62 trillion times more difficult to crack compared to a 6-character password. (Scientific American, 2019)
- But a truly strong password would be a 16-character password derived from a set of 200 characters. (Scientific American, 2019)
- 62% of organizations do not believe they have taken the necessary steps to secure information on mobile devices. (Ponemon Institute, 2020)
- One-third of malware breaches are caused by password dumper malware. (Verizon, 2020)
- Multi-factor authentication blocks 99.9% of all attacks. (Microsoft, 2020)
Password Breach Statistics
The latest cybercrime statistics show that 1.67% of Android malware are password Trojans. The following password breach statistics also demonstrate that there are a variety of ways that cyberattackers can access accounts or obtain passwords.
- Hackers have published as many as 555 million stolen passwords on the dark web since 2017. (Cnet, 2020)
- 27% have tried to guess other people’s passwords. (Google, 2019)
- 17% have managed correct guesses. (Google, 2019)
- 80% of hacking incidents are caused by stolen and reused login information. (Verizon, 2020)
- 81% of company data breaches are caused by poor passwords. (TraceSecurity)
- Hacking attacks using scripts that try to guess usernames and passwords happen every 39 seconds, globally. (WebsiteBuilder.org, 2021)
Password Management Statistics
Most Popular Passwords
Passwords should be unique to prevent unauthorized access. However, there are exact passwords or password variations that are popular.
- An analysis showed that there are nearly 10 million variations of the year 2010 being used in passwords.
- The second most-used year in passwords is the year 1987 with almost 8.4 million variations. (Cybernews, 2021)
- 1991 is the third most popular year used in passwords. It has nearly 8.3 million recorded use. (Cybernews, 2021)
- Of the 2.2 billion passwords analyzed, 7% contained curse words. (Cybernews, 2021)
- “Ass” is used in 27 million passwords, making it the most popular curse word in passwords. (Cybernews, 2021)
- “Sex” only has over 5 million uses in passwords. (Cybernews, 2021)
- The “F” word is present in below 5 million passwords. (Cybernews, 2021)
- “Abu” is the most used city in passwords, with 2.3 million iterations. It most likely stands for UAE’s Abu Dhabi. (Cybernews, 2021)
People have their own habits when making passwords. But surprisingly, there are habits that span the globe when it comes to creating passwords for online services.
- Around 50% of Internet users still use the same password for all their accounts. (LastPass, 2021)
- Older people aged 50+ are more likely to use unique passwords for each online service. (Comparitech, 2020)
- 60% of people say they get lazy when creating passwords so they use the same passwords often. (MSN, 2021)
- Disturbingly, 19% of adults in France use one or two passwords for all or almost all of their online accounts. (Proofpoint, 2020)
- But the case is worse in Japan, as 21% of respondents from the country have the same habit or attitude in password management. (Proofpoint, 2020)
- Admirably, 40% of respondents from Germany manually enter a different password for every account they have. (Proofpoint, 2020)
- 44% of US respondents use a password manager to take care of their accounts. (Proofpoint, 2020)
- 33% of respondents from Spain and Germany rotate the use of 5 to 10 passwords. (Proofpoint, 2020)
- Two-thirds of people make new passwords that are similar to the ones they already have. (MSN, 2021)
- 35% of respondents choose convenience over security when electing a password. (SecureLink, 2021)
Twenty-four percent of Americans have used the following common passwords or another form:
Password Practice at Work
Work and personal accounts should be kept separate for security purposes. However, there are still a large number of people who use the same passwords for work and personal logins. On top of that, some workers and even organizations can be lax with regard to password sharing in the workplace. A few password reuse statistics also show that people can fall into the bad habit of reusing passwords across many accounts.
- 31% of workers use their child’s name or birthday for their passwords. (Keeper Security, 2021)
- 44% of workers reuse passwords across personal and work-related accounts. (TechRepublic, 2021)
- 14% of professionals have shared their work passwords with a partner. (TechRepublic, 2021)
- 11% have done the same with a family member. (TechRepublic, 2021)
- 34% have shared passwords with colleagues in the same group. (TechRepublic, 2021)
- 46% of workers said that their company disseminates login information for accounts being used by several individuals. (TechRepublic, 2021)
- 57% of workers write down passwords on sticky notes. (Keeper Security, 2021)
- 62% share passwords via SMS and email. (Keeper Security, 2021)
- 49% note passwords in unprotected plain-text documents. (Keeper Security, 2021)
- A report shows that employees reuse passwords 13 times on average. (LastPass, 2019)
- 59% of companies have more than 500 passwords that do not expire. (Varonis, 2021)
Online services require users to create unique and strong passwords. In the process, organizations present certain password requirements that users must meet. Apart from that, they necessitate users to change their passwords frequently.
- Organizations in the finance sector require users to change passwords 7.17 times per year. However, the frequency of actual password changes is 7.33. (MobileIron & EMA, 2019)
- High technology is another sector where the actual frequency of password changes is higher compared to the required frequency (7.62 times vs. 5.07 times). (MobileIron & EMA, 2019)
- Professional services require password change at least 7.03 times per year but people only do it 4.6 times in a year. (MobileIron & EMA, 2019)
- 37% of EU respondents changed their email passwords in the last 12 months. (European Commission, 2020)
- For mobile banking, 30% of EU residents made changes to their passwords in the same period. (European Commission, 2020)
- Online games get the least attention for password security, with only 7% changing passwords in the past 12 months. (European Commission, 2020)
- Concerningly, 31% have not changed passwords for any online service they use during the time. (European Commission, 2020)
- Only 1 in 5 Americans would change their passwords even after finding out about a bug or a security incident. (SecureLink, 2021)
- 57% of individuals share their passwords with a significant other but only 11% change their passwords after a breakup. (Google, 2019)
- 34% of Americans change their passwords regularly. (Google, 2019)
- 78% of people had to reset their password in the last three months. Among those, 57% had to do it for work while 78% had to do it for their personal accounts. (Comparitech, 2020)
Will passwords die?
Passwords are a major security problem. Despite that, and the numerous authentication models that have been developed, they continue to be ubiquitous. A report once predicted that there would be over 300 billion passwords in use by 2020. That forecast may have come to pass. And that means there are now more than 300 billion passwords at risk.
As the password statistics above showed, even strong passwords can fail. Fortunately, there are safeguards such as multi-factor authentication. Nevertheless, even that is not completely foolproof as cyber attackers have ways to go around or intercept one-time passwords. That is why it is best to always have unique sets of characters for each online service for high security. This means to say people should not reuse passwords or use ones that can be easily guessed by others like birthdays and children’s names.
Moreover, individuals and organizations have to be on guard against cybercrime trends. While new types of cyberthreats do not surface often, various cybercrimes can be popular at any point depending on the situation. Case in point, phishing has become more common because of the COVID-19 pandemic. Thus, everyone must be on guard and take steps to improve cybersecurity.
- Colby, C., & Profis, S. (2020, August 6). 9 rules for strong passwords: How to create and remember your login credentials. Cnet.
- Neveux, E. (2021, January 20). Consumer password habits: Concerning, not surprising. SecureLink.
- Delahaye, J. (2019, April 12). The mathematics of (hacking) passwords. Scientific American.
- Ponemon Institute. (2020). The 2020 state of passwords and authentication security behaviors report. Businesswire.
- Google, & Harris Poll. (2019, October 6). The United States of P@ssw0rd$. Google.
- Verizon. (2020, May 19). SMB data breach statistics. Verizon.
- TraceSecurity. (2018, August 14). 81% of company data breaches due to poor passwords. TraceSecurity.
- WebsiteBuilder.org. (2021, March 20). 30 key cybersecurity statistics to be aware of in 2021. WebsiteBuilder.org.
- Weinert, A. (2020, August 3). Your Pa$$word doesn’t matter. Microsoft.
- Crafford, L. (2021, January 25). 7 bad password habits to break now. LastPass.
- Varonis. (2021, 1). 2021 data risk report: Financial services. Varonis.
- O’Driscoll, A. (2020, August 28). 25+ password statistics that may change your password habits. Comparitech.
- Meyer, B. (2021, April 9). Most common passwords: Latest 2021 statistics. Cybernews.
- Proofpoint. (2020, January). State of the Phish 2020. Proofpoint.
- The Wake Up. (2021, April 10). Your habits on passwords. MSN.
- Whitney, L. (2021, April 6). How poor password habits put your organization at risk. TechRepublic.
- Pollfish, & Keeper Security. (2021, April). Workplace password malpractice report. Keeper Security.
- LastPass. (2019). 2019 global password security report. LastPass.
- MobileIron, & EMA. (2019, July). Passwordless authentication: Bridging the gap between high-security and low-friction identity management. MobileIron.
- European Commission. (2020, January). Special Eurobarometer: Europeans’ attitude towards cyber security. Statista.