Although they rarely cross our thoughts, passwords play a huge role in our lives. We use them repeatedly every day, whether that’s to unlock phones or access online banking.
As credential theft becomes an increasing concern, we’re rethinking how we protect our accounts.
There have already been radical shifts in password use including biometric authentication and zero trust policies.
2024 will bring more changes to the world of cybersecurity. Stay updated by reading our list of the most revealing password statistics and trends.
Top Password Stats
Here’s a glance at the most compelling statistics from our password security report:
- 49% of all data breaches involve passwords.
- The most popular password is ‘123456’.
- Around nine in ten IT leaders are worried about passwords getting stolen.
- One third of people have fallen victim to a data breach due to a weak password.
- Almost half of US citizens “rarely” reset their password.
The state of password security
More and more businesses are adopting cloud technology which means people can log into their accounts from anywhere in the world.
All they need is the password. However, this convenience comes at a cost. Hackers can easily access systems if they have the right credentials.
Once inside a network, they can damage or steal digital assets and leave before anyone notices.
Individuals and organizations are waking up to the emerging threat and reconsidering how they use passwords.
Passwords play a role in almost half of all data breaches. (Verizon)
Using stolen credentials is a popular way to gain unauthorized access to a network.
By posing as an account holder, hackers can avoid triggering security alerts and move around undetected.
One in three people has experienced a data breach due to weak credentials.
A further one in five respondents wasn’t sure whether using a simple password had led to a security issue.
91% of IT leaders are concerned about stolen credentials. (Ping Identity)
Many experts agree passwords are a “deceptively weak” way to safeguard data.
There are calls for leaders to adapt company culture to address vulnerabilities in password security.
The ideal password has 16 to 20 characters with a combination of different letters, numbers, and symbols. (Security.org)
Experts say passwords shouldn’t include any personal information, either.
Hackers might spot details like your pet’s name or favorite song on social media and use the information to guess your credentials.
30% of websites don’t support special characters and 17% don’t have length requirements. (Georgia Tech)
A study discovered around a third of websites don’t support complex passwords.
That means, even if users want to, they can’t secure their accounts with strong credentials.
The majority of US citizens say they rarely reset their passwords. (Statista)
It’s best practice to change your credentials every 30 to 90 days. If criminals learn your login details, they’ll only have a limited time to access your account.
76% of users say they’ve been locked out of an account after forgetting a password.
Respondents say the experience is more frustrating than losing their car keys or sitting in traffic.
That’s understandable when you know most people forget their banking or social media login details, which hinders them from doing important tasks.
Statistics about password formats
Credentials can be any combination of letters, numbers, and characters. This section looks at which password formats are best and the ones people tend to use.
Complex passwords would take up to 34,000 years to crack. (Security.org)
Hackers are unlikely to guess a combination of numbers, letters, and characters like ‘f0JB^B5sjmXl’ in their lifetime.
By comparison, simple passwords like ‘picture’ only take a few hours to crack.
76% of people use passwords with a minimum of nine characters.
However, 52% include common words and phrases in their credentials that are easy to crack.
You’re most likely to find the names of loved ones and pets in people’s passwords if they use common phrasing.
The most popular password of 2023 was ‘123456’. (Nordpass)
‘123456’ takes hackers only a second to crack. Despite its vulnerability, over 4 million people used it throughout the year.
“Amazon” is the fourth most popular ecommerce password.
On a similar note, “netflix” is the fifth most popular streaming password. Using brand names related to the account’s industry or service is risky as they’re easy to guess.
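A sketch of screening a new password against the guidance above (length, character mix, no personal details, no common or brand-name passwords). It is an added example, not code from any of the cited reports; the blocklist is a constructed sample, and `screen_password`, `normalize` and `context_words` are hypothetical names.

```python
import re

# Constructed sample blocklist (assumption); a real deployment would load
# a full list of breached and commonly used passwords.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "picture"}

# Undo common character substitutions before comparing words.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 16  # lower bound of the 16 to 20 character range quoted above


def normalize(text):
    """Lowercase, undo simple substitutions, and keep letters only."""
    return re.sub(r"[^a-z]", "", text.lower().translate(LEET))


def screen_password(password, context_words=()):
    """Return the reasons to reject `password`; an empty list means it passed.

    context_words: the service's brand name plus personal details known for
    the account (user name, pet name, ...) that must not appear in it.
    """
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]"]
    if sum(bool(re.search(c, password)) for c in classes) < 3:
        reasons.append("too few character classes")
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("common password")
    squashed = normalize(password)
    for word in context_words:
        w = normalize(word)
        # Skip very short words to avoid rejecting on accidental matches.
        if len(w) >= 3 and w in squashed:
            reasons.append(f"contains context word: {word}")
    return reasons
```

Because the comparison runs on the normalized form, a long, mixed-character password such as `N3tfl1x-Streaming-2024!` is still rejected for a Netflix account.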
79% of people create passwords by randomly choosing words or characters.
Of these users, 19% used sentences, 17% picked words out of books, and 13% rolled word dice.
Although random word selection is safer than some methods, hackers can still crack these passwords in hours.
Password management statistics
Many users have turned to password managers to generate and store all their login details.
In this section, we’ll explore people’s attitudes toward this software and whether it’s becoming standard practice.
Experts predict password managers will hit over $7 billion in global revenue by 2023.
However, as passwordless technology has become more popular, the future of this industry has come into question.
If fewer people use credentials to access accounts, the demand for password managers could drop.
Around a third of US citizens have a password manager.
With identity theft cases on the rise, more and more Americans are becoming aware of the risk.
The number of people who use a password manager increased by 60% between 2022 and 2023.
One in seven people started using a password manager because they got hacked.
While this number may sound alarming, the most popular reason for adopting the software was preference.
The second biggest reason was that users kept forgetting their passwords.
Of the people who don’t use password managers, 32% said they don’t want to pay.
Over a fifth of respondents said they “don’t know which one to use” and “don’t know how to get started”.
Perhaps, as people learn more about password managers, we’ll see an increase in user adoption.
27.1% of people believe password management is a waste of time.
Good Firms noted the remaining two-thirds of respondents found password management easy and considered it to be worthwhile.
They suggested there’s a correlation—tech-savvy people are more likely to see the benefits of the software.
Google was the most popular password manager of 2023.
Google and Apple knocked LastPass off the top spot. Half of the survey respondents said they use one of these two platforms.
The majority of people use a free password manager but that number is declining.
63% of users rely on a free version of the software. A growing number are willing to pay up to $60 to manage their credentials.
Statistics about corporate password security
Cybersecurity is a top concern for businesses that store sensitive employee and customer information.
Here, we’ll look at secure password management across different industries:
76% of companies still use password authentication. (LastPass)
Less than half have adopted alternative methods such as multi-factor authentication, one-time passcodes, and single sign-on.
26% of employees say they’re unsure when they last changed their professional email login. (PC Matic)
Only 30% are confident they’ve reset their password within the last month.
Updating your professional credentials is important—hackers often target employees to gain access to company systems.
“Passwords are alive and kicking! Our customers prefer them to biometrics, especially in the healthcare field because they wear masks and gloves.
We are pushing MFA to safeguard their most vulnerable data but everything else remains password protected.
Over time, we’ve been able to get clients on board with frequent password changes but it’s an uphill battle. Many SMB owners think that because they’re a small company, nobody will bother attacking them.” Len Kaplan, owner of CDML
Almost half of teams admit to sharing passwords. (Keeper)
Having multiple users on the same account makes it harder to track individual actions.
If there’s a security breach, management won’t know which user was the source.
Only a fifth of employees say their manager sets their password. (PC Matic)
When leaders decide the passwords, they can prevent teams from using weak credentials.
They can also control how often the organization updates login details.
31% of workers say they write down passwords.
However, older employees are bringing up the average: baby boomers are almost twice as likely to make notes with their credentials as millennials.
Writing down passwords is bad practice as unauthorized individuals could use them to access company accounts.
A third of IT’s tickets are related to passwords. (Ping Identity)
If organizations can improve password security, they can free up their IT department’s time to look at big-picture strategies.
For example, they’d have more capacity to proactively look for threats or upgrade security protocols.
The majority of IT leaders agree hybrid work has made employees less cautious with passwords.
Now that teams work outside the office, devices are more vulnerable to opportunistic attacks.
If criminals steal a laptop or mobile, and it’s logged into company accounts, they can easily access the system.
“Passwords alone no longer offer enough protection against today’s hackers. Customers feel most comfortable sharing their personal information when companies use multi-factor authentication.
Businesses have long been instructed on the importance of password best practices, but many turn a blind eye.
That’s why penalties for data breaches are good news for customers. The hefty fines incentivize these companies to back up their password security with other technology like tokens.” Todd Greenbaum, CEO at Input 1
Statistics about personal password security
As well as our phones and computers, many household devices require credentials.
Here’s a look at people’s attitudes and habits toward password security outside of work.
Most people manually enter passwords at work but save login details at home. (Statista)
Many companies have policies about storing credentials on devices to manage access to their system.
Families, by contrast, are less likely to be concerned about sharing devices and accounts.
37% of people haven’t changed their WiFi password since it was set up.
Another 9% say they don’t know how to change their login details. A small but significant minority of users aren’t even sure whether their WiFi is password protected.
Streaming site passwords get shared the most. (Bitwarden)
36% of users give login details to their Netflix or Hulu accounts to friends and family.
However, the majority of people don’t share any credentials for personal apps.
The most popular way to log into social networking apps is manual password entry. (YouGov)
However, biometrics isn’t far behind with just a two-point difference. Authentication apps are by far the least popular method to unlock apps like Facebook and Instagram.
Surveys indicate biometrics is the most popular way to unlock banking apps.
Around a third of respondents from six key markets said they preferred biometric security.
However, the majority still favor manual password entry.
Password breach statistics
Stolen or missing credentials are behind many data breaches. Here’s a look at the extent of the issue including how hackers get hold of passwords and what they do with them.
Around a third of hackers use valid credentials to access accounts in the Cloud. (IBM)
IBM is one of the leading providers of cloud cybersecurity. They reported that stolen credentials are the source of breaches in 36% of the cases they handle.
Weak or missing passwords are a factor in 54.8% of Google Cloud breaches.
When you factor in leaked credentials, passwords are responsible for over 60% of incidents on Google Cloud.
Stolen credentials are worth around $10 on the dark web.
Criminals can buy account login details for a low amount if they know where to look.
Credentials make up 90% of access types sold online, which often include the username, password, and IP address.
32.4% of workers admit to accessing their former employer’s accounts after they left the job. (Keeper)
Businesses shouldn’t just be wary of hackers. If they forget to revoke permissions, employees may continue to log into their systems.
Only a quarter of businesses are sure their former employees no longer have access to accounts.
Most IT leaders say they are very concerned about workers leaving the company with passwords.
If people hold a grudge against their former employer, they could get revenge by stealing or damaging digital assets.
Around two-thirds of employees think they could spot a phishing email or phony social message.
However, these statistics may say more about people’s casual attitudes towards cyberattacks than their ability to notice scams.
“Security analysts warn of a surge in password-stealing malware, which is especially threatening to organizations that lack proper safeguards. This malware persists even after users change their passwords.
The best line of defense against these threats is a robust security approach including password policies, multi-factor authentication, and consistent user education.
Recognizing the vulnerability of password security is crucial.” Ronan Kavanagh, CEO of TitanHQ
How the media is reporting on password security
Trends in password security often make the headlines. Here are some of the top stories to know about:
Group-IB has identified user logs from over 100 thousand ChatGPT accounts on the dark web. (Group-IB)
The cybersecurity specialists found the information for sale on dark web marketplaces.
Criminals had used password-stealing malware to infect devices and access accounts.
Orange Espana experienced a 50% loss in Internet traffic after a breach. (Infostealers)
A hacker guessed the password and broke into the system. Later, using a pseudonym, they explained on X how they’d gained access to Orange.
After Netflix banned password sharing, it gained 9 million new users. (Netflix)
The TV streaming service cracked down on password sharing in 2023. Although the move was unpopular, Netflix has increased its membership count and revenue.
Users race to change their passwords after the so-called ‘Mother of All Breaches’. (CyberNews)
Cybersecurity experts found a record-breaking 26 million records online. They contained sensitive data including personal information and credentials from popular sites like Twitter and LinkedIn.
Recent and upcoming password trends
As technology advances and new threats emerge, we can expect radical changes to password security in 2024.
Here’s a look at the main trends to watch out for:
87% of companies say they’re moving toward passwordless authentication. (Teleport)
Instead of asking users to enter credentials, they’ll authenticate using a combination of biometrics, devices, and hardware.
For example, employees could use fingerprint recognition, smartphone codes, and key cards.
56% of people are excited about passwordless technology.
Most would prefer to use biometric authentication such as iris scanners and voice recognition.
As biometrics are almost impossible to copy or steal, criminals couldn’t use them to hack accounts.
The global revenue from passwordless technology is expected to hit $53 billion by 2023. (Statista)
15% of companies across Africa, Europe, and North America have already introduced the system. A further 3% said they intend to implement passwordless authentication within the next 18 months.
Around 80% of phones already have built-in biometric scanners. (Cisco)
Many smartphones already have passwordless authentication enabled. Many have thumbprint scanners but some also have facial recognition.
55% of IT leaders think training is the biggest barrier to adopting passwordless authentication. (LastPass)
Another 23% of respondents aren’t convinced by the technology—they say it’s unproven as it hasn’t yet been adopted marketwide.
Password security is improving around the world.
Dashlane assigns global users a score for their password health. In 2023, the average score for each region had increased by two points.
“SMBs must recognize that passwords cannot be made safe. It is 60-year-old technology and from an era before microwaves, PCs, mobile phones, even the internet as we know it.
With Ransomware-as-a-Service and Generative AI, cybercriminals will start targeting SMBs with the same attacks used on large organizations, and being small will no longer be a viable cyber defense strategy.
All organizations will need to implement next generation multi-factor authentication or put their futures at significant risk.” John Gunn, CEO at Token Ring
Password technology is advancing at an incredible pace and we’re beginning to realize its potential.
We’re also becoming more mindful of its weaknesses and recognizing when we need to have other systems like tokens and multi-factor authentication in place.
In the near future, it’s possible passwordless technology will become standard practice.
However, for the time being, passwords remain the most popular way to protect our accounts.