120+ Password Statistics 2024-2025: Insights into Password Security and Hacking Trends

Ayush Saxena

Jan 04, 2024

From your most personal conversations to your lifetime savings, much of your personal life relies on passwords. Because of this, hackers focus their efforts on stealing your passwords to gain access to your files, finances, or even your identity. Yet millions of us have poor password habits, making our accounts vulnerable to hacking and other breaches.

A password is a means of authenticating access to digital systems and services so that only the account owner or authorized personnel can view or modify important data.

What are the most common ways a hacker can access your account? What are the latest trends and developments in passwords? How can you improve your password security to safeguard your personal or organization’s data?

We will dive deep into all these questions and more in the following article.

Top password statistics to know in 2025

Let’s face it: we all have to handle a number of passwords in our day-to-day lives. They have become an integral part of this rapidly evolving digital world. And since passwords are so common, as you aim to stay safe online, it can be easy to let them fall by the wayside.

Before diving into the nitty-gritty details of password security statistics, here are some of the top password statistics to know in 2023:

Internet users who don’t use password managers are three times more likely to be affected by identity theft. (Security.org, 2023)

Only about half of internet users know the best practices of password security. (Bitwarden, 2022)

Hackers exposed over 24 billion passwords in 2022. (Digital Shadows, 2022)

Stolen, weak, or reused passwords are the cause of more than 80% of confirmed breaches. (LastPass, 2021)

Reusing passwords is considered a risk by 91% of people. (LastPass, 2021)

After noticing unauthorized access, nearly 60% of individuals strengthen the passwords they use to access their devices or accounts. (Norton, 2021)

On average, it takes fourteen seconds to type out a password. (LastPass, 2021)

Password Trends for 2023

The explosion of internet services and digitization has overwhelmed users with passwords and accounts to remember, which has led to them reusing passwords and creating simple passwords across multiple accounts. This, in turn, gives hackers an opportunity to access sensitive data of users.

The world of hacking continues to grow more sophisticated by the minute. Individuals and organizations must keep up with these developments.

Here are some important facts about password trends in 2023: 

Multi-Factor Authentication continues to improve

Multi-factor Authentication (MFA) is a technique tailored to strengthen the authentication process by linking possession-based authentication with knowledge-based authentication. A user is only authenticated to use a service when they share evidence of the shared secret in addition to something they are or have. 

Smartphones are the ideal physical item for possession-based authentication due to their ubiquity. The service sends a challenge or a message to the phone to prove a user is in physical possession of the device.

Although MFA serves as an improvement over traditional password-based authentication, MFA techniques have their own challenges:

  • Third parties can easily intercept verification messages sent via email.
  • MFA based on SMS is susceptible to SIM swapping.
  • Prompt bombing can compromise push notifications.

MFA also interferes with the user experience by requiring the user to go through a multi-step process: provide the password, wait for a challenge and then complete the challenge.

Passwordless authentication comes to the rescue

The intrinsic weakness of MFA and password-based authentication can be removed by eliminating shared secrets. The best alternative is a secure form of possession-based authentication. 

When a user registers with a service with FIDO passwordless authentication, the user generates a public/private key pair. The private key is stored in a hardware-based vault on the device, and the public key is shared with the service.

The service sends a challenge to the user during the authentication process, and the user encrypts the challenge using the private key. The encrypted challenge is sent back to the service. The user is authenticated if the service can successfully use the public key to decrypt the challenge.

What prevents hackers from using a stolen device to authenticate to the service? The user’s private keys and hardware vault are safeguarded by either a PIN or biometrics, such as facial recognition or a fingerprint. Biometrics and PINs never get transmitted or shared across the network. This ensures that only a legitimate user can access the private keys and prove possession of the device.
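The registration and challenge flow described above, as an added example (not code from the original article or from the FIDO Alliance). In FIDO the response to the challenge is a digital signature, which the service verifies with the registered public key; the class names, the user name and the PINs are constructed for illustration, and a software object stands in for the hardware vault.

```javascript
const nodeCrypto = require("crypto");

// Device side: the private key and the PIN check never leave this object,
// which stands in for the hardware-based vault (assumption for the demo).
class Authenticator {
  #privateKey;
  #salt = nodeCrypto.randomBytes(16);
  #pinHash;

  constructor(pin) {
    const pair = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
    this.#privateKey = pair.privateKey;
    // Only the public half is exported for registration with the service.
    this.publicKeyPem = pair.publicKey.export({ type: "spki", format: "pem" });
    this.#pinHash = nodeCrypto.scryptSync(pin, this.#salt, 32);
  }

  // Signs the challenge only after the PIN has been verified locally.
  respond(challenge, pin) {
    const candidate = nodeCrypto.scryptSync(pin, this.#salt, 32);
    if (!nodeCrypto.timingSafeEqual(candidate, this.#pinHash)) return null;
    return nodeCrypto.sign("sha256", challenge, this.#privateKey);
  }
}

// Service side: stores public keys only, so there is no shared secret to steal.
class Service {
  #publicKeys = new Map(); // user -> PEM public key
  #pending = new Map();    // user -> outstanding challenge

  register(user, publicKeyPem) { this.#publicKeys.set(user, publicKeyPem); }

  newChallenge(user) {
    const challenge = nodeCrypto.randomBytes(32);
    this.#pending.set(user, challenge);
    return challenge;
  }

  verify(user, signature) {
    const challenge = this.#pending.get(user);
    this.#pending.delete(user); // each challenge is accepted at most once
    const pem = this.#publicKeys.get(user);
    if (!challenge || !pem || !signature) return false;
    return nodeCrypto.verify("sha256", challenge, pem, signature);
  }
}

function demo() {
  const service = new Service();
  const device = new Authenticator("4821"); // constructed PIN
  service.register("alice", device.publicKeyPem);

  const signature = device.respond(service.newChallenge("alice"), "4821");
  const login = service.verify("alice", signature);
  service.newChallenge("alice"); // a captured response does not fit a new challenge
  const replay = service.verify("alice", signature);
  // Stolen device without the PIN: the vault refuses to sign.
  const wrongPin = service.verify("alice", device.respond(service.newChallenge("alice"), "0000"));
  // A different device holds a different key pair.
  const other = new Authenticator("4821");
  const otherDevice = service.verify("alice", other.respond(service.newChallenge("alice"), "4821"));
  return { login, replay, wrongPin, otherDevice };
}
```

Calling demo() returns the outcome of the legitimate login and of the three rejected attempts.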

Passwordless authentication in the real world

The digital world is now transitioning to passwordless authentication. A survey by Enterprise Strategy Group (ESG), a division of TechTarget, revealed the following facts:

  • 31% of respondents named passwordless authentication as the top identity-related activity.
  • 34% of respondents placed passwordless authentication among the top three identity-related activities.
  • 54% of total respondents said the transition to passwordless authentication is in progress.
  • Of companies transitioning to passwordless strategies, more than half experienced a significant positive impact on improved UX and risk reduction. Almost two-thirds reported increased efficiency for security teams and IT.

With these benefits and the ability for businesses to shift to a passwordless approach for their applications and IAM systems, 2023 can and should be the year of passwordless authentication.

Password breach statistics

So much important information is locked behind passwords that hackers may use cyberattacks like website spoofing or smishing to try to steal your password. A data breach could also expose your passwords, which could leave your account vulnerable to attacks.

To get a clear picture of how your passwords might get compromised, pore over these password-hacking statistics:

Password Breach Statistics 2022-2023

Here are some password breach statistics for the year 2022-2023:

38% of Americans say at least one of their passwords has been guessed or cracked. (Security.org, 2023)

In the last 18 months, nearly 1 in 4 individuals were affected by a data breach. (Bitwarden, 2022)

In 2022, as compared to 2020, 65% more passwords were compromised. (Digital Shadows, 2022)

Compromised credentials, such as passwords, were involved in 63% of social engineering attacks. (Verizon, 2022)

1 in 10 adults has used a romantic partner’s password to access online accounts, such as social media profiles. (Norton, 2022)

The use of stolen credentials is the most common hacker action in social engineering breaches. (Verizon, 2022)

In 2022, out of the 24 billion credentials compromised, only 6.7 billion of them were unique pairings of passwords and usernames. (Digital Shadows, 2022)

Stolen passwords are the cause of over 80% of basic web application attacks. (Verizon, 2022)

34% of those affected by a data breach were notified by their password manager. (Bitwarden, 2022)

Stolen passwords are the cause of 8 in 10 mail server attacks. (Verizon, 2022)

The use of stolen credentials, such as passwords, was the cause of over 40% of breaches. (Verizon, 2022)

The breach of user credentials, including passwords, was the cause of nearly 70% of basic web application attacks. (Verizon, 2022)

Password Breach Statistics 2021

Here are some password breach statistics from the year 2021:

More than one-third of people involved in the survey admitted to attempting to guess someone’s password. (Beyond Identity, 2021)

26% of individuals say that, to their knowledge, they’ve never had any of their passwords breached. (Beyond Identity, 2021)

Personal email accounts of over 23% of individuals were compromised. (Beyond Identity, 2021)

Online banking accounts for nearly 18% of individuals were compromised. (Beyond Identity, 2021)

More than 25% of individuals reported knowing that their password had been breached three to four times. (Beyond Identity, 2021)

4% of people trying to guess someone else’s password looked through the social media profiles of the concerned person beforehand to find helpful information. (Beyond Identity, 2021)

Over half of the people who admitted to trying to guess a password wanted to get the password of their significant other. (Beyond Identity, 2021)

Of the people who’ve tried to guess someone else’s password, almost 1 in 4 have tried to guess the password of their child. (Beyond Identity, 2021)

Of the people who’ve tried to guess someone else’s password, 15.6% looked through the individual’s personal files for helpful information. (Beyond Identity, 2021)

Password Breach Statistics 2020

Here are some password breach statistics from the year 2020:

12% of individuals know someone who has been a target of a password breach. (Ponemon Institute, 2020)

37% of IT security professionals say potential risks to the security and privacy of their private information are their top concern. (Ponemon Institute, 2020)

Brute-force password-cracking tools cost hackers $4 on average on criminal marketplaces. (Digital Shadows, 2020)

60% of IT security professionals say account takeovers have been used to target their customers’ accounts. (Ponemon Institute, 2020)

Login credentials for financial accounts and banking sell for an average price of $70.91 on cybercriminal marketplaces. (Digital Shadows, 2020)

35% of individuals impacted by an account takeover start using multi-factor authentication (MFA) and two-factor authentication (2FA) when possible.

Identity theft has affected over 32% of individuals. 

An account takeover has affected over 35% of survey respondents. 

For a single account on criminal marketplaces, the average cost of login credentials is $15.43. (Digital Shadows, 2020)

 $3,217 is the average cost of a login credential related to local government. (Digital Shadows, 2020)

Weak password statistics 

Strength is key when it comes to establishing a hack-proof password. You should also establish unique passwords for each of your devices and accounts. Take a look at these weak password facts and statistics to help you better understand the dangers of using a weak password:

Weak password statistics 2023

Here are some weak password statistics from the year 2023:

12% of people have their partner’s name as part of their passwords. (Security.org, 2023)

 “123456” is the most frequent password used by users. (Reader’s Digest, 2023)

18% of individuals say their pet’s name is in their passwords. (Security.org, 2023)

61% of those impacted by password hacking admitted to having passwords shorter than eight characters. (Security.org, 2023)

Nearly 40% of people admitted to sharing their personal passwords with other people. (Security.org, 2023)

64% of passwords are only 8 to 11 characters long. (Security.org, 2023)

21% of individuals say their birth year is part of their password. (Security.org, 2023)

Less than 50% of Americans strongly trust that their passwords are safe. (Security.org, 2023)

Weak password statistics 2022

Here are some weak password statistics from the year 2022:

13% of people say they put the same level of effort into setting passwords, no matter what kind of account it is for. (LastPass, 2022)

Only 11% of consumers report using a password to log in to their streaming accounts in the past 60 days. (FIDO Alliance, 2022)

About half of IT leaders believe that passwords are an inadequate security measure. (Ping Identity, 2022)

More than 6 in 10 people admitted to reusing passwords. (LastPass, 2022)

Only 12% of individuals always establish unique passwords. (LastPass, 2022)

Gen Z, 69% of the time, uses some variation of a single password. (LastPass, 2022)

In less than one second, hacking tools can crack 96% of the most common passwords. (Digital Shadows, 2022)

More than 25% of individuals are unaware as to when they last changed their email password. (PC Matic, 2022)

Although 89% of people are aware that using the same password is a security risk, only 12% of them change passwords between accounts. (LastPass, 2022)

40% of individuals say their Wi-Fi password has been unchanged since the day they set it up. (PC Matic, 2022)

Adding a single special character to a common 10-character password can increase the time it takes hackers to crack it by 1.5 hours. (Digital Shadows, 2022)

In the past 60 days, only 10% of consumers reported using a password to log in to their social media accounts. (FIDO Alliance, 2022)

Weak password statistics 2021

Here are some weak password statistics from the year 2021 and before:

Almost 75% of the people who’ve tried to guess someone’s password have been successful. (Beyond Identity, 2021)

27.5% of individuals say their oldest password is three to five years old. (Beyond Identity, 2021)

10% of people say they have used the same password since high or middle school. (Beyond Identity, 2021)

Less than half of the individuals trust that the password to their music streaming account is protected. (Beyond Identity, 2021)

1 in 10 individuals believe that, just by looking at their social media accounts, someone could correctly guess their passwords. (Beyond Identity, 2021)

More than 30% of individuals admit they’d be embarrassed if they had to say their password out loud. (Beyond Identity, 2021)

2.2% of people say they have a password that is over 21 years old. (Beyond Identity, 2021)

Nearly 25% of individuals admitted that they’d share their password with a roommate. (Beyond Identity, 2021)

13% of people say they have the exact same password for each of their accounts. (Google, 2019)

Business password statistics

The increase of remote work and the rapid developments in the world of hacking have brought their own set of password security challenges. Read on to learn more about the challenges your company may face when trying to keep sensitive data safe during today’s shifting business environment:

On average, time wasted on password issues alone costs employers $480 per employee. (Beyond Identity)

51% of individuals and 49% of IT security professionals share passwords with coworkers to access business accounts. (Yubico and Ponemon Institute)

Nearly half, or 46%, of IT security and cybersecurity leaders still store passwords in shared office documents. (Bravura Security)

57% of surveyed respondents admit to jotting down work-related online passwords on paper or sticky notes, with 67% of those confessing to having lost these notes. (Keeper Security)

59% of IT security professionals declared that their organization relies on human memory to manage passwords. (Yubico and Ponemon Institute)

Only 5% of cybersecurity and IT security leaders were extremely confident about an employee leaving the company and not taking passwords with them. (Bravura Security)

If they have to urgently terminate the services of an employee, only 7% of IT security as well as cybersecurity leaders are extremely confident they can terminate access, transfer passwords and credentials, and maintain business continuity. (Bravura Security)

Individuals reuse the same passwords across an average of 16 workplace accounts. IT security respondents say they reuse the same passwords across an average of 12 workplace accounts. (Yubico and Ponemon Institute)

When working remotely, 39% of American employees didn’t feel the need to alter their online security habits because they were already strong. (LastPass)

When working from home, 66% of employees say that they’re more likely to jot down work-related passwords than they are while working in the office. (Keeper Security)

44% of employees surveyed said they shared passwords and sensitive information for professional accounts while operating remotely. (LastPass)

Only 35% of employers surveyed agreed they made employees update their passwords more frequently when working remotely. (LastPass)

51% of individuals admitted to using their personal mobile devices to access work-related items, and of those respondents, 56% did not implement 2FA. (Yubico and Ponemon Institute)

Password management statistics 

Password management is an important step towards safeguarding accounts and passwords. Here are some password management statistics to highlight the same:

  • Around 70% of password manager users employ non-monetized password managers.
  • 2 out of 3 internet users use memory or handwritten notes to manage their passwords.
  • One out of four internet users uses a password manager for multiple accounts.
  • For three out of ten password manager users, using a password management tool enables easy access to the passwords.
  • For 35% of password manager users, the use of passwords guarantees security across multiple accounts.
  • Account takeover impacted how over 3 out of 4 people managed their passwords.
  • 47% of people born between the 1980s and 1990s memorize their passwords.
  • Up to 50% of password manager users utilize software for their private accounts.
  • 28% of people (non-users) consider password managers insecure.
  • Nearly 25% of password manager users utilize documents on their PCs.
  • Over 45 million individuals used password managers to monitor their passwords against password hackers.
  • Up to 10% of internet users spend one to twenty dollars on password managers yearly.
  • Over 39% of organizations reported that password managers are critical to them.

Tips for improving your password security

Now that you understand the significance of strong password security and the many ways hackers try to exploit it, you may wonder how you can upgrade your password security.

Follow these password security best practices to help ensure you’re doing the best you can to enhance your Cyber Safety:

  • Avoid using personal information when setting a password, such as your name, pet’s name, or birthday.
  • Use a unique password for every account so that if a hacker knows one of your passwords, your other accounts are still secure.
  • Enable 2FA to have an additional layer of security between your personal information and a hacker.
  • Don’t share your passwords with anyone to ensure your passwords never end up in the wrong hands.
  • Increase your password length to make it harder for hackers to guess them. A password longer than 16 characters is recommended.
  • Avoid jotting your passwords down, which could put your online security at risk.
  • Use special characters and numbers to create more secure passwords that are harder to crack.
  • Avoid using common words and phrases. Instead, use random patterns to help safeguard your passwords from hacking methods like dictionary attacks.
  • Regularly monitor your accounts and keep an eye out for login alerts or any suspicious activity that may be a result of a compromised password.
  • Change your passwords frequently to maximize your security and stay ahead of any hackers as well as any potentially unknown data breaches.
  • Start making use of a password manager to help you safely keep track of all your unique passwords.

Conclusion

Brute force attacks, bad passwords, hacking-related breaches, and poor password security practices have led to the compromise of personal accounts as well as to company data breaches. Passwords are our digital guardians, and we must invest in some of the following password practices:

  • Create complex passwords with a combination of letters (upper case and lower case), special characters, and numbers.
  • Create stronger passwords of at least 12 characters.
  • Enable one-time passwords and SMS authentication.
  • Choose a secure password manager from the password management market.
  • Passwordless authentication methods such as biometrics can be implemented.

FAQs

What are the 4 main rules for creating strong passwords?

The 4 main rules for creating strong passwords are:

  • The password should be at least 12 characters (needed for your Muhlenberg password).
  • A mixture of both lowercase as well as uppercase letters.
  • A mixture of numbers and letters.
  • At least one special character, e.g., ! # @ ? ], should be included.

What are the statistics of password cracking?

38% of Americans revealed having at least one of their passwords guessed or cracked. (Security.org, 2023). 12% of people know someone who has been impacted by password breaches. (Ponemon Institute, 2020)

What is the strongest password format?

A combination of uppercase letters, symbols, lowercase letters, and numbers. A word from the dictionary or the name of a person, product, character, or organization should not be used. Also, it should not be the same as your previous passwords.

Ayush Saxena
Ayush Saxena is a senior security and compliance writer. Ayush is fascinated by the world of hacking and cybersecurity. He specializes in curating the latest trends and emerging technologies in cybersecurity to provide relevant and actionable insights. You can find him hiking, travelling or listening to music in his free time.
