50+ Password Statistics: The State of Password Security in 2024
The average internet user has over a dozen online accounts. Depending on their career, they could have another dozen or more work accounts. Each of those accounts holds sensitive information, often protected by a user-created password.
Passwords are the guardians of personal data. Yet millions of users rely on — and reuse — weak passwords that can be hacked in a matter of minutes. Even strong passwords are vulnerable to a cyber attack. Still, most people rarely change their passwords.
What is the state of passwords today? Keep reading to learn the latest password statistics and see how poor password habits could be putting consumer and business data at risk.
Contents
- Top Password Statistics
- Password Habit Statistics
- Weak Password Statistics
- Password Manager Statistics
- MFA And Passwordless Security Statistics
Top Password Statistics
Before exploring the full list, here are our top 5 password statistics:
- 30% of internet users have experienced a data breach due to a weak password.
- Two-thirds of Americans use the same password across multiple accounts.
- The most commonly used password is “123456.”
- 59% of US adults use birthdays or names in their passwords.
- 13% of Americans use the same password for every account.
Password Habit Statistics
In a world of multiple devices, apps, and streaming channels, the average person has dozens of passwords. Remembering and keeping track of a growing list of passwords is inconvenient, to say the least. The result? Poor password habits.
These are the top password bad habits putting users at risk today.
3 in 10 users have been victims of data breaches due to weak passwords (GoodFirms)
Weak passwords are short, easy to guess, or can be cracked in minutes using methods like credential stuffing. GoodFirms’ survey found that 30% of respondents — all IT professionals — experienced a data breach because of a weak password. An additional 23% were unsure whether they were involved in a data breach.
Two-thirds of Americans use the same password across multiple accounts (Google, Harris Poll)
Most Americans are hesitant to take measures that would strengthen their passwords and protect their data online. A 2019 Google/Harris Poll survey of 3,419 US adults found that only:
- 37% used two-factor authentication.
- 36% kept track of passwords on paper.
- 34% regularly changed passwords.
- 15% used a password manager.
Reusing passwords makes users vulnerable to data breaches. In the first three months of 2019 alone, Microsoft discovered that 44 billion accounts were reusing the same password credentials.
Around 1 in 10 Americans use the same password for every account (Google, Harris Poll)
A Google poll found that 1 in 8 US adults used the same password for every single one of their online accounts. An additional 52% reused the same password for some of their accounts, while 35% used unique passwords for every account.
43% of US adults have shared a password with someone (Google, Harris Poll)
Is password sharing the ultimate display of trust? It might be, but relationships — both romantic and platonic — don’t last forever. 6% of American adults say they still have access to a password belonging to a former romantic partner, roommate, or colleague.
The most common passwords people share are streaming services (22%), email accounts (20%), social media accounts (17%), and online shopping accounts (17%).
44% of internet users rarely reset their passwords (bitwarden)
Most people should aim to change their passwords every three months, according to McAfee. In reality, almost half of internet users rarely, if ever, change their passwords. On the bright side, 34% of internet users change their passwords around once per month, 15% multiple times per week, and 6% change them every day.
Approximately 2 in 5 internet users manage passwords across 10 to 25 websites and apps (bitwarden)
Internet users can have dozens of password-protected online accounts. And while inconvenient, the best way to keep those accounts safe is to use unique login credentials for each. Despite that, 32% of internet users reuse the same password across 5 to 10 websites and apps.
The average adult created 15 new online accounts during the COVID-19 pandemic (IBM)
That’s 15 new username and password combinations per adult worldwide over the course of the pandemic. Millennials opened an average of 18 new accounts — the highest rate — while Gen Zers opened an average of 16. IBM’s global survey found that among adults who opened new accounts during the pandemic:
- 44% don’t plan on deleting any new accounts once the pandemic is over.
- 82% reuse the same username and password at least some of the time.
- 21% reuse the same username and password for every new account.
53% of IT professionals use email to share passwords with colleagues (bitwarden)
With remote and hybrid workforces on the rise, bitwarden surveyed 400 IT leaders to learn how they share passwords with employees. 53% said they used email, a jump from 39% one year prior. Other password-sharing methods include sharing online documents (43%), messaging (41%), verbally (31%), and paper (21%). 24% of respondents said they never share passwords.
Weak Password Statistics
Strong passwords have 8 or more characters, a combination of letters, numbers, and symbols, and contain no personal information that can be easily guessed by hackers. Some of this might seem like common sense, but weak passwords still proliferate. Here are the latest weak password statistics.
The most commonly used password is “123456” (Cybernews)
Cybernews analyzed over 15 billion passwords found in public data breaches. The most common passwords were startlingly weak. The top 10 were:
- 123456
- 123456789
- qwerty
- password
- 12345
- qwerty123
- 1q2w3e
- 12345678
- 111111
- 1234567890
Around 3 in 5 US adults use birthdays or names in their passwords (Google, Harris Poll)
Strong passwords combine letters, numbers, and characters to make them harder to guess. Despite that, the majority of Americans use easy-to-guess names and birthdays as part of their passwords. A Google/Harris Poll survey found that:
- 33% use a pet’s name.
- 22% use their own name.
- 15% use a spouse or partner’s name.
- 14% use their children’s names.
37% of US employees use their employer’s name in a work-related password (Keeper Security)
People aren’t just creating weak passwords for their personal accounts, they’re creating them for work-related accounts too. Employees commonly use their significant others’ (34%) or their children’s (31%) names or birthdays for work-related passwords.
Even more alarming: 44% of employees say they use the same login credentials across both personal and work-related accounts.
Fewer than 1 in 3 US adults use a random password generator to create new passwords (Security.org)
When creating a new account that requires a password, random password generators can offer the best chance of keeping data secure. Despite that, just over a quarter of users use password generators. They’re far more likely to mix and match words and numbers (79%) or use a variation of a previous password (57%).
Password Manager Statistics
How do you maintain strong and unique passwords across multiple accounts? Memorization might work for a handful of very gifted individuals. Pen and paper is an option, but that has its own risks as well.
Password managers offer users a secure way to store all of their login credentials and access them across multiple devices. But how many people are actually using password managers? Here are the latest stats.
It is estimated that the global password management market will hit $2.9 billion by 2027 (Research and Markets)
In 2020, the password management market was valued at just $1.25 billion in revenue. By 2027, that figure is set to more than double to $2.9 billion. Over that time frame, the password management market is expected to grow at a 20.7% CAGR.
LastPass is the most popular password manager in the United States (Security.org)
Password managers offer users a way to create and store strong, unique passwords for all their accounts. 21% of Americans who use a password manager use LastPass. Other popular password managers are Keeper (10%), McAfee True Key (8%), Bitwarden (8%), and Google Chrome password manager (8%).
30% of internet users use password managers to keep track of their passwords (bitwarden)
When users have dozens of online accounts and don’t want to reuse the same passwords over and over, they need some way to keep track. Password managers are helpful tools that allow users to store all their passwords in one secure place.
Unfortunately, most users rely on less secure ways to manage their passwords. 55% of internet users rely on password memorization, which suggests their passwords are likely reused or easy to guess. 32% keep track with pen and paper, 23% with a computer document, and 20% with their email account.
Half of all users claim that security was a primary reason for adopting a password manager (bitwarden)
Strong passwords help keep data secure. They’re also nearly impossible to memorize. That’s why half of password manager users are mindful of keeping their data safe. 44% of users also said they started using password managers because they kept forgetting their passwords.
38% of non-users don’t use a password manager because they believe their current system works (bitwarden)
If strong passwords are difficult to memorize and password managers offer the best way to keep track, why do people still refuse to use them? Bitwarden’s 2022 password survey revealed the top reasons people don’t use password managers:
- They believe their current system works (38%).
- They don’t want to pay for a password manager (32%).
- They don’t know which password manager to use (27%).
- They’re afraid their password manager will get hacked (27%).
- They don’t know how to get started (21%).
38% of security and IT professionals say their organization does not use password managers (SANS Institute)
It would seem that in the corporate world, where organizations have hundreds or thousands of employees, password managers would be the norm. That’s not the case for more than one-third of organizations.
What’s stopping organizations from using password managers? According to the SANS Institute’s 2021 Password Management Survey, convenience is the main barrier to adoption. 33% of respondents said password managers negatively impacted productivity and user-friendliness, 30% said they were difficult to manage, and 26% said they were difficult to implement.
MFA and Passwordless Security Statistics
With data breaches on the rise, the writing is on the wall about passwords. To mitigate risk, organizations implement extra security steps to protect accounts.
Two-factor (2FA) and multi-factor (MFA) authentication require users to enter a one-time code sent via SMS or email in addition to their login credentials. Passwordless security grants access to accounts using biometrics, hardware tokens, and other means.
46% of IT professionals use two-factor authentication to log in to work accounts (Ponemon)
Of the organizations that require two-factor authentication, 28% use SMS codes. Not all employees appreciate this extra security step — 54% of IT professionals feel that SMS authentication disrupts their workflow, and 47% find it irritating.
Two-factor authentication services like Authy can help boost the security of user accounts.
The passwordless authentication market is expected to reach $53 billion by 2030 (Next Move Strategy Consulting)
With passwordless authentication, users gain access to their accounts with fingerprint scans, hardware tokens, SMS codes, and more. The passwordless authentication market was worth $12.79 billion in 2021 and is slated to hit $53.64 billion by 2030 — a 16.7% CAGR.
87% of IT professionals believe that moving toward passwordless infrastructure is very important to improve security (Teleport)
The vast majority of IT professionals recognize the benefits of adopting a passwordless infrastructure model. Despite that, 80% admit to still using passwords in their organizations.
Only 3 in 5 organizations use passwordless methods to access IT infrastructure (Teleport)
While 80% of organizations still use passwords to access certain infrastructure types, 60% are using passwordless authentication methods to some degree:
- 60% use hardware security tokens.
- 48% use one-time email links.
- 43% use certificate-based authentication.
- 42% use public and private key pairs.
Conclusion
For better or worse, passwords play a significant role in our digital lives. To keep our data safe and secure, we must learn to create stronger passwords and manage those passwords in an intelligent way.
Until MFA and passwordless security become standard, using password managers and regularly changing passwords offer the best security for the average user.