GITNUXREPORT 2026

Password Hacking Statistics

Weak passwords cause most data breaches, posing a constant and major security risk.

Sarah Mitchell

Sarah Mitchell

Senior Researcher specializing in consumer behavior and market trends.

First published: Feb 13, 2026

Our Commitment to Accuracy

Rigorous fact-checking · Reputable sources · Regular updatesLearn more

Key Statistics

Statistic 1

3.2 billion credentials from 100+ breaches in 2022

Statistic 2

LinkedIn breach exposed 700 million passwords in 2021

Statistic 3

Yahoo's 2013 breach leaked 3 billion accounts

Statistic 4

RockYou 2009 dump: 32 million plaintext passwords

Statistic 5

Marriott breach 2018: 500 million guest passwords

Statistic 6

Adobe 2013: 153 million encrypted passwords cracked

Statistic 7

Equifax 2017: 147 million credentials exposed

Statistic 8

MySpace 2016: 360 million passwords leaked

Statistic 9

Dropbox 2012: 68 million passwords in 2016 leak

Statistic 10

Twitter 2009: 33 million passwords from 2022 leak

Statistic 11

Sony 2011: 77 million PlayStation passwords

Statistic 12

eBay 2014: 145 million user credentials

Statistic 13

Capital One 2019: 100 million customer passwords

Statistic 14

Zynga 2019: 218 million passwords from Words with Friends

Statistic 15

Neopets 2020: 69 million passwords exposed

Statistic 16

Canva 2022: 4 million passwords stolen

Statistic 17

Twitter 2022: 5.4 million API keys and passwords

Statistic 18

LastPass 2022: Encrypted password vaults stolen

Statistic 19

MOVEit 2023: 60 million passwords from supply chain

Statistic 20

MGM Resorts 2023: 10.6 billion passwords in infostealer dump

Statistic 21

23andMe 2023: 6.9 million passwords via credential stuffing

Statistic 22

Optus 2022: 10 million Australian passwords

Statistic 23

T-Mobile 2021: 54 million passwords leaked

Statistic 24

Facebook 2019: 533 million passwords in plain text

Statistic 25

Under Armour 2020: 150 million MyFitnessPal passwords

Statistic 26

Ticketmaster 2023: 560 million passwords rumored

Statistic 27

81% of hacking-related breaches leveraged weak, default, or stolen passwords in 2023

Statistic 28

In 2022, credential stuffing attacks accounted for 30% of all breaches

Statistic 29

74% of breaches in 2021 involved compromised credentials

Statistic 30

Password attacks rose by 25% year-over-year in 2023 per Akamai

Statistic 31

1 in 3 data breaches start with a phishing attack targeting passwords in 2023

Statistic 32

Brute force attacks increased 300% during COVID-19 lockdowns

Statistic 33

23 billion passwords exposed in breaches as of 2023

Statistic 34

Over 500 million accounts hit by credential stuffing in 2022

Statistic 35

Password spraying attacks up 550% in 2023

Statistic 36

40% of organizations faced password breach attempts daily in 2023

Statistic 37

68% of enterprises experienced at least one password-related breach in 2022

Statistic 38

Global password attacks hit 15 billion per month in 2023

Statistic 39

29% of all breaches in 2023 were due to stolen credentials

Statistic 40

Credential abuse was factor in 50% of initial access vectors

Statistic 41

3.9 billion login attempts blocked as malicious in Q1 2023

Statistic 42

Password guessing accounts for 17% of web app attacks

Statistic 43

80 million unique passwords cracked in RockYou2021 dump

Statistic 44

Daily average of 2,000 password attacks per organization

Statistic 45

61% rise in automated password attacks in 2023

Statistic 46

123456 remains top targeted password in 85% of attacks

Statistic 47

Hybrid brute-force attacks surged 71% in 2022

Statistic 48

45% of RDP attacks target weak passwords

Statistic 49

Over 100 billion passwords leaked historically

Statistic 50

25% of breaches exploit default credentials

Statistic 51

Phishing for passwords succeeds in 1 out of 10 attempts

Statistic 52

193 million API keys and passwords exposed on GitHub in 2023

Statistic 53

Password reuse leads to 52% of breaches

Statistic 54

70% of hacked accounts use duplicate passwords

Statistic 55

1.4 billion credentials circulating on dark web in 2023

Statistic 56

MFA reduces unauthorized access by 99.9%

Statistic 57

Passwordless logins block 99% of automated attacks

Statistic 58

Password managers prevent 80% of reuse issues

Statistic 59

2FA stops 96% of account takeover attempts

Statistic 60

Hardware keys reduce phishing success by 100%

Statistic 61

Rate limiting cuts brute force by 99%

Statistic 62

Passkeys block credential stuffing entirely

Statistic 63

Biometrics reduce password attacks by 90%

Statistic 64

Zero-knowledge encryption in managers unbreakable

Statistic 65

Password auditing tools find 85% weak passwords

Statistic 66

CAPTCHA blocks 95% bot logins

Statistic 67

Account lockout after 5 fails stops 98% attacks

Statistic 68

Argon2 hashing increases crack time 1000x

Statistic 69

Monitoring dark web leaks prevents 70% breaches

Statistic 70

SSO reduces password surface by 50%

Statistic 71

Behavioral biometrics detects 99% anomalies

Statistic 72

PKI certs eliminate password needs

Statistic 73

Passwordless adoption grew 300% in 2023

Statistic 74

Training reduces phishing clicks by 40%

Statistic 75

WebAuthn standard resists phishing 100%

Statistic 76

Entropy checks block 75% weak entries

Statistic 77

Breach alerts change 60% of passwords proactively

Statistic 78

YubiKey reduces breaches by 99.9% in tests

Statistic 79

Adaptive auth blocks 92% risky logins

Statistic 80

No plain-text storage cuts leak impact 100%

Statistic 81

Peppering salts boosts security 50x

Statistic 82

Automated rotation cuts exposure 80%

Statistic 83

FIDO2 adoption halves support tickets

Statistic 84

Honeypot accounts trap 85% attackers

Statistic 85

Quantum-resistant hashing in dev 10x slower

Statistic 86

Average password cracked in 7 seconds with modern hardware

Statistic 87

83% of passwords can be cracked in under a day

Statistic 88

Top 10,000 passwords crack 98% of attempts offline

Statistic 89

51% of passwords contain personal info like names

Statistic 90

Only 8 characters long passwords crack in minutes

Statistic 91

Dictionary attacks succeed on 30% of hashed passwords

Statistic 92

91% of passwords fail basic NIST standards

Statistic 93

Rainbow tables crack NTLM hashes in seconds

Statistic 94

76% of users have passwords under 12 characters

Statistic 95

GPU cracking speed hits 100 billion hashes/sec for MD5

Statistic 96

24% of passwords use sequential keys like qwerty

Statistic 97

SHA-1 hashes crackable for 40% of passwords under 8 chars

Statistic 98

65% of passwords vulnerable to hybrid attacks

Statistic 99

Common passwords like 'password123' crack instantly

Statistic 100

42% of breached passwords were less than 8 characters

Statistic 101

bcrypt with low rounds cracks 20% faster on ASICs

Statistic 102

88% of passwords reuse top 1000 common ones

Statistic 103

Password entropy below 40 bits for 70% of users

Statistic 104

LLM-generated passwords crack 15% easier due to patterns

Statistic 105

55% of passwords include dates like birthdays

Statistic 106

Argon2 recommended as 50% slower to crack than scrypt

Statistic 107

96% of 4-digit PINs crackable in under 20 hours

Statistic 108

Keyboard patterns cover 10% of all passwords

Statistic 109

Weak salts allow 90% mass cracking

Statistic 110

67% of corporate passwords crackable offline

Statistic 111

Passphrases with 4 words average 44 bits entropy

Statistic 112

73% vulnerable to rule-based mutations

Statistic 113

MD5 collision attacks bypass 25% of hashes

Statistic 114

12-character passwords take 34 years to crack online

Statistic 115

82% of passwords fail zxcvbn strength test

Statistic 116

GPU farms crack 10^12 hashes/sec for SHA256

Statistic 117

68% of people reuse passwords across accounts

Statistic 118

59% of users share passwords with others

Statistic 119

Only 24% use password managers regularly

Statistic 120

52% of users write down passwords insecurely

Statistic 121

Average user has 100+ passwords to manage

Statistic 122

91% of users know password hygiene but ignore it

Statistic 123

73% reuse passwords from work to personal

Statistic 124

44% use pet names in passwords

Statistic 125

69% of millennials use social media info in passwords

Statistic 126

Only 35% change passwords after breach notification

Statistic 127

81% of consumers use same password everywhere

Statistic 128

57% admit to using 'password' or variations

Statistic 129

Average password age is 146 days before change

Statistic 130

62% of users pick passwords based on ease, not security

Statistic 131

48% share passwords with family members

Statistic 132

Only 12% enable 2FA everywhere possible

Statistic 133

77% of users have 5 or fewer unique passwords

Statistic 134

65% use birthdays in passwords

Statistic 135

39% never change default router passwords

Statistic 136

84% of remote workers reuse passwords insecurely

Statistic 137

70% of Gen Z use same password for streaming/social

Statistic 138

55% store passwords in browsers unencrypted

Statistic 139

67% ignore password expiration policies

Statistic 140

Average person forgets 3 passwords per month

Statistic 141

76% use names of loved ones in passphrases

Statistic 142

Only 28% test password strength before using

Statistic 143

61% of users pick sports teams for passwords

Statistic 144

49% use phone numbers in passwords

Statistic 145

82% don't use unique passwords for banking

Statistic 146

71% of parents share passwords with kids

Sources
Trusted by 500+ publications
Harvard Business ReviewThe GuardianFortune+497
While the daunting reality that 81% of hacking-related breaches leverage stolen or weak passwords might seem like just another statistic, this simple gateway remains the overwhelming favorite for cybercriminals who are launching billions of automated attacks every single month.

Key Takeaways

  • 81% of hacking-related breaches leveraged weak, default, or stolen passwords in 2023
  • In 2022, credential stuffing attacks accounted for 30% of all breaches
  • 74% of breaches in 2021 involved compromised credentials
  • Average password cracked in 7 seconds with modern hardware
  • 83% of passwords can be cracked in under a day
  • Top 10,000 passwords crack 98% of attempts offline
  • 3.2 billion credentials from 100+ breaches in 2022
  • LinkedIn breach exposed 700 million passwords in 2021
  • Yahoo's 2013 breach leaked 3 billion accounts
  • 68% of people reuse passwords across accounts
  • 59% of users share passwords with others
  • Only 24% use password managers regularly
  • MFA reduces unauthorized access by 99.9%
  • Passwordless logins block 99% of automated attacks
  • Password managers prevent 80% of reuse issues

Weak passwords cause most data breaches, posing a constant and major security risk.

Data Breaches Involving Passwords

  • 3.2 billion credentials from 100+ breaches in 2022
  • LinkedIn breach exposed 700 million passwords in 2021
  • Yahoo's 2013 breach leaked 3 billion accounts
  • RockYou 2009 dump: 32 million plaintext passwords
  • Marriott breach 2018: 500 million guest passwords
  • Adobe 2013: 153 million encrypted passwords cracked
  • Equifax 2017: 147 million credentials exposed
  • MySpace 2016: 360 million passwords leaked
  • Dropbox 2012: 68 million passwords in 2016 leak
  • Twitter 2009: 33 million passwords from 2022 leak
  • Sony 2011: 77 million PlayStation passwords
  • eBay 2014: 145 million user credentials
  • Capital One 2019: 100 million customer passwords
  • Zynga 2019: 218 million passwords from Words with Friends
  • Neopets 2020: 69 million passwords exposed
  • Canva 2022: 4 million passwords stolen
  • Twitter 2022: 5.4 million API keys and passwords
  • LastPass 2022: Encrypted password vaults stolen
  • MOVEit 2023: 60 million passwords from supply chain
  • MGM Resorts 2023: 10.6 billion passwords in infostealer dump
  • 23andMe 2023: 6.9 million passwords via credential stuffing
  • Optus 2022: 10 million Australian passwords
  • T-Mobile 2021: 54 million passwords leaked
  • Facebook 2019: 533 million passwords in plain text
  • Under Armour 2020: 150 million MyFitnessPal passwords
  • Ticketmaster 2023: 560 million passwords rumored

Data Breaches Involving Passwords Interpretation

We've apparently decided that the most convenient way to manage our billions of collective online passwords is to store them in a series of easily hackable public spreadsheets.

Incidence Rates

  • 81% of hacking-related breaches leveraged weak, default, or stolen passwords in 2023
  • In 2022, credential stuffing attacks accounted for 30% of all breaches
  • 74% of breaches in 2021 involved compromised credentials
  • Password attacks rose by 25% year-over-year in 2023 per Akamai
  • 1 in 3 data breaches start with a phishing attack targeting passwords in 2023
  • Brute force attacks increased 300% during COVID-19 lockdowns
  • 23 billion passwords exposed in breaches as of 2023
  • Over 500 million accounts hit by credential stuffing in 2022
  • Password spraying attacks up 550% in 2023
  • 40% of organizations faced password breach attempts daily in 2023
  • 68% of enterprises experienced at least one password-related breach in 2022
  • Global password attacks hit 15 billion per month in 2023
  • 29% of all breaches in 2023 were due to stolen credentials
  • Credential abuse was factor in 50% of initial access vectors
  • 3.9 billion login attempts blocked as malicious in Q1 2023
  • Password guessing accounts for 17% of web app attacks
  • 80 million unique passwords cracked in RockYou2021 dump
  • Daily average of 2,000 password attacks per organization
  • 61% rise in automated password attacks in 2023
  • 123456 remains top targeted password in 85% of attacks
  • Hybrid brute-force attacks surged 71% in 2022
  • 45% of RDP attacks target weak passwords
  • Over 100 billion passwords leaked historically
  • 25% of breaches exploit default credentials
  • Phishing for passwords succeeds in 1 out of 10 attempts
  • 193 million API keys and passwords exposed on GitHub in 2023
  • Password reuse leads to 52% of breaches
  • 70% of hacked accounts use duplicate passwords
  • 1.4 billion credentials circulating on dark web in 2023

Incidence Rates Interpretation

Despite the glaring and relentless evidence that passwords are humanity's favorite digital liability, we seem oddly committed to treating them like a dull knife in a gunfight.

Mitigation Strategies

  • MFA reduces unauthorized access by 99.9%
  • Passwordless logins block 99% of automated attacks
  • Password managers prevent 80% of reuse issues
  • 2FA stops 96% of account takeover attempts
  • Hardware keys reduce phishing success by 100%
  • Rate limiting cuts brute force by 99%
  • Passkeys block credential stuffing entirely
  • Biometrics reduce password attacks by 90%
  • Zero-knowledge encryption in managers unbreakable
  • Password auditing tools find 85% weak passwords
  • CAPTCHA blocks 95% bot logins
  • Account lockout after 5 fails stops 98% attacks
  • Argon2 hashing increases crack time 1000x
  • Monitoring dark web leaks prevents 70% breaches
  • SSO reduces password surface by 50%
  • Behavioral biometrics detects 99% anomalies
  • PKI certs eliminate password needs
  • Passwordless adoption grew 300% in 2023
  • Training reduces phishing clicks by 40%
  • WebAuthn standard resists phishing 100%
  • Entropy checks block 75% weak entries
  • Breach alerts change 60% of passwords proactively
  • YubiKey reduces breaches by 99.9% in tests
  • Adaptive auth blocks 92% risky logins
  • No plain-text storage cuts leak impact 100%
  • Peppering salts boosts security 50x
  • Automated rotation cuts exposure 80%
  • FIDO2 adoption halves support tickets
  • Honeypot accounts trap 85% attackers
  • Quantum-resistant hashing in dev 10x slower

Mitigation Strategies Interpretation

While the modern password still stubbornly exists, the statistics prove we've brilliantly built an entire digital moat around it, filled with biometric alligators, cryptographic sharks, and the occasional YubiKey-guided laser.

Password Vulnerabilities

  • Average password cracked in 7 seconds with modern hardware
  • 83% of passwords can be cracked in under a day
  • Top 10,000 passwords crack 98% of attempts offline
  • 51% of passwords contain personal info like names
  • Only 8 characters long passwords crack in minutes
  • Dictionary attacks succeed on 30% of hashed passwords
  • 91% of passwords fail basic NIST standards
  • Rainbow tables crack NTLM hashes in seconds
  • 76% of users have passwords under 12 characters
  • GPU cracking speed hits 100 billion hashes/sec for MD5
  • 24% of passwords use sequential keys like qwerty
  • SHA-1 hashes crackable for 40% of passwords under 8 chars
  • 65% of passwords vulnerable to hybrid attacks
  • Common passwords like 'password123' crack instantly
  • 42% of breached passwords were less than 8 characters
  • bcrypt with low rounds cracks 20% faster on ASICs
  • 88% of passwords reuse top 1000 common ones
  • Password entropy below 40 bits for 70% of users
  • LLM-generated passwords crack 15% easier due to patterns
  • 55% of passwords include dates like birthdays
  • Argon2 recommended as 50% slower to crack than scrypt
  • 96% of 4-digit PINs crackable in under 20 hours
  • Keyboard patterns cover 10% of all passwords
  • Weak salts allow 90% mass cracking
  • 67% of corporate passwords crackable offline
  • Passphrases with 4 words average 44 bits entropy
  • 73% vulnerable to rule-based mutations
  • MD5 collision attacks bypass 25% of hashes
  • 12-character passwords take 34 years to crack online
  • 82% of passwords fail zxcvbn strength test
  • GPU farms crack 10^12 hashes/sec for SHA256

Password Vulnerabilities Interpretation

The brutal truth hidden in these statistics is that we are all essentially leaving our digital doors unlocked with passwords so predictable they might as well be written on a post-it note stuck to the front of our houses.

User Habits

  • 68% of people reuse passwords across accounts
  • 59% of users share passwords with others
  • Only 24% use password managers regularly
  • 52% of users write down passwords insecurely
  • Average user has 100+ passwords to manage
  • 91% of users know password hygiene but ignore it
  • 73% reuse passwords from work to personal
  • 44% use pet names in passwords
  • 69% of millennials use social media info in passwords
  • Only 35% change passwords after breach notification
  • 81% of consumers use same password everywhere
  • 57% admit to using 'password' or variations
  • Average password age is 146 days before change
  • 62% of users pick passwords based on ease, not security
  • 48% share passwords with family members
  • Only 12% enable 2FA everywhere possible
  • 77% of users have 5 or fewer unique passwords
  • 65% use birthdays in passwords
  • 39% never change default router passwords
  • 84% of remote workers reuse passwords insecurely
  • 70% of Gen Z use same password for streaming/social
  • 55% store passwords in browsers unencrypted
  • 67% ignore password expiration policies
  • Average person forgets 3 passwords per month
  • 76% use names of loved ones in passphrases
  • Only 28% test password strength before using
  • 61% of users pick sports teams for passwords
  • 49% use phone numbers in passwords
  • 82% don't use unique passwords for banking
  • 71% of parents share passwords with kids

User Habits Interpretation

It's frankly staggering that we've become a society both drowning in a sea of passwords and yet so determined to use the same leaky bucket to bail ourselves out, as if digital security were a charming quirk rather than a critical lifeline.

Sources & References

Logos provided by Logo.dev