GITNUXREPORT 2026

Password Security Statistics

Weak and reused passwords are causing billions of accounts to be breached.

Min-ji Park

Min-ji Park

Research Analyst focused on sustainability and consumer trends.

First published: Feb 13, 2026

Our Commitment to Accuracy

Rigorous fact-checking · Reputable sources · Regular updatesLearn more

Key Statistics

Statistic 1

"123456" was the most common password in the 2023 NordPass report, used by millions across leaks

Statistic 2

"123456789" ranked second in commonality, appearing in over 7.7 million leaked passwords per NordPass 2023

Statistic 3

"guest" is the 11th most common password, found in 1.2 million instances in breaches

Statistic 4

"qwerty" appears in 7.8 million leaked passwords according to Have I Been Pwned

Statistic 5

"password" is used by 3.8 million accounts in pwned databases

Statistic 6

"12345" ranks third, cracked in seconds and common in 95% of leaks

Statistic 7

"admin" is prevalent in IoT devices, found in 2.1 million breaches

Statistic 8

"letmein" appears 376,805 times in RockYou leak

Statistic 9

"welcome" is among top 25, used in 150,000+ instances

Statistic 10

"monkey" ranks high due to keyboard patterns, in 1 million leaks

Statistic 11

"dragon" is a popular fantasy-themed weak password in 500k+ cases

Statistic 12

"iloveyou" sentimental password in 300k breaches

Statistic 13

"baseball" sports-themed, top 20 in US leaks

Statistic 14

"football" another sports entry, 200k occurrences

Statistic 15

"sunshine" nature word, common in 180k passwords

Statistic 16

"trustno1" from X-Files, ironically weak in 150k cases

Statistic 17

"ninja" gaming term, top 50 globally

Statistic 18

"abc123" sequential, in 1.5 million leaks

Statistic 19

"princess" gender-themed, popular among females

Statistic 20

"flower" simple word, 120k instances

Statistic 21

"superman" superhero, top in US

Statistic 22

"batman" another hero, 90k uses

Statistic 23

"master" authority word, common admin pass

Statistic 24

"hello" basic greeting, in 80k breaches

Statistic 25

"freedom" patriotic, US top 100

Statistic 26

"shadow" dark theme, 70k occurrences

Statistic 27

"michael" common name, pet-like password

Statistic 28

2FA blocks 99.9% of automated attacks but only 30% adoption, Google 2023

Statistic 29

MFA reduces breach risk by 99% per Microsoft 2023 study on Azure AD

Statistic 30

2023 Okta report: 37% of attacks bypassed legacy MFA like SMS

Statistic 31

Passkeys (FIDO2) prevent 100% phishing per Google 2023 trials with 1B+ accounts

Statistic 32

Only 11% of global consumers use MFA despite 70% availability, per Google 2023

Statistic 33

Enterprise MFA adoption: 52% in 2023, up from 40% in 2021, Yubico survey

Statistic 34

SMS MFA vulnerable to SIM swap, used in 15% of ATO fraud per FTC 2023

Statistic 35

Hardware keys stop 99.99% account takeovers, per Duo Security 2022

Statistic 36

Biometrics fail 1 in 50,000 but phishing resistant unlike passwords, NIST 2023

Statistic 37

Passwordless (Windows Hello) cuts helpdesk calls 90%, Microsoft 2023

Statistic 38

76% of breaches exploitable without MFA, Verizon DBIR 2023

Statistic 39

TOTP apps phishable in 10% cases vs 0% for hardware, Google 2023

Statistic 40

Passkey adoption: 7% of Chrome users by mid-2024

Statistic 41

MFA fatigue attacks succeed in 50% of targeted execs, Proofpoint 2023

Statistic 42

FIDO2 websauthn supported by 90% browsers, reduces password use 40%

Statistic 43

Biometric + PIN hybrids secure 95% faster login, Apple 2023 stats

Statistic 44

65% prefer passwordless after trial, per 1Password 2023 survey

Statistic 45

Zero-knowledge password managers encrypt 99.99% client-side, LastPass 2023

Statistic 46

SSH keys used in 80% secure dev environments vs passwords, GitHub 2023

Statistic 47

Certificate-based auth cuts credential theft 85%, Forrester 2023

Statistic 48

Risk-based MFA challenges only 2% logins, improves UX 70%, Okta 2023

Statistic 49

Hardware token reuse risk low, <0.01% compromise rate, Yubico 2024

Statistic 50

Password managers with MFA autofill prevent 95% stuffing, Bitwarden 2023

Statistic 51

In 2023, over 10 billion passwords were exposed in data breaches worldwide according to cybersecurity reports

Statistic 52

The 2023 Verizon Data Breach Investigations Report (DBIR) found that 81% of breaches involved weak, default, or stolen credentials

Statistic 53

RockYou2021 leak contained 8.4 billion unique passwords, the largest compilation ever

Statistic 54

In 2022, 24 billion passwords were leaked across various breaches tracked by Cybernews

Statistic 55

Have I Been Pwned database now includes over 12 billion accounts from 861 breached sites as of 2024

Statistic 56

The 2013 Yahoo breach exposed 3 billion accounts, including hashed passwords

Statistic 57

LinkedIn 2021 scrape leak affected 700 million users' passwords and data

Statistic 58

MySpace 360 million password dump from 2008 breach surfaced in 2016

Statistic 59

Adobe 2013 breach leaked 153 million usernames and encrypted passwords

Statistic 60

Equifax 2017 breach impacted 147 million people, including some credential data

Statistic 61

23andMe data breach in 2023 exposed 6.9 million users' ancestry and health data linked to credentials

Statistic 62

Twitter (X) 2022 breach leaked 200 million email-password pairs

Statistic 63

Dropbox 2012 breach affected 68 million accounts with passwords dumped in 2016

Statistic 64

Zynga 2019 breach exposed 173 million poker game users' credentials

Statistic 65

Under Armour MyFitnessPal 2018 breach impacted 150 million users' emails and hashed passwords

Statistic 66

Marriott 2018-2020 breaches exposed 500 million guest records including passport and payment data

Statistic 67

Capital One 2019 breach affected 106 million customers' data including login credentials

Statistic 68

eBay 2014 breach compromised 145 million user credentials

Statistic 69

Home Depot 2014 breach stole 56 million payment cards and 53 million emails

Statistic 70

Sony Pictures 2014 hack leaked employee credentials and executive data

Statistic 71

Target 2013 breach exposed 40 million cards and 70 million customer credentials

Statistic 72

Anthem 2015 breach hit 78.8 million records including health and login data

Statistic 73

AdultFriendFinder 2016 breach leaked 412 million accounts' details

Statistic 74

Ashley Madison 2015 hack exposed 37 million users' sensitive data

Statistic 75

Canva 2019 breach affected 139 million users with email-password combos

Statistic 76

Neopets 2020 breach dumped 69 million users' passwords from 2006

Statistic 77

Parler 2021 scrape leaked 70 million user posts and credentials

Statistic 78

Trello 2019 leak exposed 15 million workspace credentials via third-party

Statistic 79

NetEase 2015 breach leaked 235 million email-password pairs

Statistic 80

59% of users reuse the exact same password across multiple accounts per 2023 Google survey

Statistic 81

Keeper Security 2023 report: 69% of people reuse passwords on work and personal accounts

Statistic 82

NordPass 2023: 82% of users have reused passwords, leading to credential stuffing attacks

Statistic 83

2022 LastPass breach showed 30% of users reused passwords across services

Statistic 84

Specops 2023 study: 40% of enterprises have employees reusing passwords banned by policy

Statistic 85

Google 2020: 65% of users have reused passwords, 13% use same everywhere

Statistic 86

TeamPassword 2023: 91% of users acknowledge reusing passwords despite risks

Statistic 87

52% of people use same password for email and banking per Dashlane 2022

Statistic 88

Cybersecurity Ventures: 81% credential breaches due to reuse in stuffing attacks

Statistic 89

2023 Bitwarden survey: 70% of respondents reuse at least 2-3 passwords

Statistic 90

Proofpoint 2022: 66% reuse passwords across personal and work

Statistic 91

1Password 2023: 60% admit to password reuse after breaches

Statistic 92

Harris Poll for Aura 2023: 47% use same password for multiple financial sites

Statistic 93

73% of users reuse passwords on social media and email, per Kaspersky 2022

Statistic 94

Enterprise average: 50% password reuse rate in AD environments, Specops 2023

Statistic 95

88% of breaches involve reused credentials per SpyCloud 2022

Statistic 96

55% of millennials reuse passwords frequently, JumpCloud 2023

Statistic 97

62% of Gen Z reuse due to convenience, per NordPass 2023 youth survey

Statistic 98

Corporate reuse: 45% use same password for VPN and email, Ponemon 2022

Statistic 99

76% of hacked accounts had reused passwords from prior breaches, HIBP 2023

Statistic 100

Average user has 100+ passwords but reuses top 5 across sites, per Dashlane 2023

Statistic 101

67% reuse after password manager recommendation ignored, LastPass 2023

Statistic 102

NIST estimates 80% of breaches from weak/reused passwords

Statistic 103

71% of users share reused passwords with family, Aura 2023

Statistic 104

A 12-character password with uppercase, lowercase, numbers, symbols takes 34 years to crack with modern GPU

Statistic 105

8-character lowercase-only password cracks in 2.5 hours on single GPU per Hive Systems 2023

Statistic 106

Passwords under 8 characters represent 20% of all leaked but crack 100% faster

Statistic 107

Average password length in breaches is 9.2 characters, per Specops 2023 analysis

Statistic 108

Only 15% of passwords use all character types (upper, lower, num, sym), NordPass 2023

Statistic 109

Dictionary words alone crack in under 1 second with 14 trillion wordlists like RockYou2021

Statistic 110

95% of passwords crackable within 24 hours if under 10 chars without complexity

Statistic 111

Entropy of 12-char random password: 71 bits, resistant to brute force till 2030

Statistic 112

43% of passwords contain only lowercase letters, crack time <1 minute

Statistic 113

Uppercase inclusion boosts strength by 37x, but only 58% use it

Statistic 114

Numbers in 72% but sequential like 123 in 40%, reducing strength 90%

Statistic 115

Symbols used in just 28% of passwords, increasing crack time 50x when included

Statistic 116

Keyboard patterns (qwerty, 123) in 13% of passwords, crack <10 seconds

Statistic 117

Personal info (names, DOB) in 22%, guessed easily via social engineering

Statistic 118

Passphrases of 4 random words (20 chars) have 40+ bits entropy, better than complex 8-char

Statistic 119

67% of enterprise passwords fail NIST 800-63B strength checks

Statistic 120

GPU cluster cracks 100 billion hashes/sec for MD5, weak hashes on 80% old breaches

Statistic 121

Average crack time for top 1 million common passwords: instant

Statistic 122

Leet speak (p@ssw0rd) only delays crack by 2-5x, still weak

Statistic 123

8-char complex password cracks in 7 hours on RTX 4090, per Hive 2024 update

Statistic 124

Passwords with repeats (aaa123) 50% weaker per entropy calc

Statistic 125

25% of passwords are 6 chars or less, 100% crackable offline

Statistic 126

Diceware 6-word passphrase: 77 bits, secure for 100+ years

Statistic 127

Only 5% of users change passwords annually without breach force

Sources
Trusted by 500+ publications
Harvard Business ReviewThe GuardianFortune+497
Imagine your 123456 password has already been sold a thousand times in the 10 billion-strong password bazaar of the dark web—a shocking reality given that 81% of data breaches are fueled by weak, stolen, or reused credentials.

Key Takeaways

  • In 2023, over 10 billion passwords were exposed in data breaches worldwide according to cybersecurity reports
  • The 2023 Verizon Data Breach Investigations Report (DBIR) found that 81% of breaches involved weak, default, or stolen credentials
  • RockYou2021 leak contained 8.4 billion unique passwords, the largest compilation ever
  • "123456" was the most common password in the 2023 NordPass report, used by millions across leaks
  • "123456789" ranked second in commonality, appearing in over 7.7 million leaked passwords per NordPass 2023
  • "guest" is the 11th most common password, found in 1.2 million instances in breaches
  • 59% of users reuse the exact same password across multiple accounts per 2023 Google survey
  • Keeper Security 2023 report: 69% of people reuse passwords on work and personal accounts
  • NordPass 2023: 82% of users have reused passwords, leading to credential stuffing attacks
  • A 12-character password with uppercase, lowercase, numbers, symbols takes 34 years to crack with modern GPU
  • 8-character lowercase-only password cracks in 2.5 hours on single GPU per Hive Systems 2023
  • Passwords under 8 characters represent 20% of all leaked but crack 100% faster
  • 2FA blocks 99.9% of automated attacks but only 30% adoption, Google 2023
  • MFA reduces breach risk by 99% per Microsoft 2023 study on Azure AD
  • 2023 Okta report: 37% of attacks bypassed legacy MFA like SMS

Weak and reused passwords are causing billions of accounts to be breached.

Common Weak Passwords

  • "123456" was the most common password in the 2023 NordPass report, used by millions across leaks
  • "123456789" ranked second in commonality, appearing in over 7.7 million leaked passwords per NordPass 2023
  • "guest" is the 11th most common password, found in 1.2 million instances in breaches
  • "qwerty" appears in 7.8 million leaked passwords according to Have I Been Pwned
  • "password" is used by 3.8 million accounts in pwned databases
  • "12345" ranks third, cracked in seconds and common in 95% of leaks
  • "admin" is prevalent in IoT devices, found in 2.1 million breaches
  • "letmein" appears 376,805 times in RockYou leak
  • "welcome" is among top 25, used in 150,000+ instances
  • "monkey" ranks high due to keyboard patterns, in 1 million leaks
  • "dragon" is a popular fantasy-themed weak password in 500k+ cases
  • "iloveyou" sentimental password in 300k breaches
  • "baseball" sports-themed, top 20 in US leaks
  • "football" another sports entry, 200k occurrences
  • "sunshine" nature word, common in 180k passwords
  • "trustno1" from X-Files, ironically weak in 150k cases
  • "ninja" gaming term, top 50 globally
  • "abc123" sequential, in 1.5 million leaks
  • "princess" gender-themed, popular among females
  • "flower" simple word, 120k instances
  • "superman" superhero, top in US
  • "batman" another hero, 90k uses
  • "master" authority word, common admin pass
  • "hello" basic greeting, in 80k breaches
  • "freedom" patriotic, US top 100
  • "shadow" dark theme, 70k occurrences
  • "michael" common name, pet-like password

Common Weak Passwords Interpretation

Despite humanity’s endless creativity, our favorite passwords remain a tragically predictable parade of keyboard strolls, pop culture nods, and wishful thinking, leaving our digital doors wide open.

Multi-Factor Authentication and Alternatives

  • 2FA blocks 99.9% of automated attacks but only 30% adoption, Google 2023
  • MFA reduces breach risk by 99% per Microsoft 2023 study on Azure AD
  • 2023 Okta report: 37% of attacks bypassed legacy MFA like SMS
  • Passkeys (FIDO2) prevent 100% phishing per Google 2023 trials with 1B+ accounts
  • Only 11% of global consumers use MFA despite 70% availability, per Google 2023
  • Enterprise MFA adoption: 52% in 2023, up from 40% in 2021, Yubico survey
  • SMS MFA vulnerable to SIM swap, used in 15% of ATO fraud per FTC 2023
  • Hardware keys stop 99.99% account takeovers, per Duo Security 2022
  • Biometrics fail 1 in 50,000 but phishing resistant unlike passwords, NIST 2023
  • Passwordless (Windows Hello) cuts helpdesk calls 90%, Microsoft 2023
  • 76% of breaches exploitable without MFA, Verizon DBIR 2023
  • TOTP apps phishable in 10% cases vs 0% for hardware, Google 2023
  • Passkey adoption: 7% of Chrome users by mid-2024
  • MFA fatigue attacks succeed in 50% of targeted execs, Proofpoint 2023
  • FIDO2 websauthn supported by 90% browsers, reduces password use 40%
  • Biometric + PIN hybrids secure 95% faster login, Apple 2023 stats
  • 65% prefer passwordless after trial, per 1Password 2023 survey
  • Zero-knowledge password managers encrypt 99.99% client-side, LastPass 2023
  • SSH keys used in 80% secure dev environments vs passwords, GitHub 2023
  • Certificate-based auth cuts credential theft 85%, Forrester 2023
  • Risk-based MFA challenges only 2% logins, improves UX 70%, Okta 2023
  • Hardware token reuse risk low, <0.01% compromise rate, Yubico 2024
  • Password managers with MFA autofill prevent 95% stuffing, Bitwarden 2023

Multi-Factor Authentication and Alternatives Interpretation

Despite the cybersecurity world offering a suite of solutions from 2FA to passkeys that could drastically reduce breaches, we collectively treat them like an optional seatbelt, diligently installing them in only half our digital cars while most people still prefer to just hope the crash never happens.

Password Breaches and Leaks

  • In 2023, over 10 billion passwords were exposed in data breaches worldwide according to cybersecurity reports
  • The 2023 Verizon Data Breach Investigations Report (DBIR) found that 81% of breaches involved weak, default, or stolen credentials
  • RockYou2021 leak contained 8.4 billion unique passwords, the largest compilation ever
  • In 2022, 24 billion passwords were leaked across various breaches tracked by Cybernews
  • Have I Been Pwned database now includes over 12 billion accounts from 861 breached sites as of 2024
  • The 2013 Yahoo breach exposed 3 billion accounts, including hashed passwords
  • LinkedIn 2021 scrape leak affected 700 million users' passwords and data
  • MySpace 360 million password dump from 2008 breach surfaced in 2016
  • Adobe 2013 breach leaked 153 million usernames and encrypted passwords
  • Equifax 2017 breach impacted 147 million people, including some credential data
  • 23andMe data breach in 2023 exposed 6.9 million users' ancestry and health data linked to credentials
  • Twitter (X) 2022 breach leaked 200 million email-password pairs
  • Dropbox 2012 breach affected 68 million accounts with passwords dumped in 2016
  • Zynga 2019 breach exposed 173 million poker game users' credentials
  • Under Armour MyFitnessPal 2018 breach impacted 150 million users' emails and hashed passwords
  • Marriott 2018-2020 breaches exposed 500 million guest records including passport and payment data
  • Capital One 2019 breach affected 106 million customers' data including login credentials
  • eBay 2014 breach compromised 145 million user credentials
  • Home Depot 2014 breach stole 56 million payment cards and 53 million emails
  • Sony Pictures 2014 hack leaked employee credentials and executive data
  • Target 2013 breach exposed 40 million cards and 70 million customer credentials
  • Anthem 2015 breach hit 78.8 million records including health and login data
  • AdultFriendFinder 2016 breach leaked 412 million accounts' details
  • Ashley Madison 2015 hack exposed 37 million users' sensitive data
  • Canva 2019 breach affected 139 million users with email-password combos
  • Neopets 2020 breach dumped 69 million users' passwords from 2006
  • Parler 2021 scrape leaked 70 million user posts and credentials
  • Trello 2019 leak exposed 15 million workspace credentials via third-party
  • NetEase 2015 breach leaked 235 million email-password pairs

Password Breaches and Leaks Interpretation

Despite the staggering billions of passwords leaked and the fact that stolen credentials are the master key to most breaches, humanity's collective security strategy still seems to be hoping our personal "password123" is the one needle the hackers won't find in their ever-growing digital haystack.

Password Reuse Statistics

  • 59% of users reuse the exact same password across multiple accounts per 2023 Google survey
  • Keeper Security 2023 report: 69% of people reuse passwords on work and personal accounts
  • NordPass 2023: 82% of users have reused passwords, leading to credential stuffing attacks
  • 2022 LastPass breach showed 30% of users reused passwords across services
  • Specops 2023 study: 40% of enterprises have employees reusing passwords banned by policy
  • Google 2020: 65% of users have reused passwords, 13% use same everywhere
  • TeamPassword 2023: 91% of users acknowledge reusing passwords despite risks
  • 52% of people use same password for email and banking per Dashlane 2022
  • Cybersecurity Ventures: 81% credential breaches due to reuse in stuffing attacks
  • 2023 Bitwarden survey: 70% of respondents reuse at least 2-3 passwords
  • Proofpoint 2022: 66% reuse passwords across personal and work
  • 1Password 2023: 60% admit to password reuse after breaches
  • Harris Poll for Aura 2023: 47% use same password for multiple financial sites
  • 73% of users reuse passwords on social media and email, per Kaspersky 2022
  • Enterprise average: 50% password reuse rate in AD environments, Specops 2023
  • 88% of breaches involve reused credentials per SpyCloud 2022
  • 55% of millennials reuse passwords frequently, JumpCloud 2023
  • 62% of Gen Z reuse due to convenience, per NordPass 2023 youth survey
  • Corporate reuse: 45% use same password for VPN and email, Ponemon 2022
  • 76% of hacked accounts had reused passwords from prior breaches, HIBP 2023
  • Average user has 100+ passwords but reuses top 5 across sites, per Dashlane 2023
  • 67% reuse after password manager recommendation ignored, LastPass 2023
  • NIST estimates 80% of breaches from weak/reused passwords
  • 71% of users share reused passwords with family, Aura 2023

Password Reuse Statistics Interpretation

When the password "Fluffy123" becomes the master key to your entire digital life—from banking to social media—it’s no wonder that over half of all breaches involve reused credentials, turning a personal shortcut into a universal skeleton key for cybercriminals.

Password Strength Metrics

  • A 12-character password with uppercase, lowercase, numbers, symbols takes 34 years to crack with modern GPU
  • 8-character lowercase-only password cracks in 2.5 hours on single GPU per Hive Systems 2023
  • Passwords under 8 characters represent 20% of all leaked but crack 100% faster
  • Average password length in breaches is 9.2 characters, per Specops 2023 analysis
  • Only 15% of passwords use all character types (upper, lower, num, sym), NordPass 2023
  • Dictionary words alone crack in under 1 second with 14 trillion wordlists like RockYou2021
  • 95% of passwords crackable within 24 hours if under 10 chars without complexity
  • Entropy of 12-char random password: 71 bits, resistant to brute force till 2030
  • 43% of passwords contain only lowercase letters, crack time <1 minute
  • Uppercase inclusion boosts strength by 37x, but only 58% use it
  • Numbers in 72% but sequential like 123 in 40%, reducing strength 90%
  • Symbols used in just 28% of passwords, increasing crack time 50x when included
  • Keyboard patterns (qwerty, 123) in 13% of passwords, crack <10 seconds
  • Personal info (names, DOB) in 22%, guessed easily via social engineering
  • Passphrases of 4 random words (20 chars) have 40+ bits entropy, better than complex 8-char
  • 67% of enterprise passwords fail NIST 800-63B strength checks
  • GPU cluster cracks 100 billion hashes/sec for MD5, weak hashes on 80% old breaches
  • Average crack time for top 1 million common passwords: instant
  • Leet speak (p@ssw0rd) only delays crack by 2-5x, still weak
  • 8-char complex password cracks in 7 hours on RTX 4090, per Hive 2024 update
  • Passwords with repeats (aaa123) 50% weaker per entropy calc
  • 25% of passwords are 6 chars or less, 100% crackable offline
  • Diceware 6-word passphrase: 77 bits, secure for 100+ years
  • Only 5% of users change passwords annually without breach force

Password Strength Metrics Interpretation

While the statistics reveal a woefully predictable human tendency towards simplicity—choosing a laughably weak eight-letter password that cracks in the time it takes to watch a long movie over a robust twelve-character one that outlasts many mortgages—our collective security posture remains a masterclass in willful vulnerability.

Sources & References

Logos provided by Logo.dev