GITNUXREPORT 2026

Password Statistics

Weak passwords are a leading cause of data breaches and cyberattacks.

Min-ji Park

Min-ji Park

Research Analyst focused on sustainability and consumer trends.

First published: Feb 13, 2026

Our Commitment to Accuracy

Rigorous fact-checking · Reputable sources · Regular updatesLearn more

Key Statistics

Statistic 1

The password "123456" was used by 2.5% of all accounts in the 2023 SplashData report.

Statistic 2

Password "password" ranks #1 in breaches, appearing in 0.54% of leaked credentials.

Statistic 3

"qwerty" is the second most common password, used by over 1 million accounts yearly.

Statistic 4

"123456789" accounts for 0.41% of all pwned passwords.

Statistic 5

Password "admin" appears in 0.12% of breached databases.

Statistic 6

"Password1" is the 5th most common, used by 0.2% of accounts.

Statistic 7

"abc123" ranks #7, cracked instantly in rainbow tables.

Statistic 8

25% of passwords are "12345678" or variations.

Statistic 9

"iloveyou" used by 0.15% globally per annual reports.

Statistic 10

"monkey" ranks top 10 pet-named passwords.

Statistic 11

"football" top sports password, 0.08% usage.

Statistic 12

"welcome" common default, used in 0.1% breaches.

Statistic 13

"sunshine" weather-themed, top 20 common.

Statistic 14

"princess" top female-named password.

Statistic 15

In 2023, 81% of confirmed data breaches involved compromised credentials, primarily weak passwords.

Statistic 16

Over 15 billion passwords have been exposed in data breaches as of 2023.

Statistic 17

In 2022, 74% of breaches exploited weak passwords per IBM Cost of a Data Breach Report.

Statistic 18

Data breaches rose 20% in 2023, with passwords involved in 95% of initial access.

Statistic 19

Microsoft accounts saw 300 million password attacks daily in 2023.

Statistic 20

LinkedIn breach 2012 exposed 167 million unique passwords.

Statistic 21

Yahoo breach 2013-2016 leaked 3 billion passwords, many unsalted.

Statistic 22

Adobe breach 2013 exposed 153 million passwords, mostly MD5 hashed.

Statistic 23

RockYou.txt leak contains 32 million unique plaintext passwords.

Statistic 24

47% increase in password spraying attacks in 2023.

Statistic 25

MySpace 2016 breach dumped 360 million passwords.

Statistic 26

81% of hacking-related breaches use stolen or weak credentials.

Statistic 27

Dropbox 2012 breach affected 68 million accounts' passwords.

Statistic 28

Equifax 2017 breach indirectly led to password resets for millions.

Statistic 29

Twitter 2022 breach leaked 200 million emails and passwords.

Statistic 30

LinkedIn 2021 scrape exposed 700 million user passwords indirectly.

Statistic 31

Ashley Madison 2015 breach revealed 36 million passwords.

Statistic 32

67% of breaches start with phishing leading to password theft.

Statistic 33

3.9 billion passwords leaked cumulatively by 2023.

Statistic 34

Marriott 2018 breach hit 500 million guest passwords.

Statistic 35

Zynga 2019 breach exposed 218 million passwords.

Statistic 36

Capital One 2019 breach involved stolen AWS credentials passwords.

Statistic 37

Desarrollos 2021 leak: 61 million passwords.

Statistic 38

Facebook 2019 breach: 533 million passwords scraped.

Statistic 39

Collection #1-5 leaks: 22 billion password pairs.

Statistic 40

Canva 2023 breach: 4 billion lines, millions passwords.

Statistic 41

NetEase 2015: 235 million passwords leaked.

Statistic 42

Dubsmash 2020: 162 million passwords exposed.

Statistic 43

Wattpad 2020: 270 million accounts passwords.

Statistic 44

Average password length across internet users is 8.6 characters per a 2023 NordPass analysis.

Statistic 45

Only 15% of passwords meet minimum complexity requirements (upper, lower, number, symbol).

Statistic 46

Entropy of a 12-character random password is about 72 bits, sufficient for most uses.

Statistic 47

Top 25 passwords crack in under 1 second with modern GPU hashing.

Statistic 48

Average time to crack an 8-char password with numbers only: 2 hours on RTX 4090.

Statistic 49

73% of passwords contain at least one dictionary word.

Statistic 50

8-character passwords with mixed case crack in 1 day average.

Statistic 51

Passphrases of 4 random words provide 40+ bits entropy easily.

Statistic 52

Passwords with 14+ chars resist brute force for centuries.

Statistic 53

SHA-1 hashed passwords crack 2.5x faster than bcrypt.

Statistic 54

76% of accounts use passwords weaker than policy allows.

Statistic 55

Diceware method generates passwords crackable only after 10^18 guesses.

Statistic 56

11-char passwords with symbols take 34 years to crack offline.

Statistic 57

GPU clusters crack NTLM hashes at 100B/s speeds.

Statistic 58

Biometrics fail 1.2% vs passwords 0.5% false positives.

Statistic 59

15-char random password entropy: 90 bits, unbreakable.

Statistic 60

Leetspeak passwords crack 40% faster with rulesets.

Statistic 61

10-char lower+upper+digit: 1 week crack time.

Statistic 62

Argon2 hashing slows cracks by 1000x vs MD5.

Statistic 63

9-char passwords crack in seconds with wordlists.

Statistic 64

16-char passphrase: 10^30 guesses needed.

Statistic 65

Hybrid attacks guess 10^9 passwords/sec.

Statistic 66

12-char mixed: 550 years crack time est.

Statistic 67

NIST recommends passwords of at least 8 characters but ideally 12-16 for better entropy.

Statistic 68

42% of people use passwords longer than 12 characters post-2022 awareness campaigns.

Statistic 69

Only 26% of organizations enforce password managers.

Statistic 70

Multi-factor authentication reduces password breach risk by 99%.

Statistic 71

34% of enterprises still mandate password rotation quarterly.

Statistic 72

93% of users know password hygiene but only 40% practice it.

Statistic 73

MFA adoption jumped to 37% in SMBs by 2023.

Statistic 74

Passwordless login reduces risk by 99.9% per Microsoft.

Statistic 75

Zero-knowledge password managers adopted by 28% users.

Statistic 76

56% organizations ban password reuse now per NIST shift.

Statistic 77

Passkeys adopted in 10% of Apple logins by 2024.

Statistic 78

Biweekly password changes harm security per NIST.

Statistic 79

65% enterprises moved to 365-day expiry.

Statistic 80

23% of users still use their birth year as part of their password according to a 2022 Google study.

Statistic 81

52% of Americans reuse the same password across multiple sites per 2023 Keeper report.

Statistic 82

Users change passwords every 90 days on average in enterprises, but 60% reuse old ones.

Statistic 83

68% of users pick passwords based on names of pets or family members.

Statistic 84

91% of cybersecurity professionals worry about password reuse.

Statistic 85

59% of users admit sharing passwords with family or friends.

Statistic 86

Users check passwords 150 times per month on average via managers.

Statistic 87

62% of users never change default router passwords.

Statistic 88

Women use 7.4 avg length passwords, men 7.8 per 2022 study.

Statistic 89

55% of millennials use social media info in passwords.

Statistic 90

Boomers reuse passwords 2.1x more than Gen Z.

Statistic 91

49% of users write down passwords due to forgetting.

Statistic 92

Teens use emojis in 18% of passwords, weakening them.

Statistic 93

72% of employees share passwords with colleagues.

Statistic 94

41% use birthday in password, easy for social engineering.

Statistic 95

Average user has 100+ passwords to manage.

Statistic 96

63% forget password weekly, triggering resets.

Statistic 97

78% SMBs lack password policy enforcement.

Statistic 98

Gen Z uses 9.2 avg length, better than avg.

Statistic 99

29% use same password everywhere knowingly.

Statistic 100

51% store passwords in browsers unsafely.

Statistic 101

Elderly (65+) use weakest passwords, avg 7 chars.

Statistic 102

Remote workers reuse 3x more passwords.

Sources
Trusted by 500+ publications
Harvard Business ReviewThe GuardianFortune+497
If you're still using a weak password, you're not alone—and you're part of the reason weak passwords are the leading cause of data breaches, implicated in over 80% of security incidents last year.

Key Takeaways

  • In 2023, 81% of confirmed data breaches involved compromised credentials, primarily weak passwords.
  • Over 15 billion passwords have been exposed in data breaches as of 2023.
  • In 2022, 74% of breaches exploited weak passwords per IBM Cost of a Data Breach Report.
  • The password "123456" was used by 2.5% of all accounts in the 2023 SplashData report.
  • Password "password" ranks #1 in breaches, appearing in 0.54% of leaked credentials.
  • "qwerty" is the second most common password, used by over 1 million accounts yearly.
  • 23% of users still use their birth year as part of their password according to a 2022 Google study.
  • 52% of Americans reuse the same password across multiple sites per 2023 Keeper report.
  • Users change passwords every 90 days on average in enterprises, but 60% reuse old ones.
  • Average password length across internet users is 8.6 characters per a 2023 NordPass analysis.
  • Only 15% of passwords meet minimum complexity requirements (upper, lower, number, symbol).
  • Entropy of a 12-character random password is about 72 bits, sufficient for most uses.
  • NIST recommends passwords of at least 8 characters but ideally 12-16 for better entropy.
  • 42% of people use passwords longer than 12 characters post-2022 awareness campaigns.
  • Only 26% of organizations enforce password managers.

Weak passwords are a leading cause of data breaches and cyberattacks.

Common Passwords

  • The password "123456" was used by 2.5% of all accounts in the 2023 SplashData report.
  • Password "password" ranks #1 in breaches, appearing in 0.54% of leaked credentials.
  • "qwerty" is the second most common password, used by over 1 million accounts yearly.
  • "123456789" accounts for 0.41% of all pwned passwords.
  • Password "admin" appears in 0.12% of breached databases.
  • "Password1" is the 5th most common, used by 0.2% of accounts.
  • "abc123" ranks #7, cracked instantly in rainbow tables.
  • 25% of passwords are "12345678" or variations.
  • "iloveyou" used by 0.15% globally per annual reports.
  • "monkey" ranks top 10 pet-named passwords.
  • "football" top sports password, 0.08% usage.
  • "welcome" common default, used in 0.1% breaches.
  • "sunshine" weather-themed, top 20 common.
  • "princess" top female-named password.

Common Passwords Interpretation

Humanity's collective digital front door is secured by the intellectual might of a pet rock.

Password Breaches and Leaks

  • In 2023, 81% of confirmed data breaches involved compromised credentials, primarily weak passwords.
  • Over 15 billion passwords have been exposed in data breaches as of 2023.
  • In 2022, 74% of breaches exploited weak passwords per IBM Cost of a Data Breach Report.
  • Data breaches rose 20% in 2023, with passwords involved in 95% of initial access.
  • Microsoft accounts saw 300 million password attacks daily in 2023.
  • LinkedIn breach 2012 exposed 167 million unique passwords.
  • Yahoo breach 2013-2016 leaked 3 billion passwords, many unsalted.
  • Adobe breach 2013 exposed 153 million passwords, mostly MD5 hashed.
  • RockYou.txt leak contains 32 million unique plaintext passwords.
  • 47% increase in password spraying attacks in 2023.
  • MySpace 2016 breach dumped 360 million passwords.
  • 81% of hacking-related breaches use stolen or weak credentials.
  • Dropbox 2012 breach affected 68 million accounts' passwords.
  • Equifax 2017 breach indirectly led to password resets for millions.
  • Twitter 2022 breach leaked 200 million emails and passwords.
  • LinkedIn 2021 scrape exposed 700 million user passwords indirectly.
  • Ashley Madison 2015 breach revealed 36 million passwords.
  • 67% of breaches start with phishing leading to password theft.
  • 3.9 billion passwords leaked cumulatively by 2023.
  • Marriott 2018 breach hit 500 million guest passwords.
  • Zynga 2019 breach exposed 218 million passwords.
  • Capital One 2019 breach involved stolen AWS credentials passwords.
  • Desarrollos 2021 leak: 61 million passwords.
  • Facebook 2019 breach: 533 million passwords scraped.
  • Collection #1-5 leaks: 22 billion password pairs.
  • Canva 2023 breach: 4 billion lines, millions passwords.
  • NetEase 2015: 235 million passwords leaked.
  • Dubsmash 2020: 162 million passwords exposed.
  • Wattpad 2020: 270 million accounts passwords.

Password Breaches and Leaks Interpretation

The startling statistics reveal that our collective password hygiene is so disastrously lax, it's essentially a global open invitation for cybercriminals, who RSVP millions of times a day by using our own embarrassingly predictable or stolen credentials against us.

Password Strength

  • Average password length across internet users is 8.6 characters per a 2023 NordPass analysis.
  • Only 15% of passwords meet minimum complexity requirements (upper, lower, number, symbol).
  • Entropy of a 12-character random password is about 72 bits, sufficient for most uses.
  • Top 25 passwords crack in under 1 second with modern GPU hashing.
  • Average time to crack an 8-char password with numbers only: 2 hours on RTX 4090.
  • 73% of passwords contain at least one dictionary word.
  • 8-character passwords with mixed case crack in 1 day average.
  • Passphrases of 4 random words provide 40+ bits entropy easily.
  • Passwords with 14+ chars resist brute force for centuries.
  • SHA-1 hashed passwords crack 2.5x faster than bcrypt.
  • 76% of accounts use passwords weaker than policy allows.
  • Diceware method generates passwords crackable only after 10^18 guesses.
  • 11-char passwords with symbols take 34 years to crack offline.
  • GPU clusters crack NTLM hashes at 100B/s speeds.
  • Biometrics fail 1.2% vs passwords 0.5% false positives.
  • 15-char random password entropy: 90 bits, unbreakable.
  • Leetspeak passwords crack 40% faster with rulesets.
  • 10-char lower+upper+digit: 1 week crack time.
  • Argon2 hashing slows cracks by 1000x vs MD5.
  • 9-char passwords crack in seconds with wordlists.
  • 16-char passphrase: 10^30 guesses needed.
  • Hybrid attacks guess 10^9 passwords/sec.
  • 12-char mixed: 550 years crack time est.

Password Strength Interpretation

Here is a one-sentence interpretation: The collective password security of the internet is a fragile, mostly fictional concept built on the naïve hope that attackers won't bother using the very common tools and obvious shortcuts that can obliterate our pathetic 8-character passwords in seconds.

Security Recommendations

  • NIST recommends passwords of at least 8 characters but ideally 12-16 for better entropy.
  • 42% of people use passwords longer than 12 characters post-2022 awareness campaigns.
  • Only 26% of organizations enforce password managers.
  • Multi-factor authentication reduces password breach risk by 99%.
  • 34% of enterprises still mandate password rotation quarterly.
  • 93% of users know password hygiene but only 40% practice it.
  • MFA adoption jumped to 37% in SMBs by 2023.
  • Passwordless login reduces risk by 99.9% per Microsoft.
  • Zero-knowledge password managers adopted by 28% users.
  • 56% organizations ban password reuse now per NIST shift.
  • Passkeys adopted in 10% of Apple logins by 2024.
  • Biweekly password changes harm security per NIST.
  • 65% enterprises moved to 365-day expiry.

Security Recommendations Interpretation

Despite widespread knowledge that a strong password is like a good secret—best kept long and unchanged, then protected by a second lock and ideally forgotten entirely—our collective digital hygiene remains a tragicomedy where good intentions are routinely betrayed by laziness, outdated corporate rituals, and the stubborn hope that 'password123' is still a clever insider code.

User Habits

  • 23% of users still use their birth year as part of their password according to a 2022 Google study.
  • 52% of Americans reuse the same password across multiple sites per 2023 Keeper report.
  • Users change passwords every 90 days on average in enterprises, but 60% reuse old ones.
  • 68% of users pick passwords based on names of pets or family members.
  • 91% of cybersecurity professionals worry about password reuse.
  • 59% of users admit sharing passwords with family or friends.
  • Users check passwords 150 times per month on average via managers.
  • 62% of users never change default router passwords.
  • Women use 7.4 avg length passwords, men 7.8 per 2022 study.
  • 55% of millennials use social media info in passwords.
  • Boomers reuse passwords 2.1x more than Gen Z.
  • 49% of users write down passwords due to forgetting.
  • Teens use emojis in 18% of passwords, weakening them.
  • 72% of employees share passwords with colleagues.
  • 41% use birthday in password, easy for social engineering.
  • Average user has 100+ passwords to manage.
  • 63% forget password weekly, triggering resets.
  • 78% SMBs lack password policy enforcement.
  • Gen Z uses 9.2 avg length, better than avg.
  • 29% use same password everywhere knowingly.
  • 51% store passwords in browsers unsafely.
  • Elderly (65+) use weakest passwords, avg 7 chars.
  • Remote workers reuse 3x more passwords.

User Habits Interpretation

Despite living in an age where we can summon food with a phone and store our lives in the cloud, the human password strategy remains a tragically predictable and communal affair, as if we’re still protecting a treehouse with a secret word that is, invariably, someone’s birthday.

Sources & References

Logos provided by Logo.dev