Password Security
We've curated 29 cybersecurity statistics about Password Security to help you understand how evolving threats, advanced authentication methods, and best practices are shaping the way we protect our digital identities in 2025.
Showing 1-20 of 29 results
31% of users in monitored SMB environments are exposed to compromised passwords each month.
66% of Australians reuse passwords across multiple online accounts.
The password '2025' appears 4.1 million times in exposed credentials.
Passwords containing 'sweet', 'cookie', 'candy', 'cake', or 'pie' appear 5.7 million times in exposed credentials.
Passwords containing 'chiefs' or 'kansas city chiefs' appear 5 million times in exposed credentials.
Passwords containing 'apple', 'banana', 'orange', 'strawberry', or 'fruit' appear 2.6 million times in exposed credentials.
The password '67' or 'sixseven' appears 140.4 million times in exposed credentials.
53% of Americans use strong passwords.
44% of New Yorkers use unique passwords for all of their accounts, while 56% reported reusing passwords across multiple accounts.
58% of the world's top 1,000 most visited websites do not require special characters for their passwords.
Only 1%, or five websites, among the top 1,000 most visited websites met all best-practice password criteria.
42% of the world's top 1,000 most visited websites do not enforce any minimum password length requirements.
The most commonly used keyboard walk pattern was “Qwerty,” which appeared over 1 million times in a list of compromised passwords.
Keyboard walks such as ‘qwerty’ are weak passwords used by millions of end users.
After analysing 1.8 million breached administrator credentials, 40,000 admin portal accounts were found to be using ‘admin’ as a password.
Requiring an Active Directory password length of at least 13 characters would significantly reduce the risk of cloud application password reuse.
83% of compromised passwords satisfied the length and complexity requirements of regulatory password standards.
88% of organisations still use passwords as their primary method of authentication.
Only 12% of organisations have moved away from using passwords as their primary method of authentication.
Over 31 million of the breached passwords were over 16 characters in length.