• Home
  • Statistics
  • 21 Must-Know Weak Password Statistics for Utmost Security

21 Must-Know Weak Password Statistics for Utmost Security

Updated: March 30,2022

Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission.

How many times have you come across that message while opening an account on a website or in an app? It can be monumentally frustrating, and when you’re asked to come up with a stronger password one too many times, you start to question what the point of it all is. The thing is, passwords really are important. Without this kind of protection, our digital valuables would essentially be sitting ducks. That fact, of course, doesn’t take away the annoying nature of password prompts.

However, the weak password statistics we’ve gathered here will show you just how vital passwords can be and why you should go through the trouble of employing strong security. For a more proactive approach, you can also check out our reviews on top-notch password managers like 1Password or Dashlalne to keep the baddies away.

Editor’s Pick: Weak Password Statistics
75% of Americans find maintaining and keeping track of their passwords frustrating.
43% of Americans have once shared their passwords with someone.
An estimated 81% of data breaches are due to poor password security.
49% of employees only add a digit or change a character when updating passwords.
52% of data breaches resulted from malicious attacks, with each breach costing $3.86 million.

Weak Password Stats

1. 75% of Americans are frustrated by trying to maintain and keep track of their passwords.

(The Harris Poll)

You’d think creating and keeping track of passwords is a no-brainer. Still, three-fourths of Americans find it troublesome and ‘frustrating.’ Therefore, most create passwords using personal information that’s easy to guess. As Google and The Harris Poll’s survey reports, 24% of Americans have used common passwords, such as ‘abc123,’ ‘Password,’ and ‘123456.’

2. An estimated 81% of data breaches are due to poor password security.


According to Verizon’s 2021 Data Breach Investigations Report, poor password security contributes to 81% of all data breaches. This emphasizes the role people have in cybersecurity - 85% of breaches involve the human element, these weak password stats show.

3. 49% of employees only add a digit or change a character when prompted to update their passwords.

(Security Boulevard, The Harris Poll)

The 2019 Google and The Harris Poll’s findings depict that at least 52% of people reuse passwords across numerous, though not all, accounts. This makes for very fragile online security.

Considering most businesses require password updates about every 90 days, the amount of password reuse is staggering yet unsurprising. During password updates, nearly half of employees usually just add a number or a character to their current passwords. This is a troubling weak password statistic.

4. 62% of organizations admit that they don’t take the necessary steps in properly securing mobile data.


The mobile data scene is an entirely different ballpark from regular desktop and pc management. As the Ponemon Institute and Yubico’s 2020 report shows, 62% of organizations admit they don’t implement the needed measures for securing mobile devices. Just 31% of IT professionals confirm that their organizations use password managers to keep their passwords safe. 

5. 43% of Americans have shared their passwords with someone.

(The Harris Poll)

Some may say humans are selfish creatures, but when it comes to sharing passwords, that seems false. Fun fact: while 57% of password-sharers have shared their passwords with partners, only 11% changed passwords after breakups.

Data Breaches Statistics

6. Malicious attacks caused 52% of examined data breaches in 2020.


Not only more than half of the analyzed breaches occurred due to malicious attacks, but each one cost dearly as well. According to the Ponemon Institute and IBM’s 2020 survey, data breaches in 2020 cost companies $3.86 million on average.

7. Over 10.6 million of MGM Resorts’ hotel guests had their personal information posted on a hacking forum.


When you take a much-needed vacation at a resort, the last thing on your mind is becoming a victim of a data breach. Unfortunately, this was the reality of over 10.6 million MGM Resorts’ guests in February 2020. 

This is one of many incidents that make weak password statistics even more worrisome. Several months later, ZDNet reported that the damage was even greater - nearly 142.5 million personal details of the hotel’s guests were found on the dark web.

8. Over 280 million Microsoft customer records were left unprotected on the web in 2020.

(IdentityForce, Security Discovery)

In January 2020, Microsoft’s customer support database containing over 280 million customer records was left unprotected on the World Wide Web. The database disclosed IP addresses, email addresses, and support case details. That same month, Security Discovery found that Estee Lauder, a makeup company, exposed 440 million customer records.

Although both companies state no personal user information was compromised, it begs the question of how protected data we give really is.

9. According to password security statistics, over 500,000 credentials of Zoom teleconferencing accounts might have been sold on the dark web in 2020.

(BleepingComputer, Cyble)

Cyble, a cyber threat intelligence company, reported an alleged leak of over half a million Zoom credentials on the dark web last year. Some of them, containing email addresses, passwords, personal meeting URLs, and host keys, were sold for as little as $0.002 each.

10. Data breach costs increased by $137,000 in the US due to remote work during COVID-19.


About  76% of survey participants predicted that due to the pandemic, remote work would make responding to a potential data breach more time-consuming. They were right - data breach costs in the US increased by $137,000.

Most Commonly Used Password Statistics

You’d think your perfectly crafted password is the only one of its kind, a work of pure genius. Before you get too confident, though, you should check out the list of the most common passwords.

11. The most common name to use in a password is Eva, with 7,169,177 instances.


Maybe there are a lot of Evas in the world, or it's a very memorable name. In any event, Eva is the most used name for passwords in 2021. ‘Alex’ comes second, with 7,117,656 instances.


The NBA's Phoenix Suns are the most used team name on the common password list. Password statistics also show that the second most used team in passwords in 2021 is the Miami Heat (909,558 instances), making basketball the most popular sport, at least when it comes to passwords. With Liverpool as the fifth most used sports team (631,076 cases), soccer also found its place, behind MLB’s Cincinnati Reds and NBA’s Orlando Magic.

With just three instances, Wolverhampton Wanderers is the least popular team name to use in passwords.

13. The most commonly used curse word in a password is ‘ass,’ with 26,832,002 instances.


Curse words are also a common occurrence in a lot of passwords - 152,933,335 of them, to be precise. The most common one is ‘ass’ (26,832,002 uses).

14. As password reuse statistics show, approximately 76% of millennials recycled their passwords in 2020.


According to Security.org’s 2020 study on which generations are more likely to put themselves and their security online at risk showed that 76 percent of millennials recycled their passwords. Millennials are also the generation that is most likely to rely on their own memory instead of a password manager to store their credentials. When it comes to baby boomers, a little bit over half of the surveyed ones, 56 percent, recycle their passwords.

Hacking Statistics

15. 27% of Americans admit to having tried to guess someone’s password at least once.

(The Harris Poll)

Everyone has probably attempted to gain access to something online by trying to guess someone else’s password. Well, of the 27% of Americans that have, 17% guessed the password correctly.

16. It takes 62 trillion times longer to crack a complex 12-character password than a 6-character one composed of lowercase letters.

(Scientific American)

The greater the ‘space of possibilities’ - uppercase and lowercase letters, numbers, and symbols - the harder it is to crack a password. If you used all the options in a 12-character password, a computer would have to devote two million years to examining each of the passwords in the 12-character space, hacker statistics state.

17. There is a hacker attack every 39 seconds.

(Security Magazine)

That’s about the same time it takes to upload a selfie on Instagram. The examined computers were attacked 2,244 times a day on average. 

18. 66% of businesses that hackers attacked weren’t confident they could recover from it.


They always say that when you get knocked down, you should get back up. Sometimes, that’s easier said than done. 75% of 2,400 security and IT professionals admitted in 2016 that their organizations did not have a formal cybersecurity incident response plan in place. About two-thirds of participants didn’t think their companies could recover from a hacker attack.

Data Breach Statistics by Industry


Verizon’s 2021 Data Breach Investigations Report examined 29,207 security incidents. The research, which covered various industries, found that more than one-fifth of these incidents were confirmed data breaches.

20. Healthcare had the highest data breach cost in 2020 - $7.13 million.


Dissecting industry trends, the industry average cost of a data breach reached $7.13 million in 2020 in the healthcare department. The energy sector followed with $6.4 million, and the financial industry came in third, with $5.9 million.

21. Hospitals spend 64% more annually on advertising over the two years following a breach.

(American Journal of Managed Care)

According to cyber hacking statistics, the aftermath of an attack can be very taxing on industries and organizations in various ways. As a 2019 American Journal of Managed Care report shows, The financial toll can be especially grave for hospitals, as they have to spend about 64% more funds annually on advertising expenses in the two years that follow an attack or breach. Affected hospitals spend about $688,000 yearly on marketing, while those that haven’t been breached spend approximately $238,000.

Final Thoughts on Weak Password Statistics

As annoying and troublesome as having different passwords for every account can be, using one password across the board is an even bigger problem. Seeing as how there is a lot that can be lost to a cyber breach, it is better to be safe than sorry. As mentioned earlier, you can always use a password manager to help you maintain password safety.


How are passwords hacked?

To hack a password, an attacker usually downloads a dictionary attack tool first. With this piece of code, they will attempt to log in using a list of passwords.

Is it safe to use the same password for everything?

That’s risky because if that one password is compromised, according to internet security statistics, then all your online profiles or accounts are at risk.

Why are passwords weak?

Some people maintain that passwords are the most flawed form of protection. This is because passwords rely on what is considered the weakest link in the computer and network security chain - the human user.

What percent of people forget their passwords?

According to a Digital Information World study, about 78% of people forget their passwords and then have to reset them to regain access to their accounts.

How common are password breaches?

81% of hacking incidents involve passwords being compromised, implying that password breaches happen a lot.

What is a weak password?

Judging from weak password statistics, a weak password is one with any of the following characteristics:

  • Contains fewer than eight characters.
  • Is a word found in a dictionary (English or foreign).
  • Includes names of family members, pets, friends, fantasy characters, etc.
  • Is made from computer terms and names, site or company names, commands.
  • Contains birthdays and other personal information such as addresses and phone numbers.
  • Consists of word or number patterns like aaabbb, zyxwvuts, qwerty, 123321, etc.
  • Contains any of the above spelled backward.
  • Is made from any of the above preceded or followed by a digit (secret1 > 1secret).
  • Leave your comment

    Your email address will not be published.


    With a degree in humanities and a knack for the history of tech, Jovan was always interested in how technology shapes both us as human beings and our social landscapes. When he isn't binging on news and trying to predict the latest tech fads, you may find him trapped within the covers of a generic 80s cyberpunk thriller.

    Selected 1 items
    Clear All