You probably already know this without having to look at the latest weak password statistics.
It’s simple, a weak password increases the likelihood of your accounts being hacked.
If your account is hacked the hackers will be able to access your personal information.
Depending on which account has been hacked, they may even be able to access financial information.
Once they have this they can remove money from your accounts. They can steal your personal information and use it to steal your identity.
That can put you thousands of dollars in debt and destroy your credit score.
It can take months and even years to repair the damage.
Of course, if you’ve been hacked due to a weak password, there’s a good chance you have weak passwords on all your accounts and the hackers will try them all.
The weaker your password the easier it is for them to hack all your accounts.
You’re probably wondering if it’s worth it. After all, you’re just one person, cybercriminals go after big businesses. Unfortunately, you’d be wrong.
A hacker will hunt for weak passwords, access accounts, and then use the information found.
It doesn’t matter how big or small the account, it’s got useful information for a hacker
The better you understand the key weak password statistics, the easier you’ll find it to keep your accounts protected.
Key Statistics
- 81% of data breaches are the result of weak passwords or an inability to look after your password
- 30% of internet users suffer a data breach because they are using weak passwords
- 88% of password attacks use less than 12 characters
- 18.8% of passwords only have lowercase letters
- 75% of people find tracking passwords frustrating
- 49% of employees change or add one digit when changing a password
- 43% of Americans admit to sharing a password
- A quarter of Americans have used one of the most common passwords
- Only 34% of Americans change passwords regularly
- 36% of people record passwords on paper
- 40 million Microsoft users have reused passwords
- A 12 character password takes 62 trillion times longer to hack compared to a 6 character password
Top Weak Password Statistics in 2025
1. 81% Of Data Breaches Are The Result Of Weak Passwords Or An Inability To Look After Your Password
In 2021 the annual Verizon report found that 81% of the data breaches which had occurred within the year were a result of weak passwords.
The weak passwords made it easier for cybercriminals to access systems and take personal data.
It’s worth noting that as many as 85% of data breaches are categorized as a result of human error.
If 81% of breaches are down to weak passwords, eliminating the weak passwords would dramatically reduce the number of successful hacks.
(Verizon)
2. 30% Of Internet Users Suffer A Data Breach Because They Are Using Weak Passwords
The Goodfirms survey spoke predominantly to IT professionals.
That makes it particularly alarming that 30% of those surveyed had experienced a data breach due to using a weak password.
There are several ways to crack a weak password, hackers often use software and adjust the parameters according to what they know about a target.
Credential stuffing is also a popular option and is effective when dealing with weak passwords.
It’s worth noting, and perhaps more worrying, that 23% of those surveyed didn’t know if their accounts had been breached or not.
(Goodfirms)
3. 88% Of Password Attacks Use Less Than 12 Characters
Hackers will often attack over multiple ports, this increases their chance of success.
A recent Specops report analyzed the number of passwords collected in one week to find any standard attack approaches.
The researchers discovered, after analyzing 4.6 million passwords in one week, that 88% of all attacks on passwords were short.
Specifically, under 12 characters.
In fact, the most common character length was just eight characters. Twenty-four percent of passwords were found in this category.
The report didn’t specify how many of the attacks using short passwords were successful.
However, considering the previous statistics it’s likely several were.
(Specops)
4. 18.8% Of Passwords Only Have Lowercase Letters
Amazingly, despite most companies being able to set parameters for passwords, a significant proportion don’t.
This has made it possible for 18.8% of passwords to have lowercase letters only, nothing else.
Unfortunately, this isn’t a good thing.
Passwords with just lowercase letters are much easier to hack, making it quicker for cybercriminals to get into your private and work accounts, and then remove the data.
Passwords aren’t just weak, they are also the weakest link in any chain.
Avoiding this issue means using password managers to generate and store passwords.
This will ensure they are stronger.
Alongside this, it’s essential to make sure that all passwords should be at least 12 characters long and include mixed characters.
(Specops)
5. 75% Of People Find Tracking Passwords Frustrating
The average person now has around 100 passwords.
If you’re doing passwords properly then that means 100 unique passwords, all using upper and lowercase letters, numbers, and special characters.
The problem is, it’s hard to keep track of so many unique passwords.
It’s not surprising that the Harris Poll found 75% of American adults find it frustrating to manage all these passwords.
Put simply, even with an excellent memory it would be difficult to remember that many passwords.
Recording them on paper isn’t a great idea, it presents a significant security risk. That’s why it is so frustrating to record and track your passwords.
The only way to effectively do this is by using a password manager, such as NordPass.
(The Harris Poll)
6. 49% Of Employees Change Or Add One Digit When Changing A Password
Employers should insist that all passwords are changed periodically.
The timescale isn’t related to what data you hold, it simply makes it harder for cybercriminals to find their way into your system.
Ideally, employees should change their passwords once a month.
Unfortunately, the Harris Poll notes that most employers don’t set the password parameters properly.
Out of all the respondents, 49% admitted to just changing one character on an old password to create a new one.
On top of this, the poll discovered that 52% of people simply reuse passwords across multiple accounts.
In some cases it’s the same password as they use personally and leaves them very exposed.
(The Harris Poll)
7. 43% Of Americans Admit To Sharing A Password
The latest Harris Poll also looked at how many people have shared a password in the last year.
Unsurprisingly, most people in a committed relationship have shared their password or passwords with their partner.
Assuming you trust your partner this isn’t an issue.
However, if you and your partner split up it’s advisable to change your password, just in case.
Unfortunately, while 57% of the people that like to share passwords do so in good faith, only 11% change it after splitting up with their partner.
That means your password is accessible by your ex-partner and creates an easy way for them to access your accounts, even if you don’t want them to.
This is more likely to happen if it was a bad break-up.
(The Harris Poll)
8. A Quarter Of Americans Have Used One Of The Most Common Passwords
The 2022 NordPass survey highlighted how often common passwords are used.
Surprisingly, the statistics showed that a quarter of all Americans have used a common password at one point or another.
The most common passwords at present are
- Password
- 123456
- Qwerty
- Welcome
- 123456
- 111111
If you’re currently using one of these passwords you need to change it instantly?
Cybercriminals have specialized software which allows them to locate an account from the password.
That will give them access to your account, potentially multiple accounts if you use the same password on more than one account.
(NordPass)
9. Only 34% Of Americans Change Passwords Regularly
The annual Google survey discovered that just 34% of Americans change their passwords regularly.
That’s despite over 80% knowing that they should be changed regularly.
Combine this fact with the use of weak passwords and you create an array of opportunities for any cybercriminal.
You couldn’t make it easier for them unless you just told them your password.
Changing your password regularly makes it harder for a hacker to guess your password.
In effect, any password can be cracked, it’s simply having enough time to run all the possible combinations.
If you change your passwords every month, and you use strong passwords, the hackers won’t have the time they need to access your accounts.
(Google)
10. 36% Of People Record Passwords On Paper
The Google survey also illustrated that 36% of people still record passwords on paper and store the paper at home.
This seems fairly safe, until you experience a break-in and find your passwords have been taken.
At present, just 15% of people use a password manager like NordPass.
That figure needs to change until everyone is using a password manager.
It’s safer and will reduce the number of successful data breaches.
Remember, the password is always the weakest link. Making it strong and changing it regularly will help to keep your data away from cyber criminals.
(Google)
11. 44 Million Microsoft Users Have Reused Passwords
A Microsoft Security Intelligence Report completed in 2019 showed that 44 million Microsoft accounts were using passwords that had been previously involved in a data breach.
It is possible that users weren’t monitoring data breaches and weren’t aware the password had been leaked.
However, all this confirms is that users don’t change passwords.
Assuming the data breaches were known about then 44 million Microsoft user accounts have reused passwords and made themselves vulnerable to being hacked.
After all, the passwords are already leaked, a hacker simply has to compare the breached passwords to user accounts and then apply them to the right Microsoft account.
That’s surprisingly easy for a good hacker and illustrates why passwords should always be changed after a breach and never reused.
(Microsoft)
12. A 12 Character Password Takes 62 Trillion Times Longer To Hack Compared To A 6 Character Password
The longer the password is, the harder it is for a cybercriminal to find the right combination.
Of course, it’s more difficult again if you mix numbers with lower and uppercase letters and special characters.
Better still, use a password generator and it won’t even be a recognizable word.
Scientific American recently worked out the number of possible solutions for different password lengths.
For example, a six-character password using just lowercase letters on a standard alphabet will have 3*108 possible solutions.
In contrast, a 12-character password, (which uses upper and lowercase letters with numbers and symbols), will have 19*1024 possible combinations
In short, it will take a computer 62 trillion times longer to crack the 12-character password simply because there are so many possible combinations.
Of course, supercomputers can still do this relatively quickly, that’s why you should change your passwords monthly.
Hackers will never have enough time to break your password.
(Scientific American)
Summing Up
The weak password statistics could make you wary of using any password-protected account.
However, the truth is that these statistics remind users that strong passwords are the best way to protect all your accounts.
Generate passwords that are at least 12 characters long, use lower and uppercase letters with numbers and symbols, and make them unique for each account.
The easiest way to do this and avoid becoming a weak password statistic is to use a good password manager.
They will handle everything for you.