Password statistics for 2020 – ‘iloveyou’ and ‘sunshine’ are most common

Password statistics - Featured image

If you’ve ever used number passwords like “123456” or “123455678” to protect an online account, it wouldn’t be surprising if you’ve had a stolen password at some point.

In the age of IoT device proliferation, when your computer and your fridge are sharing data faster than you can imagine, it’s really a disgrace for the human race to still rely on passwords like “iloveyou.” Unfortunately, too many people still have poor password habits that make it super easy for hackers to access data that doesn’t belong to them. If you’d like to learn from other people’s mistakes, read on.

Key password statistics

  • 53% of people rely on their memory to manage passwords.
  • 51% of people use the same passwords for both work and personal accounts.
  • 57% of people who have already been scammed in phishing attacks still haven’t changed their passwords.
  • 71% of accounts are protected by passwords used on multiple websites.
  • 29% of internet users have more password-protected accounts than they can keep track of.
  • 90% of internet users are worried about getting their passwords hacked.
  • The password “123456” is still used by 23 million account holders.
  • 33% of account-compromise victims have stopped doing business with companies and websites that leaked their credentials.

Interesting facts and stats about passwords

1. The world’s first digital password for a computer system was created at MIT in 1961.

(Entrepreneur)

The whole conundrum with passwords – coming up with them, remembering them, updating them – began in the 1960s. The first computer password was generated at the Massachusetts Institute of Technology for an early computer system called Compatible Time-Sharing System (CTSS). Passcodes have been around as long as computing itself.


2. 2.2 billion unique emails and passwords were exposed in the “Collection 1-5” data breach in January 2019.

(The SSL store)

Data breach statistics warn of a growing number of cyberthreats. But credential theft – stealing usernames and passwords is the oldest trick in the book. This type of theft opens endless criminal possibilities for hackers, including opening fraudulent bank accounts, buying things online, or applying for loans. Cyber criminals can also compile credentials and trade them amongst themselves.


3. 66% of computer users think it is essential to protect work passwords, and 63% feel the same way about passwords used on personal devices.

(Ponemon Institute)

According to 2019 password statistics, seven out of 10 people know the consequences of bad passwords and password breaches both in personal and business environments. Even though the majority of computer users believe that password protection is important, 51% of respondents admit that managing their multiple passcodes is difficult.


4. 53% of people rely on their memory to manage passwords.

(Ponemon Institute)

Individuals who refrain from using the same password for all accounts are faced with the challenge of keeping track of them. The most commonly used password management method is relying on one’s memory. Needless to say, this method is flawed. Saving passwords in a browser (32%) or in spreadsheets (26%) are other common approaches. Respondents also admitted to manually jotting passwords down in a notebook or on a sticky note (26%). While better than simply forgetting, none of these methods are really safe.


5. 37% of internet users say they have to request a password change once a month on at least one website due to forgetfulness.

(Entrepreneur)

It is nearly impossible to memorize every password belonging to every account. Social media, online banking, learning websites, newsletters, games – the list goes on forever. Things get especially hard if we pay attention to password security and include capital letters, numbers, and signs. So it is completely understandable that nearly 40% of users reset at least one password per month.


6. 51% of people use the same password for work and personal accounts.

(First Contact)

Password reuse statistics by First Contact reveal that more than half of internet users don’t bother coming up with different passcodes for their personal and business accounts. Understandably, this makes it easier to remember them, but it’s making users more vulnerable. If a hacker cracks your code for a single website, they might be getting access to all of your accounts. Someone who knows your Facebook password can wreak havoc on your personal life. And if the same word or string of numbers unlocks your bank account, you’re putting yourself in financial peril.


7. 78% of Gen-Z users use the same password for several online accounts.

(The Harris Poll)

Personal password reuse is the most common among Generation Z. More than three-quarters of those aged 16 to 24 admit to using the same password across multiple websites. The Harris Poll, which surveyed 3,000 adults in the United States, found that Millennials are in this bad habit too – 67% of them rely on a single password for a number of accounts. It turns out that Baby Boomers are the most conscientious about their online security. Some 60% of people from this age group have a habit of password recycling.


8. 71% of Gen-Z respondents believe they wouldn’t fall for a phishing scam even though only 44% know what “phishing” means.

(The Harris Poll)

Phishing attacks lead to password theft. Fraudsters obtain their victims’ passwords by sending them spam emails that prompt them to log in to seemingly legitimate websites. When their target takes the bait and enters their credentials into a fake website, the cybercriminal uses them to engage in further illegal activity. Due to their overconfidence, Gen-Z users are more susceptible to these attacks. While only 44% of them understand what phishing is, 71% think they would be able to recognize it and avoid it.


9. 57% of people who have already been scammed in phishing attacks still haven’t changed their passwords.

(First Contact)

First Contact’s latest password statistics from 2019 reveal that the majority of internet users who fall prey to phishing attacks keep their passwords unchanged. This puts them at a huge risk of becoming victims of other cyberattacks, especially if they don’t have different passwords for other accounts. The best case scenario for victims is that they will lose some money. The worst case would be a stolen identity. The consequences of corporate phishing attacks are even more dire. Just one naive employee can open the door to the company network, exposing it to a data breach that would cause thousands of password breaches and leaks of other types of data.


10. Media and advertising employees manage more passwords than those in any other industry – 97 passwords per person on average.

(LastPass)

If you work in media or advertising, you can’t live without a password manager. It takes a computer processor to remember passwords for 97 accounts that media managers and advertisers use. They manage multiple clients so they need to memorize more than just their own social media passwords. They also use passwords for sites and apps for team communication, project management, and productivity tracking. Government employees also have a lot to memorize – about 54 different passwords for their work operations.


11. In the future, 57% of internet users would prefer a passwordless method of protecting their identity.

(Ponemon Institute)

Taking into account the number of forgotten and stolen passwords out there, this doesn’t come as a surprise. People have a hard time coming up with passwords that work. And when they create strong passcodes, they tend to forget them easily. If we came up with another way of proving our identity when entering websites and software products, six out of 10 users would gladly embrace the change.


12. 30% of mobile-device users never lock their gadgets because re-entering passwords annoys them.

(First Contact)

Some users of mobile phones and tablets are so sick and tired of entering passwords into devices and programs that they avoid it whenever possible. Nearly a third of people who own these gadgets set them up to be accessible without a password. They might view it as a convenience. However, cybercriminals see it as an opportunity.


Password Security Statistics

13. 71% of accounts are protected by passwords used on multiple websites.

(Lawless Research, TeleSign)

First the internet, then smartphones and apps, and now IoT devices have made multiple passcodes a necessity. Anyone would agree that they have too many passwords to remember. So when an average person registers for yet another website or app, they often reuse old passwords.


14. A single password is used to access five accounts on average.

(Ponemon Institute)

If you were wondering how often passcodes are reused, here’s your answer. Thankfully, the days of relying on a single password for all accounts are behind us. Yet, password use statistics published by Ponemon Institute show we still have a long way to go. Ideally, we should be using unique and complex passwords; a different one for each account.


15. 59% of Americans have included a name or date of birth in their passwords for online accounts.

(Google)

Incorporating a piece of information that can be found on your social media accounts is a common password-management mistake. Unfortunately, almost 60% of US adults have this bad habit. Out of those who do it, 33% use a pet’s name, 22% include their own name, 15% put down the name of their partner. Kids’ names are also in the mix, with 14% of US adults using them in their passwords. If you follow the same logic, you are making it super easy for social engineers to uncover your password.


16. 73% of respondents consider forgetting passwords the most frustrating aspect of account security.

(Lawless Research, TeleSign)

Even though the importance of passwords is absolutely clear, internet users are annoyed by the fact that they keep forgetting them. This is especially true for those who meet the complex password requirements. Other frustrating aspects of safeguarding accounts are answering security questions (35%), entering usernames and passwords (29%), entering a PIN on a phone (19%), and entering a one-time passcode (16%).


17. When in need of a unique password, three out of four people change only one letter to a character.

(Entrepreneur)

When typical passwords like “password” or “football” get rejected, 75% of people resort to a simple alteration. According to weak password statistics, changing “a” to “@” in “p@ssword” or “o” to “0” in “fo0tball” doesn’t make your password that much better. It barely enables you to pass the strength test.


18. Only 45% of US adults change their password of an online account following a data breach.

(Google)

A surprisingly large percentage of Americans takes no action to protect their online accounts after a breach. According to Google, almost half of US computer users ignore the news of a data breach at a company they have an account with. This is even more surprising since 40% of Americans have already had their personal information compromised online, and 38% say they lost time due to a data breach.


19. A quarter of Americans admit to having used one of the easy-to-crack passwords like “123456” and “qwerty.”

(Google)

Some other combinations that have been used by 24% of US adults include: “abc123,” “password,” “welcome,” “admin,” “Iloveyou,” and “11111.” These would definitely not make the unique password list. In a brute force attack – where a computer program tries to guess a password by entering every possible combination of letters and numbers until it cracks it – these number passwords come up very quickly. If a person had the same goal, they would also try these right away.


20. The password “123456” is still used by about 23 million account holders.

(First Contact)

Articles on hacking reported the danger of this password years ago, but it is still commonly used. Apparently, 23 million people “protect” their accounts with it. If you are one of them, we advise you to change your password immediately. Otherwise, it’s only a matter of time before you become just another number in password compromise statistics.


21. 90% of internet users are worried about getting their passwords hacked.

(Avast)

There’s a large discrepancy between users’ password protection behavior and their feelings and awareness. Most people know they should take better care of their online security. That’s why nine out of 10 internet users find themselves fearful of becoming password theft victims. Avast’s research shows that 46% would say they are “very worried” about somebody hacking their passwords, and 44% are “a little worried.” Very few people are not concerned – 8% are “not particularly worried,” while 2% are “not worried at all.”


22. It only takes 10 minutes to crack a lowercase password that is six characters long.

(Avast)

If you choose to ignore the recommendations for creating a strong password (a combination of lowercase and capital letters, at least one number, at least one sign), your password becomes so weak that it takes a computer only 10 minutes to figure it out. To avoid falling into this trap, you should follow these rules, keeping in mind that the longer the password, the harder it is to guess. That’s why a combination of four random words that make sense to you – with numbers, signs, and capital letters – make for a password you can remember and one that others can’t crack.


23. 51% of respondents have fallen prey to a phishing attack on a personal account, while 44% of respondents have been a victim of the same attack at work.

(Ponemon Institute)

Ponemon Institute’s survey of more than 1,700 IT practitioners suggests that people are more likely to fall for a phishing scam in their personal lives than in a business environment. Security-awareness training at work educates employees to not click on any suspicious-looking links when logged into a corporate email account. Corporate IT security measures also help by filtering out phishing emails, preventing them from landing in a work inbox. Our personal email accounts, on the other hand, are often checked in a hurry from our mobile phones when we’re on the go. Our lack of focus makes us fall for scams more easily.


24. 57% of people who have experienced a phishing attack have not changed their password management techniques.

(Ponemon Institute)

Password safety statistics confirm that old habits die hard, no matter how harmful they are. Even if people have suffered the consequences of their own careless behavior – entering their credentials into a bogus website and giving them away to cybercriminals – they continue to behave pretty much the same. They continue reusing passwords, writing them down on sticky notes or spreadsheets, and sharing them with co-workers.


25. 67% of IT security practitioners do not use any form of two-factor authentication in their personal lives and 55% of them do not use one at work.

(Ponemon Institute)

The fact that the average user’s password isn’t protected by two-factor authentication isn’t all that shocking. However, it’s surprising that people working in IT security – a sample of over 1,700 technicians, managers, directors, supervisors, and executives from IT departments in the US, UK, France, and Germany – would avoid this precautionary measure.


26. Gen-Z users follow the two-step authentication measure more than any other demographic group (76%).

(The Harris Poll)

Young internet users are more accustomed to the two-factor authentication process than their older counterparts. As many as three-quarters of Gen-Z users employ it. According to Harris Poll, 74% of Millenials use it, while 62% of Baby Boomers follow the two-step authentication security feature.


27. SMS codes (35%) and mobile authentication apps (30%) are the preferred types of two-factor authentication used in corporate environments.

(Ponemon Institute)

Recent password breaches have inspired business owners to take IT safety more seriously. Two-step authentication is an extra layer of security that can keep malicious actors at bay. According to two factor authentication statistics, text messages with a one-time code and mobile authentication apps fare the best with business users.


Personal Password Statistics

28. 10% of Californians still have access to a password that belongs to an ex-lover, former roommate or colleague.

(Google)

A password infographic shared by Google shows that Americans have a habit of sharing their credentials with people they are close to, like roommates, co-workers, and romantic partners. And they don’t tend to change users password after those relationships grow cold.  The infographic shows that one in 10 California residents still know the passwords of people they no longer maintain close relationships with.


29. 43% of US adults have shared their personal passwords with a partner or family member.

(Google)

Sharing a password with a loved one is something nearly half of Americans have done at some point. Google’s research shows that the most popular user credentials to get passed around are the ones used for entertainment, like TV or movie streaming websites. As many as 22% of US adults have given their Netflix or Hulu password to a partner or family member. In the second place of most-shared password we have email accounts (20%) followed by social media (17%) and shopping accounts (17%).


30. 29% of internet users have more password-protected accounts than they can keep track of.

(Digital Guardian)

When asked how many passwords they have, almost 30% of respondents said “too many to count.” About 14% of internet users have more than 25 password-protected accounts, and 28% of respondents have between 11 and 25. Another 30% of internet users said they have less than 10 accounts that require a password. Having too many passwords makes people reuse the same one over and over again, compromising their online security.


31. 31.3% of internet users change their passwords only once or twice a year.

(Digital Guardian)

A survey by Digital Guardian suggests that almost a third of internet users reset their passwords infrequently – mostly only when they forget them. This is good news for malicious actors who can exploit credentials for longer periods. Only 17% of respondents change their passwords every few months, while 22.4% change them more than five times a year. As the password resetting frequency goes up, the percentage of users who do it declines. When you change your passwords regularly and apply security recommendations, the risk of having your credentials abused is minimized.


32. When changing password management habits, 47% of people do so by selecting a stronger password, while 43% update passwords more frequently.

(Ponemon Institute)

The 2019 State of Password and Authentication Security Behaviors Report compiled by the Ponemon Institute shows that 43% of respondents have recently changed the way they manage passwords. The change, mostly brought on by data-breach news and hacking statistics, usually entails stronger passwords (47%) and more regular password updates (43%). This is a positive and long-awaited shift in user behavior.


Business Password Statistics

33. In the US corporate world, 41.4% of companies use up to 25 apps that require individual passwords.

(OneLogin)

Doing business today requires plenty of apps. Gone are the days when people relied on pen and paper to get things done. Now there’s an app for everything, and we couldn’t be happier about this. Except for one small detail – every app requires a password. Companies that use multiple apps need to invest in a password manager tool to ensure their data security. Without this tool, people store usernames and passwords in unsecure places (post-its, notebooks, spreadsheets), not to mention they reuse weak passwords. This leads to data breaches and financial damage some businesses never recover from.


34. 55% of consumers feel that businesses are responsible for providing account security and 72% would like additional security beyond passwords.

(Lawless Research, TeleSign)

More than half of the 1,300 surveyed US consumers say their companies are responsible for their online and mobile account security. Using a password like “12345” and holding someone else accountable for your information security is unrealistic. Luckily, 44% of respondents realize they are the ones who have the primary responsibility for keeping their information safe. And 1% of internet users think the US government should take care of this matter.


35. 33% of account-compromise victims have stopped doing business with companies and websites that have leaked their credentials.

(Lawless Research, TeleSign)

Companies that expose customer information have to suffer the consequences. And losing business is one of the biggest. According to TeleSign, a third of consumers whose usernames and passwords were impacted in a data breach stopped doing business with those companies and websites.


36. Only 15% of IT administrators enforce the use of two-factor authentication.

(LastPass)

LastPass’s most recent password statistics from 2019 indicate that 85% of security specialists do not require multi-factor authentication. This is discouraging since the survey included 47,000 companies from various locations across the globe. Safeguarding company data with more than just passwords is a great additional layer of protection. If more organizations implemented it, there would be fewer data compromises.


37. Only 18% of respondents say that using a password manager is required by their employer.

(Ponemon Institute)

When creating a password, users tend to use short words or strings of numbers, mostly omitting capital letters, numbers, and signs. However, a password manager identifies such passcodes as weak and it generates long, strong passwords that are hard to crack. It’s clear that this tool is beneficial to the IT security of a company and data safety of that company’s clients. What’s unclear is why so few organizations use a password management app.


38. 57% of employees find password management a nuisance that stops them from doing their jobs.

(First Contact)

According to First Contact, when password management in accordance with IT security regulations isn’t enforced by the employer, workers don’t even bother with it.

Instead, employees create common number passwords or easy passcodes to remember, endangering the company data and reputation. That’s why employers need to pick up the slack by training their staff on information security, and apply stricter password management requirements if they want to end the vicious data-breach cycle.


39. Employees report spending an average of 12.6 minutes per week entering and/or resetting passwords.

(Ponemon Institute)

Password management is pretty time consuming. Ponemon Institute’s survey found that it takes modern workers an average of almost 13 minutes a week to enter and/or reset passwords for the apps they use at work. Multiply that number with the number of working weeks in a year and you’ll realize that this effort takes employees 10.9 hours per year. Depending on the number of employees, the cost of lost productivity can really add up and surpass the cost of investing in a password manager.


40. 69% of employees share passwords with co-workers to access information.

(First Contact)

Password statistics published by First Contact in 2019 reveal that too many employees still have the bad habit of sharing their work passwords with their colleagues. The list of recent data breaches in 2019 explains why this is dangerous. This practice can lead employees to lose their job or cost their company money.


Frequently Asked Questions

What is a password?

A password is the most commonly used method of identity verification used for gaining access to digital and computing devices and services. It consists of letters, numbers, and signs, or a combination of all of these. Normally, it is combined with a specific username connected to the password. Synonyms for password are passcode, pass phrase, secret code, and PIN.

How secure is my password?

If your most complex password is “Iloveyou,” we can tell you right away it isn’t secure. But if it’s better than that and you’d still like to see how strong it is, you can use a password security checker to find out. We recommend LastPass.

How common is my password?

If you can find it on the SplashData’s list of most used passwords in 2018, it’s too common. The software company analyzed five million passwords that were breached last year and found that people use terrible passcodes. The top runners on the list of most common passwords are “iloveyou,” “qwerty,” “sunshine,” “1234567,” “111111,” “12345,” “12345678,” “123456789,” “password,” and “123456.”

How many passwords does the average person have?

According to McAfee’s password statistics from 2018 an average person has 23 online accounts that require a password.

What is password security?

The term password security refers to the measures computer users can take to prevent third-parties from obtaining their passcodes. To ensure password security, you should use unique passcodes for every account. This is especially important when it comes to accounts that contain your personally identifiable information (Social Security number or passport number). Secure passwords need to be long and versatile in terms of letters, numbers and signs. They mustn’t be written down on paper or saved on electronic devices. Using two-factor authentication and changing passwords regularly also contributes to their security.

How often should you change passwords?

If you hear of security breach examples in a company that you have an account with, you should go ahead and change your password right away. Otherwise, doing so a few times a year is adequate. You shouldn’t do it too often though if you don’t have a password manager because it will only make matters worse for you.

Which five words are among the most commonly used passwords?

According to DataSplash’s password statistics, the most commonly used words are “password,” “sunshine,” “princess,” “admin,” and “welcome.”

Sources