Password Statistics 2026: Reuse, Breaches & MFA Adoption


Microsoft now blocks more than 7,000 password attacks every second — a twelvefold increase since 2021. Stolen and reused passwords remain the cheapest way into a corporate network, which is why credentials sit at or near the top of every major breach report. This page compiles 60 password statistics from Verizon, Microsoft, IBM, Google, NordPass, the FIDO Alliance, and other primary sources, covering attack volume, reuse habits, the weakest passwords in circulation, password manager and MFA adoption, passkeys, and what credential breaches cost.
Table of Contents
Password Attack Volume
Credential attacks are automated, cheap, and constant. The volume numbers below explain why stolen passwords dominate the initial-access column in breach investigations — a pattern that also runs through our data breach statistics and the broader cybersecurity statistics for 2026.
- Microsoft blocks more than 7,000 password attacks per second, according to the Microsoft Digital Defense Report 2024.
- That rate has grown from 579 attacks per second in 2021 to roughly 4,000 in 2023 and over 7,000 in 2024 — a twelvefold increase in three years (Microsoft Digital Defense Reports, 2021–2024).
- Stolen credentials were the initial access vector in about 22% of breaches, the single most common entry point tracked in the Verizon 2025 Data Breach Investigations Report.
- In Verizon's 2020 DBIR, over 80% of hacking-related breaches involved brute force or the use of lost or stolen credentials — a share that has stayed stubbornly high in web application attacks ever since.
- More than 24 billion username-and-password combinations were circulating on cybercriminal marketplaces as of 2022 — roughly four sets of credentials for every person on earth (Digital Shadows).
- The RockYou2024 compilation, posted to a hacking forum in July 2024, contained nearly 10 billion unique plaintext passwords in a single file (Cybernews).
- 41% of successful logins across websites protected by Cloudflare involve compromised passwords, based on Cloudflare traffic analysis published in 2024.
- Credential stuffing accounted for 34% of all authentication traffic observed across Okta's platform — meaning a third of login attempts were attacks, not users (Okta State of Secure Identity Report, 2022).
- Abuse of valid account credentials was the entry point in 30% of all incidents IBM X-Force responded to, tied with phishing as the top initial access vector (IBM X-Force Threat Intelligence Index 2024).
Password Reuse Habits
Reuse converts one breached account into many. When a password stolen from a low-value forum also opens a corporate mailbox, attackers get enterprise access for the price of a database dump — which is exactly how many of the campaigns in our phishing statistics end up as full account takeovers.
- 65% of people reuse passwords across multiple accounts, according to a Google/Harris Poll survey of 3,000 US adults.
- 13% reuse the same password for every account they own (Google/Harris Poll).
- 62% of respondents say they almost always or mostly use the same password or a close variation of it (LastPass Psychology of Passwords, 2022).
- SpyCloud's 2024 Identity Exposure Report found a 74% password reuse rate among users exposed in two or more breaches — recaptured breach data shows people rarely change habits even after being compromised.
- The average person now manages 168 personal passwords plus 87 work passwords, up from roughly 100 total in 2020 (NordPass, 2024).
- 24% of Americans have used a password from the most-common list — strings like password, 123456, or Qwerty (Google/Harris Poll).
- 59% of US adults have built a password around a name or birthday — data points that are trivially discoverable on social media (Google/Harris Poll).
- The average employee reuses each password 13 times across work accounts (LastPass Global Password Security Report, 2019).
The Weakest Passwords
NordPass analyzes a multi-terabyte corpus of breached credentials each year with independent researchers. The 2024 edition, covering 44 countries, shows the same strings topping the list for the sixth consecutive year — and nearly all of them fall to cracking tools instantly.
| Rank | Password | Time to Crack | Source |
|---|---|---|---|
| 1 | 123456 | Under 1 second | NordPass 2024 |
| 2 | 123456789 | Under 1 second | NordPass 2024 |
| 3 | 12345678 | Under 1 second | NordPass 2024 |
| 4 | password | Under 1 second | NordPass 2024 |
| 5 | qwerty123 | Under 1 second | NordPass 2024 |
| 6 | qwerty1 | Under 1 second | NordPass 2024 |
| 7 | 111111 | Under 1 second | NordPass 2024 |
| 8 | 12345 | Under 1 second | NordPass 2024 |
| 9 | secret | Under 1 second | NordPass 2024 |
| 10 | 123123 | Under 1 second | NordPass 2024 |
- The string 123456 ranked as the world's most common password for the sixth year running, appearing more than 3 million times in the research dataset and crackable in under one second (NordPass Top 200 Most Common Passwords, 2024).
- 78% of the world's 200 most common passwords can be cracked in less than one second (NordPass, 2024).
- The password 123456 appears tens of millions of times in Have I Been Pwned's Pwned Passwords corpus of real-world breach data — the single most repeated credential ever leaked.
- Keyboard-walk passwords remain a fixture: qwerty123 and qwerty1 rank fifth and sixth globally (NordPass, 2024).
- The word secret entered the global top 10 in 2024, cracked as instantly as the numeric strings around it (NordPass).
- Corporate credentials are barely stronger than personal ones: NordPass found the most common work passwords are nearly identical to the consumer list, with 123456 and password dominating both.
- The pattern holds worldwide — NordPass studied breach data across 44 countries, and simple numeric sequences topped the list in the large majority of them.
Password Manager Adoption
Password managers eliminate reuse by generating a unique credential per site. Adoption is rising, but most adults still rely on memory, browsers, or paper.
- Only about 36% of American adults use a password manager (security.org annual password manager survey, 2024).
- Pew Research Center puts adoption at 32% of US adults as of 2023 — up from just 12% in its 2016 cybersecurity survey, a near-tripling in seven years.
- People who do not use a password manager are three times more likely to experience identity theft than those who do (security.org).
- That leaves roughly 64% of US adults managing logins through memory, browser autofill, notebooks, or spreadsheets (security.org, 2024).
- Inside companies, 59% of organizations rely on human memory as a primary method for managing passwords, and 42% still use sticky notes (Ponemon Institute and Yubico, State of Password and Authentication Security Behaviors).
MFA Adoption & Effectiveness
Multi-factor authentication is the single highest-leverage control against credential attacks — the data on effectiveness is unambiguous. Adoption, however, lags badly, especially outside the enterprise. Because most credential phishing arrives by email, MFA numbers pair naturally with our email security statistics.
- Enabling MFA reduces the risk of account compromise by 99.22% across all accounts, and by 98.56% even when the attacker already holds leaked credentials (Microsoft study of Entra ID sign-in data, 2023).
- Microsoft's earlier and widely cited figure holds up: accounts with MFA are 99.9% less likely to be compromised (Microsoft, 2019).
- More than 99.9% of compromised Microsoft accounts did not have MFA enabled at the time of compromise (Microsoft identity security team).
- MFA usage among Microsoft Entra ID enterprise accounts reached about 41% in 2024, up from roughly 22% in early 2022 (Microsoft).
- 79% of consumers reported using two-factor authentication on at least one account in 2021, up from 53% in 2019 and 28% in 2017 (Duo Labs State of the Auth).
- SMS remains the most common second factor even though it is the weakest: about 85% of 2FA users have received codes by text message (Duo Labs, 2021).
- Google research with NYU and UCSD found that on-device prompts blocked 100% of automated bots, 99% of bulk phishing attacks, and 90% of targeted attacks; even SMS codes stopped 96% of bulk phishing.
- Before its rebrand, Twitter disclosed that only 2.3% of active accounts had any form of 2FA enabled — and nearly 80% of those relied on SMS (Twitter Account Security Report, 2021).
- Attackers are adapting: adversary-in-the-middle phishing, which steals session tokens to bypass MFA, rose 146% year over year (Microsoft Digital Defense Report 2024).
Passkeys & the Passwordless Shift
Passkeys replace the shared secret entirely with device-bound cryptographic keys, making phishing and credential stuffing structurally impossible. Platform support arrived fast; user adoption is now compounding.
- More than 15 billion online accounts can now sign in with passkeys, according to the FIDO Alliance (2024).
- Over 800 million Google accounts have set up passkeys, which have been used for more than 2.5 billion sign-ins (Google, 2024).
- Google's data shows passkey sign-ins take roughly half the time of password sign-ins and succeed more often on the first attempt.
- Amazon reported 175 million customers had enabled passkeys within a year of launch (Amazon, 2024).
- Consumer awareness of passkeys climbed to 57% in 2024, up from 39% in 2022 (FIDO Alliance Online Authentication Barometer).
- The FIDO Alliance reports passkey adoption is roughly doubling year over year as banks, retailers, and platforms move it from an option to a default (2024).
- Microsoft counted more than 200 million users signing in to its consumer accounts each month without a password as early as late 2021, before passkey standards matured (Microsoft).
Enterprise Credential Policy
Enterprise credential sprawl is a math problem: hundreds of apps multiplied by thousands of employees produces a password estate no policy document can control by itself. Note that not every credential incident starts outside the firewall — our insider threat statistics cover the misuse that originates within. Many mid-sized firms close this gap by handing identity hygiene, patching, and helpdesk to managed IT services providers rather than staffing it internally.
| Metric | Value | Source |
|---|---|---|
| Passwords tracked per business employee | 191 | LastPass |
| Employees reusing passwords across work and personal | 51% | Ponemon/Yubico |
| Weekly time lost per employee to password entry/resets | 12.6 minutes | Ponemon/Yubico |
| Help desk tickets that are password resets | 20–50% | Gartner |
| Labor cost per password reset | ~$70 | Forrester |
- The average business employee keeps track of 191 passwords (LastPass enterprise research).
- 51% of employees reuse the same passwords across business and personal accounts (Ponemon Institute and Yubico).
- Employees lose an average of 12.6 minutes per week entering or resetting passwords, which Ponemon values at $5.2 million a year in lost productivity for the average large company.
- Password resets consume 20% to 50% of all help desk calls (Gartner), at a labor cost Forrester estimates at about $70 per reset.
- Attacks using valid credentials as the entry point rose 71% year over year in IBM X-Force incident data (X-Force Threat Intelligence Index 2024).
- Microsoft Entra ID data shows more than 600 million identity attacks per day, and over 99% of them are password-based (Microsoft Digital Defense Report 2024).
- The attack surface keeps widening: the average organization now deploys more than 90 discrete applications, each a separate credential store unless federated (Okta Businesses at Work).
The Cost of Credential Breaches
Credential breaches are quiet. An attacker logging in with a valid password looks like a user, which is why these incidents take the longest of any breach type to find. Continuous monitoring is the countermeasure — for MSPs and mid-market firms without a 24/7 team, that is the case for white label SOC services that watch identity telemetry around the clock. The financial figures below sit alongside the fuller picture in our data breach statistics.
| Metric | Value | Source |
|---|---|---|
| Time to identify and contain stolen-credential breaches | 292 days | IBM 2024 |
| Global average cost of a data breach | $4.88 million | IBM 2024 |
| Breaches starting with stolen credentials | 15% | IBM 2023 |
| US account takeover fraud losses (2023) | ~$13 billion | Javelin |
| Ransom paid after one compromised VPN password | $4.4 million | Colonial Pipeline, 2021 |
- Breaches that begin with stolen or compromised credentials take an average of 292 days to identify and contain — the longest lifecycle of any initial attack vector (IBM Cost of a Data Breach Report 2024).
- The global average cost of a data breach reached $4.88 million in 2024, the highest total on record at the time (IBM).
- Stolen or compromised credentials were the initial vector in 15% of breaches, among the most common and most expensive entry points at $4.62 million per incident (IBM Cost of a Data Breach Report 2023).
- Account takeover fraud cost US consumers and institutions roughly $13 billion in 2023 (Javelin Strategy & Research Identity Fraud Study).
- The Colonial Pipeline shutdown — which halted fuel supply across the US East Coast — began with a single compromised VPN password on an account without MFA, and ended with a $4.4 million ransom payment (2021).
- Credential stuffing alone costs businesses an average of $6 million per year in application downtime, lost customers, and IT overhead (Akamai/Ponemon, Cost of Credential Stuffing).
- The 23andMe breach exposed data tied to 6.9 million users, and the company attributed the intrusion to credential stuffing against accounts reusing passwords from earlier leaks (2023).
- The 2024 Snowflake customer campaign compromised data at roughly 165 organizations — Mandiant found the common thread was stolen credentials on accounts with no MFA enforced.
Sources
These statistics are compiled from the following research publications and primary sources:
- Microsoft Digital Defense Report (2021–2024)
- Microsoft, How Effective Is Multifactor Authentication at Deterring Cyberattacks? (2023)
- Verizon Data Breach Investigations Report (2020, 2025)
- IBM Cost of a Data Breach Report (2023, 2024)
- IBM X-Force Threat Intelligence Index 2024
- Google/Harris Poll Online Security Survey
- Google, NYU & UCSD account-hijacking prevention research
- NordPass Top 200 Most Common Passwords (2024)
- Digital Shadows, Account Takeover in 2022
- security.org Password Manager Annual Report (2024)
- Pew Research Center surveys on password habits (2016, 2023)
- Duo Labs State of the Auth (2017–2021)
- LastPass Psychology of Passwords (2022) and Global Password Security Report (2019)
- Ponemon Institute & Yubico, State of Password and Authentication Security Behaviors
- SpyCloud Identity Exposure Report 2024
- Okta State of Secure Identity Report (2022) and Businesses at Work
- Cloudflare password-security traffic analysis (2024)
- FIDO Alliance Online Authentication Barometer (2022–2024)
- Amazon and Google passkey adoption announcements (2024)
- Twitter Account Security Transparency Report (2021)
- Javelin Strategy & Research Identity Fraud Study
- Akamai/Ponemon, The Cost of Credential Stuffing
- Mandiant analysis of the 2024 Snowflake customer campaign
- Cybernews RockYou2024 analysis; Have I Been Pwned Pwned Passwords
Statistics are updated as new data becomes available. Last updated: July 2026.
Protect your organization with expert healthcare IT support designed for HIPAA compliance.
Secure Healthcare IT ManagementTopics

Sreenivasa Reddy G
Founder & CEO • 15+ years
Sreenivasa Reddy is the Founder and CEO of Medha Cloud, recognized as "Startup of the Year 2024" by The CEO Magazine. With over 15 years of experience in cloud infrastructure and IT services, he leads the company's vision to deliver enterprise-grade cloud solutions to businesses worldwide.
More in Cybersecurity
View all
Insider Threat Statistics 2026: Cost, Frequency & Detection
16 min read

Cloud Security Statistics 2026: Breaches, Spending & Trends
18 min read

Small Business Cybersecurity Statistics 2026: Attacks, Costs & Readiness
19 min read

Data Breach Statistics 2026: Costs, Causes & Records Exposed
18 min read

42 Cyber Insurance Statistics for 2026 — Premiums & Claims Data
16 min read

52 Email Security Statistics for 2026 — BEC, Spam & Phishing
19 min read