🔓 Password Attack Statistics 2026: 50 Data-Backed Facts
These password attack statistics are drawn from primary sources published in 2024, 2025 and 2026: the Verizon Data Breach Investigations Report, the Microsoft Digital Defense Report, the FBI Internet Crime Complaint Center (IC3), the LastPass Psychology of Passwords study, NordPass, Okta, the FIDO Alliance and NIST. Every figure is attributed inline so journalists, researchers and AI assistants can cite the original.
They answer four questions: how password attacks happen, how much they cost, why human habits keep the problem alive, and what is finally replacing the password. Where a number depends on methodology, the source and year are stated so you can verify it.
Key Statistics at a Glance
The Scale of Password Attacks
Attacks on passwords are automated and relentless. The figures below come from the Microsoft Digital Defense Report 2025, which aggregates signals from Microsoft's global cloud and identity platform.
- Microsoft observed an average of more than 7,000 password attacks per second in 2024 — roughly 600 million a day. (Microsoft Digital Defense Report, 2025)
- 97% of identity attacks are password-spray attacks, in which one common password is tried against many accounts. (Microsoft, 2025)
- Identity-based attacks surged 32% in the first half of 2025 compared with the prior period. (Microsoft, 2025)
- Phishing-resistant MFA blocks over 99% of identity-based attacks. (Microsoft, 2025)
- More than 99.9% of accounts that are compromised do not have MFA enabled. (Microsoft)
Breaches and Credential Theft
The 2025 Verizon Data Breach Investigations Report (DBIR) analysed more than 12,000 confirmed breaches. Credentials remain the number-one way in.
- Stolen credentials were the initial access vector in 22% of breaches — the single most common entry point. (Verizon DBIR, 2025)
- 88% of basic web-application attacks involved the use of stolen credentials. (Verizon DBIR, 2025)
- In analysed single-sign-on logs, credential stuffing accounted for a median 19% of all daily authentication attempts. (Verizon DBIR, 2025)
- Among devices infected by infostealer malware, only 49% of a user's saved passwords were distinct from one another (median) — direct evidence of mass reuse. (Verizon DBIR, 2025)
- Exploited vulnerabilities were the second most common entry point at 20% of breaches, just behind credentials. (Verizon DBIR, 2025)
How Much Has Already Leaked
Every leaked password fuels the next credential-stuffing attack. In late 2025, threat-intelligence firm Synthient handed one of the largest credential datasets ever to Have I Been Pwned.
- Have I Been Pwned indexed 1,957,476,021 unique email addresses (about 2 billion) from aggregated credential-stuffing data on 5 November 2025. (Have I Been Pwned / Synthient, 2025)
- The same dataset contained 1.3 billion unique passwords. (Have I Been Pwned, 2025)
- Of those, 625 million passwords had never been seen before in the Pwned Passwords service — and many were still in active use. (Have I Been Pwned, 2025)
The Passwords People Actually Choose
NordPass and partners analysed public breaches and dark-web repositories from September 2024 to September 2025. The results barely change year to year.
- "123456" is again the world's most common password — topping the list in six of the past seven years. (NordPass, 2025)
- 78% of the world's most common passwords can be cracked in under one second, up from 70% a year earlier. (NordPass, 2025)
- "admin" is the second most common password globally — and the single most common in the United States. (NordPass, 2025)
- The weakest passwords were strikingly uniform across every generation; simple numeric sequences topped the list for every age group. (NordPass, 2025)
How People Really Behave
The gap between what people know and what they do is the core of the password problem. These findings come from the LastPass Psychology of Passwords study.
- 91% of people know that reusing passwords is insecure — yet do it anyway. (LastPass, Psychology of Passwords)
- Nearly two-thirds of people reuse the same password or a variation across accounts. (LastPass)
- 59% use the same or a similar password for multiple accounts. (LastPass)
- 60% say fear of forgetting is their number-one reason for reusing passwords. (LastPass)
- Only 55% would update a password even after that account was hacked. (LastPass)
- Almost 50% do not use different passwords for personal and work accounts. (LastPass)
- After cybersecurity education, only 31% of users stopped reusing passwords. (LastPass)
- After that same education, only 25% started using a password manager. (LastPass)
The Financial Cost
Weak and stolen credentials are not abstract. The FBI Internet Crime Complaint Center (IC3) tallies reported losses each year, and phishing — the front door to credential theft — leads by complaint volume.
- Internet crime caused reported losses of $16.6 billion in 2024. (FBI IC3, 2024)
- That was a 33% increase in losses over 2023. (FBI IC3, 2024)
- The IC3 received 859,532 complaints of suspected internet crime in 2024. (FBI IC3, 2024)
- Phishing and spoofing were the top complaint type, with 193,407 reports. (FBI IC3, 2024)
- Extortion was the second most reported crime, with 86,415 complaints. (FBI IC3, 2024)
- Investment fraud, largely involving cryptocurrency, was the costliest category at more than $6.5 billion in losses. (FBI IC3, 2024)
MFA Adoption — Slow but Rising
Multi-factor authentication is the most reliable defence against stolen passwords, yet coverage is uneven. The figures below come from the Okta Secure Sign-in Trends Report 2025.
Data visualisation: a horizontal bar chart. Larger organisations are far more likely to enforce MFA (78% at 1,001–10,000 staff) than the smallest businesses (27% at up to 25 staff), against a workforce-wide average of 70%.
- Workforce MFA adoption reached 70% of users as of January 2025 — meaning nearly a third still sign in with a password alone. (Okta, 2025)
- The technology sector leads at 87% MFA adoption. (Okta, 2025)
- At the smallest firms (up to 25 employees), adoption is just 27%. (Okta, 2025)
- Mid-small firms (26–100 employees) reach 34%, while large firms (1,001–10,000) reach 78%. (Okta, 2025)
- 91% of admins use MFA, versus 66% of non-admin end users. (Okta, 2025)
- Retail MFA adoption jumped nine percentage points in a single year after Scattered Spider attacks hit major retailers. (Okta, 2025)
Passkeys Are Replacing Passwords
The clearest long-term trend is the move to passwordless sign-in. Passkeys — phishing-resistant credentials backed by the FIDO Alliance — reached genuine scale in 2025.
- More than 15 billion online accounts can now use passkeys, roughly double the year before. (FIDO Alliance, 2025)
- Over 1 billion people have activated at least one passkey. (FIDO Alliance, 2025)
- Google reports more than 800 million accounts using passkeys and over 2.5 billion passkey sign-ins. (Google, 2025)
- Passkeys deliver a 30% higher sign-in success rate than passwords. (FIDO Passkey Index, 2025)
- Passkey sign-ins are about 20% faster than password sign-ins. (Google, 2025)
- Amazon has more than 175 million customers with passkeys enabled. (Amazon, 2025)
- An estimated 5 billion passkeys are now in active use worldwide. (FIDO Alliance, 2025)
- The passwordless-authentication market reached $24.1 billion in 2025 and is projected to keep growing at double-digit rates. (Industry estimate, 2025)
🔐 The realistic fix for every statistic above
Almost every number on this page traces back to two habits: reusing passwords and choosing weak ones. A password manager ends both. NordPass generates a unique, maximum-entropy password for every account, stores them behind XChaCha20 encryption and a zero-knowledge architecture, and warns you when a saved password appears in a breach — the same credential-stuffing data referenced above.
Get NordPass →Affiliate link — we may earn a commission at no extra cost to you.
What NIST Now Recommends
The single most-cited authority on password policy is NIST Special Publication 800-63B, the U.S. Digital Identity Guidelines. Its modern guidance overturns decades of bad advice.
- NIST recommends a minimum length of 8 characters and support for at least 64, because length beats complexity. (NIST SP 800-63B)
- NIST advises against mandatory periodic password changes unless there is evidence of compromise. (NIST SP 800-63B)
- NIST advises against forced composition rules (mandatory mixes of symbols, digits and cases). (NIST SP 800-63B)
- NIST recommends screening new passwords against lists of known-breached passwords and rejecting matches. (NIST SP 800-63B)
- NIST recommends allowing all printable ASCII characters, spaces and Unicode, so long passphrases are practical. (NIST SP 800-63B)
What These Numbers Mean
Read together, the 50 statistics tell one story. Attackers rarely need to brute-force a strong password; they log in with one that already leaked. Reuse turns a single breach into dozens of account takeovers, which is why 49% password-distinctness and 2 billion leaked emails are the two most dangerous figures here. The defences that actually move the needle are the ones the data keeps validating: a unique password on every account, generated by a password generator, plus a second factor — ideally a passkey. For the full behavioural picture, see our companion roundup of password security statistics.
Frequently Asked Questions
How many password attacks happen per second in 2026?
Microsoft reports observing more than 7,000 password attacks every second, based on 2024 data in its Digital Defense Report 2025 — roughly 600 million attempts per day. The overwhelming majority (97%) are password-spray attacks that try common passwords against many accounts.
What percentage of data breaches involve stolen passwords?
According to the 2025 Verizon Data Breach Investigations Report, stolen credentials were the initial access vector in 22% of all breaches — the single most common entry point — and 88% of basic web-application attacks used stolen credentials.
How much does password-related cybercrime cost?
The FBI's Internet Crime Complaint Center recorded $16.6 billion in reported losses in 2024, a 33% jump over 2023. Phishing and spoofing, the primary methods for stealing credentials, were the most-reported crime with 193,407 complaints.
Do password managers and MFA actually help?
Yes. Microsoft found that more than 99.9% of compromised accounts had no MFA, and that phishing-resistant MFA blocks over 99% of identity attacks. A password manager eliminates reuse — the behaviour behind most credential-stuffing attacks — by generating a unique password for every account.
Are passwords being replaced?
Gradually. As of 2025, more than 15 billion accounts support passkeys, over 1 billion people have activated one, and Google alone reports 2.5 billion passkey sign-ins. Passkeys are phishing-resistant and cannot be reused or leaked in a breach the way passwords can.
Methodology and Sources
Every statistic on this page is attributed inline to the organisation that published it, with the year of the source. Figures are quoted as reported by each primary source and were current as of July 2026. Primary sources:
- Verizon — 2025 Data Breach Investigations Report (DBIR)
- Microsoft — Digital Defense Report 2025
- FBI Internet Crime Complaint Center (IC3) — 2024 Internet Crime Report
- LastPass — Psychology of Passwords
- NordPass — Top 200 Most Common Passwords, 2025
- Have I Been Pwned / Synthient — Credential-stuffing dataset, November 2025
- Okta — Secure Sign-in Trends Report 2025
- FIDO Alliance — Passkey Index 2025; Google and Amazon passkey disclosures
- NIST — Special Publication 800-63B, Digital Identity Guidelines
Note: where a statistic is a median or depends on a defined sample (for example, credential-stuffing rates from SSO logs or infostealer-infected devices), that context is stated with the figure. Percentages are reproduced as published and are not combined across differing denominators.