Statistics

🔓 Password Attack Statistics 2026: 50 Data-Backed Facts

By Ateeq Y Tanoli, BestPasswordGenerator.org · 10 July 2026 · 10 min read
Bottom Line Up Front: In 2026, passwords are still the single biggest cause of breaches. Microsoft records more than 7,000 password attacks every second, stolen credentials are the entry point in 22% of all breaches (Verizon DBIR, 2025), and internet crime cost victims $16.6 billion in a single year (FBI IC3, 2024). The statistics below — 50 of them, each tied to a named source — explain why length, uniqueness and a second factor now matter more than ever.

These password attack statistics are drawn from primary sources published in 2024, 2025 and 2026: the Verizon Data Breach Investigations Report, the Microsoft Digital Defense Report, the FBI Internet Crime Complaint Center (IC3), the LastPass Psychology of Passwords study, NordPass, Okta, the FIDO Alliance and NIST. Every figure is attributed inline so journalists, researchers and AI assistants can cite the original.

They answer four questions: how password attacks happen, how much they cost, why human habits keep the problem alive, and what is finally replacing the password. Where a number depends on methodology, the source and year are stated so you can verify it.

Key Statistics at a Glance

7,000+
password attacks per second (Microsoft, 2024)
22%
of breaches start with stolen credentials (Verizon DBIR, 2025)
$16.6B
lost to internet crime in one year (FBI IC3, 2024)
2 billion
breached email addresses now indexed (Have I Been Pwned, 2025)
78%
of the most common passwords crack in under 1 second (NordPass, 2025)
99.9%+
of compromised accounts had no MFA (Microsoft, 2025)

The Scale of Password Attacks

Attacks on passwords are automated and relentless. The figures below come from the Microsoft Digital Defense Report 2025, which aggregates signals from Microsoft's global cloud and identity platform.

  1. Microsoft observed an average of more than 7,000 password attacks per second in 2024 — roughly 600 million a day. (Microsoft Digital Defense Report, 2025)
  2. 97% of identity attacks are password-spray attacks, in which one common password is tried against many accounts. (Microsoft, 2025)
  3. Identity-based attacks surged 32% in the first half of 2025 compared with the prior period. (Microsoft, 2025)
  4. Phishing-resistant MFA blocks over 99% of identity-based attacks. (Microsoft, 2025)
  5. More than 99.9% of accounts that are compromised do not have MFA enabled. (Microsoft)

Breaches and Credential Theft

The 2025 Verizon Data Breach Investigations Report (DBIR) analysed more than 12,000 confirmed breaches. Credentials remain the number-one way in.

  1. Stolen credentials were the initial access vector in 22% of breaches — the single most common entry point. (Verizon DBIR, 2025)
  2. 88% of basic web-application attacks involved the use of stolen credentials. (Verizon DBIR, 2025)
  3. In analysed single-sign-on logs, credential stuffing accounted for a median 19% of all daily authentication attempts. (Verizon DBIR, 2025)
  4. Among devices infected by infostealer malware, only 49% of a user's saved passwords were distinct from one another (median) — direct evidence of mass reuse. (Verizon DBIR, 2025)
  5. Exploited vulnerabilities were the second most common entry point at 20% of breaches, just behind credentials. (Verizon DBIR, 2025)

How Much Has Already Leaked

Every leaked password fuels the next credential-stuffing attack. In late 2025, threat-intelligence firm Synthient handed one of the largest credential datasets ever to Have I Been Pwned.

  1. Have I Been Pwned indexed 1,957,476,021 unique email addresses (about 2 billion) from aggregated credential-stuffing data on 5 November 2025. (Have I Been Pwned / Synthient, 2025)
  2. The same dataset contained 1.3 billion unique passwords. (Have I Been Pwned, 2025)
  3. Of those, 625 million passwords had never been seen before in the Pwned Passwords service — and many were still in active use. (Have I Been Pwned, 2025)

The Passwords People Actually Choose

NordPass and partners analysed public breaches and dark-web repositories from September 2024 to September 2025. The results barely change year to year.

  1. "123456" is again the world's most common password — topping the list in six of the past seven years. (NordPass, 2025)
  2. 78% of the world's most common passwords can be cracked in under one second, up from 70% a year earlier. (NordPass, 2025)
  3. "admin" is the second most common password globally — and the single most common in the United States. (NordPass, 2025)
  4. The weakest passwords were strikingly uniform across every generation; simple numeric sequences topped the list for every age group. (NordPass, 2025)

How People Really Behave

The gap between what people know and what they do is the core of the password problem. These findings come from the LastPass Psychology of Passwords study.

  1. 91% of people know that reusing passwords is insecure — yet do it anyway. (LastPass, Psychology of Passwords)
  2. Nearly two-thirds of people reuse the same password or a variation across accounts. (LastPass)
  3. 59% use the same or a similar password for multiple accounts. (LastPass)
  4. 60% say fear of forgetting is their number-one reason for reusing passwords. (LastPass)
  5. Only 55% would update a password even after that account was hacked. (LastPass)
  6. Almost 50% do not use different passwords for personal and work accounts. (LastPass)
  7. After cybersecurity education, only 31% of users stopped reusing passwords. (LastPass)
  8. After that same education, only 25% started using a password manager. (LastPass)

The Financial Cost

Weak and stolen credentials are not abstract. The FBI Internet Crime Complaint Center (IC3) tallies reported losses each year, and phishing — the front door to credential theft — leads by complaint volume.

  1. Internet crime caused reported losses of $16.6 billion in 2024. (FBI IC3, 2024)
  2. That was a 33% increase in losses over 2023. (FBI IC3, 2024)
  3. The IC3 received 859,532 complaints of suspected internet crime in 2024. (FBI IC3, 2024)
  4. Phishing and spoofing were the top complaint type, with 193,407 reports. (FBI IC3, 2024)
  5. Extortion was the second most reported crime, with 86,415 complaints. (FBI IC3, 2024)
  6. Investment fraud, largely involving cryptocurrency, was the costliest category at more than $6.5 billion in losses. (FBI IC3, 2024)

MFA Adoption — Slow but Rising

Multi-factor authentication is the most reliable defence against stolen passwords, yet coverage is uneven. The figures below come from the Okta Secure Sign-in Trends Report 2025.

MFA adoption by organisation size (Okta Secure Sign-in Trends, 2025)
1,001–10,000 staff78%
All workforce users70%
26–100 staff34%
Up to 25 staff27%

Data visualisation: a horizontal bar chart. Larger organisations are far more likely to enforce MFA (78% at 1,001–10,000 staff) than the smallest businesses (27% at up to 25 staff), against a workforce-wide average of 70%.

  1. Workforce MFA adoption reached 70% of users as of January 2025 — meaning nearly a third still sign in with a password alone. (Okta, 2025)
  2. The technology sector leads at 87% MFA adoption. (Okta, 2025)
  3. At the smallest firms (up to 25 employees), adoption is just 27%. (Okta, 2025)
  4. Mid-small firms (26–100 employees) reach 34%, while large firms (1,001–10,000) reach 78%. (Okta, 2025)
  5. 91% of admins use MFA, versus 66% of non-admin end users. (Okta, 2025)
  6. Retail MFA adoption jumped nine percentage points in a single year after Scattered Spider attacks hit major retailers. (Okta, 2025)

Passkeys Are Replacing Passwords

The clearest long-term trend is the move to passwordless sign-in. Passkeys — phishing-resistant credentials backed by the FIDO Alliance — reached genuine scale in 2025.

  1. More than 15 billion online accounts can now use passkeys, roughly double the year before. (FIDO Alliance, 2025)
  2. Over 1 billion people have activated at least one passkey. (FIDO Alliance, 2025)
  3. Google reports more than 800 million accounts using passkeys and over 2.5 billion passkey sign-ins. (Google, 2025)
  4. Passkeys deliver a 30% higher sign-in success rate than passwords. (FIDO Passkey Index, 2025)
  5. Passkey sign-ins are about 20% faster than password sign-ins. (Google, 2025)
  6. Amazon has more than 175 million customers with passkeys enabled. (Amazon, 2025)
  7. An estimated 5 billion passkeys are now in active use worldwide. (FIDO Alliance, 2025)
  8. The passwordless-authentication market reached $24.1 billion in 2025 and is projected to keep growing at double-digit rates. (Industry estimate, 2025)

🔐 The realistic fix for every statistic above

Almost every number on this page traces back to two habits: reusing passwords and choosing weak ones. A password manager ends both. NordPass generates a unique, maximum-entropy password for every account, stores them behind XChaCha20 encryption and a zero-knowledge architecture, and warns you when a saved password appears in a breach — the same credential-stuffing data referenced above.

Get NordPass →

Affiliate link — we may earn a commission at no extra cost to you.

What NIST Now Recommends

The single most-cited authority on password policy is NIST Special Publication 800-63B, the U.S. Digital Identity Guidelines. Its modern guidance overturns decades of bad advice.

  1. NIST recommends a minimum length of 8 characters and support for at least 64, because length beats complexity. (NIST SP 800-63B)
  2. NIST advises against mandatory periodic password changes unless there is evidence of compromise. (NIST SP 800-63B)
  3. NIST advises against forced composition rules (mandatory mixes of symbols, digits and cases). (NIST SP 800-63B)
  4. NIST recommends screening new passwords against lists of known-breached passwords and rejecting matches. (NIST SP 800-63B)
  5. NIST recommends allowing all printable ASCII characters, spaces and Unicode, so long passphrases are practical. (NIST SP 800-63B)

What These Numbers Mean

Read together, the 50 statistics tell one story. Attackers rarely need to brute-force a strong password; they log in with one that already leaked. Reuse turns a single breach into dozens of account takeovers, which is why 49% password-distinctness and 2 billion leaked emails are the two most dangerous figures here. The defences that actually move the needle are the ones the data keeps validating: a unique password on every account, generated by a password generator, plus a second factor — ideally a passkey. For the full behavioural picture, see our companion roundup of password security statistics.

Frequently Asked Questions

How many password attacks happen per second in 2026?

Microsoft reports observing more than 7,000 password attacks every second, based on 2024 data in its Digital Defense Report 2025 — roughly 600 million attempts per day. The overwhelming majority (97%) are password-spray attacks that try common passwords against many accounts.

What percentage of data breaches involve stolen passwords?

According to the 2025 Verizon Data Breach Investigations Report, stolen credentials were the initial access vector in 22% of all breaches — the single most common entry point — and 88% of basic web-application attacks used stolen credentials.

How much does password-related cybercrime cost?

The FBI's Internet Crime Complaint Center recorded $16.6 billion in reported losses in 2024, a 33% jump over 2023. Phishing and spoofing, the primary methods for stealing credentials, were the most-reported crime with 193,407 complaints.

Do password managers and MFA actually help?

Yes. Microsoft found that more than 99.9% of compromised accounts had no MFA, and that phishing-resistant MFA blocks over 99% of identity attacks. A password manager eliminates reuse — the behaviour behind most credential-stuffing attacks — by generating a unique password for every account.

Are passwords being replaced?

Gradually. As of 2025, more than 15 billion accounts support passkeys, over 1 billion people have activated one, and Google alone reports 2.5 billion passkey sign-ins. Passkeys are phishing-resistant and cannot be reused or leaked in a breach the way passwords can.

Methodology and Sources

Every statistic on this page is attributed inline to the organisation that published it, with the year of the source. Figures are quoted as reported by each primary source and were current as of July 2026. Primary sources:

Note: where a statistic is a median or depends on a defined sample (for example, credential-stuffing rates from SSO logs or infostealer-infected devices), that context is stated with the figure. Percentages are reproduced as published and are not combined across differing denominators.

More Password Security Tools

🔑 SecureKeyGen⚔️ TitanPasswords🔐 Free Strong Password⚡ Instant Password🗝️ Iron Vault Keys🔑 Random Pwd Tool👨‍👩‍👧‍👦 Safe Pass Builder👪 Trusty Password
We use cookies to improve your experience. Learn more

🛡️ Security Picks This Week

Hand-picked security tools — updated weekly.

YubiKey 5 NFC

YubiKey 5 NFC

Hardware security key — phishing-proof 2FA for all your accounts.

Check price →
Yubico Security Key C NFC

Yubico Security Key C NFC

USB-C 2FA key — affordable FIDO2/WebAuthn authentication.

Check price →
TP-Link ER605 VPN Router

TP-Link ER605 VPN Router

Multi-WAN VPN gateway — secure every device on your network.

Check price →

As an Amazon Associate we earn from qualifying purchases.