Passwords – 25 Fun Facts and Statistics!

Passwords are among the oldest yet most popular means of online security and privacy. We use them to safeguard everything from sensitive banking information to the Reddit account we created to enjoy some juicy memes.

Nowadays, we get to see additional safeguards such as two-factor authentication in conjunction with passwords, but it is the password that remains at the core of things.

People have now started to realize how important it is to have a strong password, and why one should follow good password practices. But things weren’t like this in the beginning.

One can attribute this shift in perspective to the fact that people’s lives are now more integrated with their online accounts, and hence, they act more responsibly.

We have compiled a few noteworthy facts related to passwords. Some of them might make your jaw drop, while others might make you audit some of your password practices.

There are also a few statistics to give you an idea of where things stand.

The numbers game

Let’s go through some numbers to understand what’s happening in the world of passwords and cybersecurity. It is much easier to put a finger on what’s wrong if one has relevant data.

Organizations keep conducting surveys and research to come up with useful information. Here are excerpts from some of those studies and surveys.

1. Nearly 80% of the cloud services allow users to set up weak passwords

People often use simple passwords because they are easy to remember. One way to make them use strong passwords can be to implement rules which don’t allow users to create accounts with weaker passwords.

But the service providers do not seem to bother much about it. A study that included 12,000 cloud services showed that 79.9% of websites allowed users to have passwords with only lowercase characters.

13.6% of them made users create moderate passwords (passwords with characters and numbers), and only 6.5% of the websites required strong passwords (ones with numbers, symbols, uppercase, and lowercase letters).

(Source: McAfee)

2. Nearly 30% of the users reuse the same password on multiple accounts

Recycling is a good habit, but not when it comes to the use of passwords. The most obvious disadvantage of using the same password on different accounts is that it will take only one account breach to compromise the rest of them.

Joseph Bonneau, a researcher at the University of Cambridge, compared stolen password information from two websites and discovered that the rate of password reuse among the same email addresses was 31%.

The number even reaches close to 50% if one starts taking similar passwords into account.

(Source: InfoWorld)

3. The 20 most common passwords account for 10.3% of the passwords in use

A study of nearly 11 million passwords for cloud services available on the darknet showed that nearly 10% of account holders are still using one of the 20 most common passwords.

This significantly improves the chances of hackers simply guessing the password, even if it is protected with strong encryption.

(Source: McAfee)

4. 70% of users have more than 10 password-protected accounts

The increasing number of accounts one needs to manage is one of the reasons why users often find themselves using bad password practices.

A survey showed that nearly 70% of users had more than 10 password-protected accounts, while 30% confessed to having too many to count.

(Source: Entrepreneur)

5. In 2020, the average number of accounts per user will be 207

One has no option but to create multiple accounts if they wish to take advantage of the internet to its fullest. Even news websites now require readers to sign in to go through news articles.

A projection says that the average number of accounts per user will be 207 by the year 2020. The only way to have strong passwords on so many accounts without forgetting them is to take the help of a password manager.

(Source: Dashlane)

6. Only 1% of the web services ask users to create an extremely safe password

A survey pointed out that merely one percent of websites require their users to create passwords that contain a mix of 4 kinds of characters, i.e., upper-case letters, lower-case letters, numbers, and special characters.

60% of the services allowed users to create a password with just one kind of character, while the percentages of services allowing two and three kinds of characters were 30% and 10%, respectively.

The web services should try to get users in the habit of creating strong passwords.

(Source: Password Coach)

Bad password practices

Getting rid of bad password practices should be the priority of anyone who operates online accounts. A lot of people may argue that they have been doing just fine with their usual passwords. But such practices will take them only so far.

Some people indulge in such practices because of a dearth of knowledge. Here are a few points to tell you about the various foul password practices and how many of you are still entertaining them.

7. 40% of organizations store passwords in a Word document or a spreadsheet

A survey conducted by CyberArk said that nearly 40% of organizations store privileged admin passwords in a Word document or spreadsheet. Another 28% used either a shared server or a USB drive.

Bad password practices can provide hackers a much easier way to compromise the system. And passwords stored this way are an invitation to trouble. The survey was conducted in 2016, and maybe the situation is not as bad under present circumstances.

(Source: CyberArk)

8. 66% of people use only 1 or 2 passwords for all their accounts

If you have accounts on multiple platforms, then it can be too big of a task to remember passwords for all of them. While there are a lot of ways to get around this issue, a lot of users decide to go with only 1 or 2 passwords across all their accounts.

It is needless to mention how bad of a strategy this can be. Going with password managers is a much safer bet.

(Source: Halock)

9. The usually prescribed minimum length of passwords is 12 or more

A lot of popular websites such as Google, Facebook, Reddit, Netflix, and others allow users to create passwords that are only 6 or 8 characters long. Wikipedia would let you create a password with just one character.

But all of us know that it’s a good practice to keep the password long. Long passwords are difficult to crack or guess. Various password experts recommend that passwords should be at least 12 characters long.

(Source: Infosec)

10. It seems the younger generation doesn’t pay much attention to password security

A survey said that 76% of people aged 18 to 24 are likely to reuse a password. It was the highest percentage for any age group.

The corresponding figure for people aged above 65 was 62%. The stat is surprising in many ways since one expects the younger tech-savvy generation to be more careful about their online security.

(Source: Digital Guardian)

11. There is a 50% chance that a password contains at least one vowel

We humans follow certain patterns that make it easier for one to guess the password. The chances of a password containing at least one vowel are 50%.

The numbers placed at the end of a password are usually ‘1’ or ‘2.’ It was also observed that women tend to use their names for passwords, while men use their hobbies for passwords.

You might want to change your password if you also follow one of these patterns.

(Source: Halock)

12. People are 3 times more likely to use their pet’s name as a password rather than that of a family member

Pets often become dearer to us than our human family members. The unconditional love people receive from their pets shows up in their password practices, as well. Someone is three times more likely to use the name of their pet as a password than that of a family member.

It is needless to mention that it does not make for a strong password. Someone can easily predict your password if they have an idea of how much you love your pet.

(Source: Facebook)

13. A person usually changes the password every 2.5 to 3 years

Changing passwords frequently is a recommended practice. Data breaches keep happening now and then, but we don’t get to hear about all of them.

Frequent password changes will keep you on the safer side. However, people usually take up to 3 years to change their passwords. Some of them do it only when they get notified by the service provider to do so.

(Source: Resource Techniques)

Passwords and cyberattacks

A weak password or poor password practice makes life a lot easier for hackers. All they need is a small opening, and weak passwords provide them just that.

Let’s have a look at how these hackers are guessing your passwords and how you might be facilitating their attempts.

14. Hacking attempts using brute force or dictionary attacks increased by 400% in 2017

There was a significant increase in the number of brute force attacks in 2017. A brute force attack involves the hacker trying to access the account using different password combinations with the help of software.

The report said the labs experienced around 100 to 600 brute force attacks each hour.

(Source: SC Media)

15. Someone created a computer capable of guessing 350 billion passwords per second

The system uses five servers, which make use of 25 AMD Radeon graphics cards to come up with this many guesses per second. The system has made it entirely possible to guess an eight-character password in significantly less time.

It takes the system only 5.5 hours to go through all the possible 8-character options, including numbers, upper- and lower-case characters, and symbols.

(Source: Ars Technica)
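As an added illustration (not taken from any of the cited sources), the Python sketch below combines the signup rules discussed in items 1, 6 and 9 with the guess rate quoted in item 15: it rejects blocklisted, short or single-class passwords and estimates the worst-case exhaustive-search time. The function names, the blocklist contents and the assumption of a fast, unsalted hash attacked offline are choices made for this example.

```python
import string

# Constructed blocklist: the common passwords quoted on this page (item 21).
COMMON = {"123456", "123456789", "password", "adobe123", "qwerty"}
GUESSES_PER_SECOND = 350e9   # guess rate quoted in item 15
MIN_LENGTH = 12              # minimum length recommended in item 9

# The four character kinds from items 1 and 6 (95 printable ASCII in total).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation + " ",
}

def classes_used(password):
    """Names of the character classes that appear in the password."""
    return [name for name, chars in CLASSES.items()
            if any(c in chars for c in password)]

def exhaust_seconds(password):
    """Worst-case seconds to try every string of this length over the
    classes used. Assumption: offline attack against a fast, unsalted hash."""
    alphabet = sum(len(CLASSES[n]) for n in classes_used(password))
    return alphabet ** len(password) / GUESSES_PER_SECOND

def check_signup_password(password):
    """Return a list of policy violations; an empty list means accepted."""
    problems = []
    if password.lower() in COMMON:
        problems.append("on the common-password blocklist")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    used = classes_used(password)
    missing = [n for n in CLASSES if n not in used]
    if missing:
        problems.append("missing classes: " + ", ".join(missing))
    return problems

if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ["qwerty", "Tr0ub4d&r", "correct Horse 7 battery!"]:
        hours = exhaust_seconds(pw) / 3600
        print(f"{pw!r}: {check_signup_password(pw) or 'accepted'}; "
              f"exhaustive search ~{hours:.3g} h")
```

A service would normally run such a check server-side at account creation and password change, with a much larger blocklist than the five entries used here.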

16. Saving passwords in the web browser isn’t a very smart move

Popular web browsers such as Chrome and Firefox offer to save user passwords so that users don’t need to memorize them. Since the passwords are saved within the browser, the user can easily log in to the account when using that browser.

However, very few users know that the browser stores this sensitive information locally on the device in plain text. There is no master password involved, as is the case with password managers. So, if someone has physical access to your device, the person can easily have a quick look at all your passwords.

You should think twice the next time you decide to save passwords with the web browser.

(Source: ZD Net)

17. There are roughly more than a million brute force attacks on WordPress sites each hour

Even though it is one of the oldest ways to compromise a system, a brute force attack is still quite popular among hackers. The increased processing capabilities of computers and the option to rent some of it online allow cybercriminals to conduct highly sophisticated brute force attacks.

Research showed that there are almost a million brute force attacks on WordPress sites each hour.

(Source: Geekflare)

18. 48% of people have shared a password with someone else

Sharing a password is the epitome of bad password practices, and a lot of people still do it without thinking much of the consequences. The way whistleblower Edward Snowden got access to passwords of 25 of his colleagues was by simply asking them.

A survey says 30% of teens have shared a password. The stat jumps to 48% if you include every demographic. The survey also said that women are more likely to share passwords than men, and girls are twice as likely to share passwords as boys.

(Source: Random Password Generator)

19. 68% of the executives of companies that experienced significant breaches indicated that those could have been prevented

Cybercriminals thrive on human errors, and it is the human element of any organization’s cybersecurity mechanism which is most vulnerable to cyberattacks.

A survey found that 68% of executives of companies that experienced significant breaches entertained the possibility that the breach could have been avoided if they had either privileged user identity and access management or user identity assurance.

(Source: Centrify)

The miscellaneous ones

We had to dive deep into the world of passwords to find out all those stats for you, and we came across a few interesting facts in the process. All of them might not be astonishing to you, but we are confident of raising your eyebrows with a few of them.

20. The first Thursday of each May is World Password Day

Not many people know that there is a World Password Day. It is observed on the first Thursday of each May.

You can make sure all your passwords are updated and even share some tips for better password practices on this day.

(Source: National Day Calendar)

21. “123456” is the most commonly used password

Jeremi Gosney, a passwords expert and founder of the security firm Stricture Consulting Group, analyzed 130 million passwords and came up with this stat.

The passwords are the ones released by hackers who breached Adobe servers in 2013. The passwords were available in encrypted form, and Jeremi seems to have been able to decrypt them to some extent.

The other most commonly used passwords in the list were ‘123456789,’ ‘password,’ ‘adobe123,’ ‘qwerty,’ and so on.

(Source: ZD Net)

22. Facebook had ‘Chuck Norris’ as the master password for one to access any profile on the platform

Facebook hasn’t been as good an ambassador of online privacy as we wanted it to be. One of the interesting controversies related to them and passwords was the use of ‘Chuck Norris’ as the master password.

It is said that one could use the master password to access any profile created on Facebook. It was also said that only a few engineers had knowledge of this information and that it would work only with the Facebook ISP.

(Source: The Rumpus)

23. The launch code for US nuclear missiles was ‘00000000’ for 20 years

Yes, they had such a weak password for something which has the potential to destroy the world. The small security devices, which were set to prevent the launch of nuclear missiles without the right code and authority, had their passwords set to ‘00000000.’

They even had the code written down for officers to make sure they wouldn’t run into any issues if they had to launch the missiles. The authorities seemed more interested in being able to launch the missiles without an issue than in being able to stop any illegitimate launch attempts.

(Source: Naked Security)

24. Microsoft Hotmail allowed anyone to access accounts using the password ‘eh.’

In 1999, it was discovered that anyone could log into Hotmail accounts by using the password ‘eh.’ This was a classic example of poor programming practice.

They could’ve easily gone for a slightly more difficult password given the kind of information that was at stake. The incident also gives some idea of what the approach to online security used to be back in those days.

(Source: Tech Republic)

25. Even the FBI’s most wanted hackers fall prey to bad password practices

Jeremy Hammond, a cybercriminal on the FBI’s most-wanted list, had his password as the name of his cat, followed by ‘123.’

Hammond confessed that his password was very weak. However, it is not certain whether it was the weak password that led to him getting caught or something else. He was sentenced to ten years of imprisonment for his actions.

(Source: ABC News)

References and Data Sources

  1. McAfee
  2. InfoWorld
  3. McAfee
  4. Entrepreneur
  5. Dashlane
  6. Password Coach
  7. CyberArk
  8. Halock
  9. Infosec
  10. Digital Guardian
  11. Halock
  12. Facebook
  13. Resource Techniques
  14. SC Media
  15. Ars Technica
  16. ZD Net
  17. Geekflare
  18. Random Password Generator
  19. Centrify
  20. National Day Calendar
  21. ZD Net
  22. The Rumpus
  23. Naked Security
  24. Tech Republic
  25. ABC News