---
title: "Password Statistics 2026: Credential Theft, MFA, and the Passkey Tipping Point"
date: 2026-05-15
author: "Sofia Ramirez"
featured_image: "https://sqmagazine.co.uk/wp-content/uploads/2026/04/password-statistics.jpg"
categories:
  - name: "Cybersecurity"
    url: "/cybersecurity.md"
tags:
  - name: "Statistics"
    url: "/tag/statistics.md"
---

# Password Statistics 2026: Credential Theft, MFA, and the Passkey Tipping Point

Cybernews researchers analysed over 19 billion passwords leaked between April 2024 and April 2025 and found that 94% were reused or duplicated across accounts. The headline number is alarming, but the more interesting story sits underneath it. Even as leak volume climbed, Verizon’s 2025 DBIR found that the use of compromised credentials was the initial access vector in 22% of the breaches reviewed, down from 31% in the prior period. Multi-factor authentication and passkeys are absorbing the defensive load, while password hygiene barely budges.

The data below spans the most common passwords, reuse rates, [breach costs](https://sqmagazine.co.uk/data-breach-statistics/), NIST guideline shifts, MFA adoption, passkey uptake, biometric login, and SMS-based two-factor authentication risk.

## Key Takeaways

- **Cybernews** analysed over 19 billion leaked passwords and found **94%** were reused or duplicated, leaving only 6% as unique credentials.
- **Verizon** reports stolen credentials drove **22%** of breaches in 2025, down from 31% the prior period.
- Around **2.8 billion** passwords were posted for sale or for free on dark-web markets and criminal boards in 2024, per **Verizon DBIR 2025**.
- **IBM** estimates breaches initiated by compromised credentials cost an average of **$4.67 million** per breach.
- The **FIDO Alliance** confirms more than **1 billion** people have activated at least one passkey, and over 15 billion online accounts can use passkeys.
- **NIST** now sets an **8-character** floor and a **15-character** recommended minimum, asks verifiers to permit at least **64 characters**, and explicitly forbids composition rules in its Revision 4 password guidelines.
- **UK Finance** reports **89%** of UK mobile-banking app users authenticate with fingerprint or facial recognition rather than a password.

## Editor’s Choice

- An eight-character lowercase-only password can now be cracked in approximately **3 weeks** on a 12-GPU RTX 5090 rig running bcrypt, per **Hive Systems**.
- **Google** reports that more than **800 million** Google accounts now use passkeys for sign-in.
- **Verizon DBIR 2025** found that a staggering **88%** of attacks against basic web applications involved the use of stolen credentials.
- The **FBI** Internet Crime Complaint Center received **982** SIM-swap complaints in 2024, totalling $25,983,946 in reported losses.
- **Microsoft** disclosed **92%** of Microsoft employee productivity accounts now use phishing-resistant multi-factor authentication.
- **Hive Systems** estimates a 15-character lowercase password could take up to **477 million years** to brute-force on the same hardware.
- **Verizon DBIR 2025** logs found **30%** of corporate-managed devices and **46%** of unmanaged devices in infostealer logs contained company credentials.

## Recent Developments

- **April 2026**: [Microsoft](https://sqmagazine.co.uk/microsoft-statistics/) announced that passkey support for phishing-resistant sign-in to Microsoft Entra-protected resources will roll out across Windows devices, with general availability expected by mid-June 2026.
- **March 2026**: Microsoft began auto-enabling passkey profiles across all Microsoft Entra ID tenants by default for organisations that had not customised the passkey policy.
- **March 2026**: Dashlane Passkey Power 20 update reaffirmed that 40% of Dashlane users now store at least one passkey in their vault, double the 20% recorded in 2024.
- **February 2026**: UK Finance reaffirmed in its updated Payment Markets report that biometric authentication for banking is now the default rather than the exception across the major UK current-account providers.
- **February 2026**: Microsoft’s Secure Future Initiative status update confirmed all new Microsoft consumer accounts created from May 2025 onward will be passwordless by default, a posture announced in April 2025 and sustained through early 2026.
- **January 2026**: FIDO Alliance reported continued growth past the more than 1 billion passkey-activation milestone first announced on World Passkey Day 2025, with implementation reaching 48% of the world’s top 100 websites.

## The Most Common Passwords

- **NordPass** found that “123456” remains the world’s most common password for 2025, a position it has held for six of the past seven years.
- The **NordPass** research analysed a **2.5 TB** database of passwords exposed in public breaches and dark-web repositories captured between September 2024 and September 2025.
- **Verizon’s DBIR** found that only **3%** of compromised passwords met basic complexity requirements.
- **NordPass** concludes that despite significant efforts over the years to educate users about cybersecurity, there has been little improvement in widespread password hygiene and security habits.

| Rank | Password | Time to Crack |
|---|---|---|
| 1 | 123456 | Under 1 second |
| 2 | 123456789 | Under 1 second |
| 3 | 12345678 | Under 1 second |
| 4 | password | Under 1 second |
| 5 | qwerty123 | Under 1 second |
| 6 | qwerty1 | Under 1 second |
| 7 | 111111 | Under 1 second |
| 8 | 12345 | Under 1 second |
| 9 | secret | Under 1 second |
| 10 | 123123 | Under 1 second |

*Source: NordPass Most Common Passwords list; Hive Systems Password Table.*

Crack-time figures in the table above are the worst case for the user. NordPass’s frequency analysis shows these strings appear so often in breach corpora that an attacker rarely needs to brute-force them. For comparison data on weak-credential exposure, see SQ Magazine’s [voice phishing data](https://sqmagazine.co.uk/voice-phishing-statistics/) coverage on social-engineering credential capture.

## Password Reuse Across Accounts

- **Cybernews** analysed over **19 billion** passwords exposed in data breaches between April 2024 and April 2025, finding that **94%** were reused or duplicated across accounts.
- **Cybernews** reported that only **6%** of analysed passwords (out of over 19 billion exposed) were unique credentials.
- **Bitwarden’s 2025** World Password Day Global Survey found **78%** of respondents reuse passwords across accounts.
- The same **Bitwarden** survey found **69%** of respondents say they feel overwhelmed by the number of passwords they need to remember.
- **Bitwarden** also reported that approximately one in three respondents (**32%**) writes passwords on paper or in unencrypted notes.
- Around **25%** of **Bitwarden** survey respondents report using a password that is the same as or close to one of the most common passwords on public breach lists.

| Methodology | Source | Reuse Rate | Sample |
|---|---|---|---|
| Leak-corpus analysis | Cybernews 2025 | 94% reused or duplicated | 19 billion exposed passwords |
| Self-reported survey | Bitwarden 2025 | 78% admit reuse | Multi-country consumer survey |

*Source: Cybernews Password Analysis; Bitwarden World Password Day Global Survey.*

The gap between the two figures is methodological. Cybernews counts actual leaked passwords, so duplicates show up at scale; Bitwarden asks people whether they reuse, and self-reported figures understate the behaviour. Either way, reuse is the primary enabler of credential stuffing: once a password leaks from one site, attackers replay the same username and password pair against hundreds of other services. Adoption of dedicated tooling has been slow, as SQ Magazine’s [password manager adoption data](https://sqmagazine.co.uk/password-manager-statistics/) details.

## Credential-Driven Data Breaches

- **Verizon’s 2025 DBIR** found that the use of compromised credentials was the initial access vector in **22%** of the breaches reviewed, down from 31% in the prior period.
- **Verizon** also reported that a staggering **88%** of attacks against basic web applications involved the use of stolen credentials.
- **IBM** estimates breaches where compromised credentials were the initial access vector cost an average of **$4.67 million** per breach.
- **IBM** also reported mean time to identify and contain breaches attributed to stolen or compromised credentials reached an average combined time of **292 days**.
- **Verizon DBIR 2025** found that passwords appear in **28%** of data dumps.

![Password And Credential Breach Trends](https://sqmagazine.co.uk/wp-content/uploads/2026/04/password-and-credential-breach-trends.jpg "Password and Credential Breach Trends")

> **By the numbers:** Stolen credentials drove 22% of breaches in the 2025 DBIR, down from 31% in the prior period, even as 2.8 billion passwords surfaced on criminal markets and dark-web boards in 2024 alone, according to Verizon. Defensive layers like MFA, not better password hygiene, are absorbing the credential-attack surface.

This pattern aligns with broader [cybersecurity threat data](https://sqmagazine.co.uk/cybersecurity-statistics/) showing that defensive maturity is widening even as attack volume holds.

## Cost of Credential-Based Breaches

- **IBM** reported the global average cost of a data breach fell **9%** in 2025, from $4.88 million in 2024 to **$4.44 million** in 2025.
- **IBM** noted the average cost of a US breach reached **$10.22 million**, the highest of any region.
- **IBM** identified phishing as a factor in **41%** of cyber incidents tracked in 2025.
- **IBM** reported healthcare remained the industry with the highest average cost of a data breach at **$7.42 million**.
- **IBM** also flagged shadow AI as a factor in **20%** of breaches, adding **$670,000** to average breach costs.

![Cost Of Data Breaches By Type And Sector](https://sqmagazine.co.uk/wp-content/uploads/2026/04/cost-of-data-breaches-by-type-and-sector.jpg "Cost of Data Breaches by Type and Sector")

The drop in global average breach cost looks like good news on the surface, but credential-breach attacks still cost more than the global average and take 292 days to clean up.

## Brute-Force Crack Times

- The 2025 **Hive Systems** Password Table is built around a benchmark configuration of twelve NVIDIA RTX 5090 graphics cards attacking bcrypt-hashed passwords with a cost factor of 10.
- **Hive Systems** found an eight-character password made up of only lowercase letters can now be cracked in approximately **3 weeks**.
- **Hive Systems** found an eight-character password using upper- and lower-case letters, numbers, and symbols requires roughly **165 years** on the same hardware.
- **Hive Systems** calculated that a fifteen-character lowercase password could take up to **477 million years** to brute-force.
- **Hive Systems** also estimated that AI-grade hardware of the kind used to train large language models increases password-cracking speeds by approximately **1.8 billion percent** compared to consumer-grade machines.
- Compared to 2024, **Hive Systems** found that the time it takes to crack passwords using consumer-grade GPUs has dropped by nearly **20%**.

| Length | Lowercase Only | Plus Numbers | Plus Mixed Case and Symbols |
|---|---|---|---|
| 8 chars | 3 weeks | Months | About 165 years |
| 12 chars | Centuries | Millennia | About 10^9 years |
| 15 chars | About 477 million years | About 10^15 years | Effectively unbreakable |

*Source: Hive Systems Password Table.*

> **Key finding:** Hive Systems estimates AI-grade hardware lifts password-cracking speed roughly 1.8 billion percent above a consumer-grade rig. The practical effect: an 8-character lowercase password falls in about three weeks on the benchmark rig and far faster on AI-grade hardware, while a 15-character passphrase, at hundreds of millions of years on the same rig, stays out of practical reach even after that uplift.

Length, not character variety, is the lever. NIST’s revised guidance reflects the same conclusion.
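The scaling behind the table above, as an added worked example (not Hive Systems' methodology or code): it calibrates an assumed bcrypt-cost-10 hash rate from the single data point the page gives (8 lowercase characters exhausted in about three weeks) and applies that rate to other lengths, character sets and cost factors. The hash rate, the 95-character symbol set and the three-weeks-equals-21-days reading are assumptions; the 15-character lowercase result lands within a few percent of the page's 477 million years, while the 8-character mixed row will not match Hive's figure exactly because the page does not say which symbol set Hive counts.

```python
from dataclasses import dataclass

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Character-set sizes. The symbol count (95 = every printable ASCII
# character) is an assumption; the page does not state Hive's symbol set.
CHARSETS = {
    "lowercase": 26,
    "lowercase+digits": 36,
    "mixed case+digits": 62,
    "mixed case+digits+symbols": 95,
}


def keyspace(length: int, charset_size: int) -> int:
    """Candidates an exhaustive search must try for a password of this shape."""
    return charset_size ** length


def calibrate_rate(length: int = 8, charset_size: int = 26,
                   seconds: float = 3 * 7 * 86400) -> float:
    """bcrypt(cost 10) hashes per second implied by exhausting
    charset_size**length candidates in `seconds`. The defaults encode the
    page's data point: 8 lowercase characters in about three weeks."""
    return keyspace(length, charset_size) / seconds


@dataclass
class CrackEstimate:
    worst_case_seconds: float   # full keyspace exhausted

    @property
    def expected_seconds(self) -> float:
        # On average the target is found halfway through the keyspace.
        return self.worst_case_seconds / 2

    @property
    def years(self) -> float:
        return self.worst_case_seconds / SECONDS_PER_YEAR


def crack_time(length: int, charset_size: int, rate_cost10: float,
               cost: int = 10) -> CrackEstimate:
    """Worst-case exhaustive-search time at a given bcrypt cost factor.

    bcrypt doubles its work for every cost increment, so a hash rate measured
    at cost 10 is halved for each step above it (and doubled for each below).
    """
    rate = rate_cost10 / (2 ** (cost - 10))
    return CrackEstimate(keyspace(length, charset_size) / rate)


def keyspace_ratio(length_a: int, charset_a: int,
                   length_b: int, charset_b: int) -> float:
    """How many times larger search A is than search B; e.g. 12 lowercase
    characters versus 8 characters drawn from the full printable set."""
    return keyspace(length_a, charset_a) / keyspace(length_b, charset_b)


def human(seconds: float) -> str:
    """Round a duration to the largest sensible unit."""
    for name, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60), ("seconds", 1)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return "under 1 second"


if __name__ == "__main__":
    rate = calibrate_rate()
    print(f"implied rate: {rate:,.0f} bcrypt(10) hashes/s")
    for length in (8, 12, 15):
        for name, size in CHARSETS.items():
            est = crack_time(length, size, rate)
            print(f"{length:2d} chars, {name:<26} {human(est.worst_case_seconds)}")
    print("cost 12 instead of 10, 8 lowercase:",
          human(crack_time(8, 26, rate, cost=12).worst_case_seconds))
    print("12 lowercase vs 8 full-charset, keyspace ratio:",
          round(keyspace_ratio(12, 26, 8, 95), 1))
```

Two things the table cannot show fall out directly: a 12-character lowercase passphrase has a larger keyspace than an 8-character password drawn from all 95 printable characters, and raising the bcrypt cost factor from 10 to 12 quadruples every row, which is the defender's own lever independent of what users pick.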

## Credential Stuffing Volume at SSO Providers

- **Verizon’s 2025 DBIR** found that the median daily percentage of credential stuffing accounted for **19%** of all authentication attempts at SSO providers.
- **Verizon** also found that a staggering **88%** of attacks against basic web applications involved the use of stolen credentials.
- **Verizon** reported that passwords appear in **28%** of data dumps, while other sensitive information often appears alongside them.
- **Verizon** classifies credential compromise as one of the most common initial access vectors for breaches overall.

| Authentication Layer | Credential-Stuffing Share | Source |
|---|---|---|
| SSO providers (median daily) | 19% | Verizon DBIR 2025 |
| Basic web app attacks | 88% used stolen credentials | Verizon DBIR 2025 |
| Data dumps containing passwords | 28% | Verizon DBIR 2025 |

*Source: Verizon Data Breach Investigations Report.*

A 19% credential-stuffing rate at SSO ingress points is the floor, not the ceiling. The figure reflects what reaches the authentication endpoint; bot-management and rate-limiting layers upstream drop many attempts before they are counted here. The full pattern lines up with broader [cybersecurity attack data](https://sqmagazine.co.uk/cybersecurity-attacks-statistics/) on automated credential abuse.
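Detecting the replay pattern described in this section and in the reuse section above, as an added example (not Verizon's method or any vendor's product): one source address cycling through many distinct usernames inside a short window with a high failure ratio is the signature of a leaked list being tried against your login endpoint. The log format, the five-minute window and the thresholds are assumptions; the sample log is constructed.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)     # assumption: sliding window per source IP
MIN_DISTINCT_USERS = 5            # one IP cycling many accounts is the tell
MIN_FAILURE_RATIO = 0.75          # a replayed list mostly misses on any one site

# Constructed sample log, one JSON object per line; not real telemetry.
# 203.0.113.7 sprays eight accounts in seconds and lands one; 203.0.113.8
# only touches three, below the threshold; the 198.51.100.x lines are users.
SAMPLE_LOG = """\
{"ts": "2025-05-01T08:00:01Z", "src_ip": "198.51.100.21", "user": "alice", "result": "success"}
{"ts": "2025-05-01T08:00:05Z", "src_ip": "203.0.113.7", "user": "alice", "result": "failure"}
{"ts": "2025-05-01T08:00:06Z", "src_ip": "203.0.113.7", "user": "bob", "result": "failure"}
{"ts": "2025-05-01T08:00:07Z", "src_ip": "203.0.113.7", "user": "carol", "result": "failure"}
{"ts": "2025-05-01T08:00:08Z", "src_ip": "203.0.113.7", "user": "dave", "result": "success"}
{"ts": "2025-05-01T08:00:09Z", "src_ip": "203.0.113.7", "user": "erin", "result": "failure"}
{"ts": "2025-05-01T08:00:10Z", "src_ip": "203.0.113.7", "user": "frank", "result": "failure"}
{"ts": "2025-05-01T08:00:11Z", "src_ip": "203.0.113.7", "user": "grace", "result": "failure"}
{"ts": "2025-05-01T08:00:12Z", "src_ip": "203.0.113.7", "user": "heidi", "result": "failure"}
{"ts": "2025-05-01T08:01:00Z", "src_ip": "198.51.100.22", "user": "bob", "result": "failure"}
{"ts": "2025-05-01T08:01:20Z", "src_ip": "198.51.100.22", "user": "bob", "result": "success"}
{"ts": "2025-05-01T08:02:00Z", "src_ip": "203.0.113.8", "user": "ivan", "result": "failure"}
{"ts": "2025-05-01T08:02:01Z", "src_ip": "203.0.113.8", "user": "judy", "result": "failure"}
{"ts": "2025-05-01T08:02:02Z", "src_ip": "203.0.113.8", "user": "mallory", "result": "failure"}
"""


def parse(log_text: str) -> list:
    """Parse JSON lines into dicts with a timezone-aware datetime, sorted by time."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def detect(events: list):
    """Flag source IPs that, inside WINDOW, hit many distinct usernames with a
    high failure ratio. Returns (flagged_ips, their events, accounts where a
    flagged IP succeeded and therefore need a forced credential reset)."""
    recent = defaultdict(deque)
    flagged = set()
    for ev in events:
        q = recent[ev["src_ip"]]
        q.append(ev)
        while ev["ts"] - q[0]["ts"] > WINDOW:   # expire events older than WINDOW
            q.popleft()
        users = {e["user"] for e in q}
        failures = sum(e["result"] == "failure" for e in q)
        if len(users) >= MIN_DISTINCT_USERS and failures / len(q) >= MIN_FAILURE_RATIO:
            flagged.add(ev["src_ip"])
    # Attribute every event from a flagged IP, including those seen before the
    # threshold tripped, to the campaign.
    stuffing = [e for e in events if e["src_ip"] in flagged]
    compromised = sorted({e["user"] for e in stuffing if e["result"] == "success"})
    return flagged, stuffing, compromised


def stuffing_share(events: list) -> float:
    """Fraction of all authentication attempts attributed to stuffing; the
    same kind of ratio the DBIR reports per day at SSO providers."""
    if not events:
        return 0.0
    return len(detect(events)[1]) / len(events)


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    ips, hits, resets = detect(evs)
    print("flagged:", sorted(ips), "share:", round(stuffing_share(evs), 2), "reset:", resets)
```

The account that the flagged address logged into successfully ("dave" in the sample) is the actionable output: that success is evidence of compromise, which under the NIST guidance discussed later on this page is exactly the condition that justifies forcing a password change.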

## Infostealer Malware and Credential Exposure

- **Verizon’s 2025 DBIR** analysed infostealer logs and found **30%** of corporate-managed devices in infostealer logs contained company credentials.
- **Verizon** also found **46%** of unmanaged devices in infostealer logs contained company credentials.
- **Verizon** estimates **2.8 billion** passwords were posted for sale or for free on criminal message boards, in encrypted messenger groups, and on darknet markets in 2024.
- **Verizon** classifies credential compromise as one of the most common initial access vectors for breaches overall.

![Company Credentials Found In Infostealer Logs By Device Type](https://sqmagazine.co.uk/wp-content/uploads/2026/04/company-credentials-found-in-infostealer-logs-by-device-type.jpg "Company Credentials Found In Infostealer Logs By Device Type")

The 16-point gap between managed and unmanaged devices is one of the cleanest arguments yet for treating bring-your-own-device access as a higher-tier risk than corporate endpoints. The unmanaged-device exposure pattern matches SQ Magazine’s [remote work security data](https://sqmagazine.co.uk/remote-work-cybersecurity-statistics/) on shadow IT and BYOD risk.
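Turning a stealer-log export into the managed-versus-unmanaged split this section reports, as an added example (not Verizon's methodology): each credential line is attributed to a device, company credentials are identified by the target hostname or the account's email domain, and devices are split by whether they appear in the endpoint inventory. The pipe-delimited line layout, the company domain, the device inventory and the export itself are all constructed for the example; real stealer families each have their own formats.

```python
from urllib.parse import urlsplit

COMPANY_DOMAINS = ("example.com",)   # assumption: the organisation's own domains

# Constructed device inventory; in practice this comes from the MDM/EDR export.
MANAGED_HOSTS = {"CORP-LT-0142", "CORP-LT-0207", "CORP-LT-0311"}

# Constructed stealer-log export: url|username|password|hostname per line.
SAMPLE_EXPORT = """\
https://sso.example.com/login|alice@example.com|Summer2024!|CORP-LT-0142
https://shop.example.net/account|alice.personal@mail.test|hunter2|CORP-LT-0142
https://forum.example.org/signin|bob77|letmein|CORP-LT-0207
https://streaming.example.net/login|carol.home@mail.test|123456|CORP-LT-0311
https://mail.example.com/owa|bob@example.com|Winter2024!|DESKTOP-9K2Q
https://bank.example.org/login|dave|qwerty1|HOME-PC
https://vpn.example.com/|julia@example.com|Passw0rd|LAPTOP-JULIA
https://social.example.net/|julia.j|password|LAPTOP-JULIA
"""


def parse_export(text: str) -> list:
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        url, user, secret, host = line.split("|", 3)
        records.append({"url": url, "user": user, "secret": secret, "host": host})
    return records


def _in_domain(name: str, domains) -> bool:
    name = (name or "").lower()
    return any(name == d or name.endswith("." + d) for d in domains)


def is_company_credential(rec: dict, domains=COMPANY_DOMAINS) -> bool:
    """Company credential if the login URL is on a company host or the
    username is a company email address."""
    host = urlsplit(rec["url"]).hostname
    user_domain = rec["user"].rpartition("@")[2] if "@" in rec["user"] else ""
    return _in_domain(host, domains) or _in_domain(user_domain, domains)


def mask(secret: str) -> str:
    """Never carry the plaintext into tickets; keep first/last char for matching."""
    return secret[:1] + "*" * (len(secret) - 2) + secret[-1:] if len(secret) > 2 else "***"


def triage(records: list, domains=COMPANY_DOMAINS, managed=MANAGED_HOSTS):
    """Return (summary per device tier, sorted accounts needing a reset)."""
    devices = {}
    for rec in records:
        dev = devices.setdefault(
            rec["host"], {"managed": rec["host"] in managed, "company_creds": []})
        if is_company_credential(rec, domains):
            dev["company_creds"].append((rec["user"], rec["url"], mask(rec["secret"])))
    summary = {}
    for tier in ("managed", "unmanaged"):
        group = [d for d in devices.values() if d["managed"] == (tier == "managed")]
        hit = sum(1 for d in group if d["company_creds"])
        summary[tier] = {"devices": len(group), "with_company_creds": hit,
                         "share": hit / len(group) if group else 0.0}
    resets = sorted({u for d in devices.values() for (u, _, _) in d["company_creds"]})
    return summary, resets


if __name__ == "__main__":
    summary, resets = triage(parse_export(SAMPLE_EXPORT))
    for tier, s in summary.items():
        print(f"{tier:10s} {s['with_company_creds']}/{s['devices']} devices ({s['share']:.0%})")
    print("force reset + revoke sessions:", resets)
```

Two practical notes: match on the login URL as well as the username, because stealers capture SSO and VPN portals where the stored username is often a bare account name, and treat every entry as a live session risk, not just a password leak, since stealer logs usually ship cookies alongside the credentials.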

## NIST Password Guidelines: What Changed

- **NIST SP 800-63B Rev 4** requires verifiers and CSPs to enforce a minimum password length of **8 characters** and recommends a minimum of **15 characters**.
- **NIST SP 800-63B Rev 4** also recommends verifiers permit a maximum password length of at least **64 characters**.
- **NIST SP 800-63B Rev 4** explicitly states that verifiers and CSPs shall not impose other composition rules for passwords, removing legacy mandates for digits or special characters.
- **NIST SP 800-63B Rev 4** states that verifiers and CSPs shall not require users to change passwords periodically and shall force a change only if there is evidence of compromise.
- **NIST SP 800-63B Rev 4** requires verifiers to compare prospective passwords against a blocklist of values known to be commonly used, expected, or compromised.

| NIST 800-63B Rev 4 Rule | Practical Effect |
|---|---|
| 8-char minimum, 15-char recommended | Length over complexity |
| 64-char minimum maximum | Passphrases must be supported |
| No mandatory composition rules | No more “must include a symbol” |
| No periodic rotation | Rotation only on compromise evidence |
| Blocklist screening required | Block “123456” and similar |

*Source: NIST Special Publication on Digital Identity Guidelines.*

Rev 4 is the codification of guidance NIST has been signalling since 2017. The practical change for organisations still on legacy policy: drop the rotate-every-90-days rule and turn on a breach-list check at password-set time.
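A verifier-side check that implements the Rev 4 rules in the table above, shown next to the legacy composition policy it replaces, as an added example (not NIST's code). The blocklist is a constructed stand-in for a real breached-password corpus (production systems usually query one through a k-anonymity API rather than holding it in memory), and the use of NFKC normalization is one of the two forms Rev 4 allows.

```python
import unicodedata

MIN_LENGTH = 8            # Rev 4: verifiers SHALL require at least 8 characters
RECOMMENDED_LENGTH = 15   # Rev 4: SHOULD require at least 15
MAX_LENGTH = 64           # Rev 4: SHOULD permit at least 64; this verifier accepts up to 64

# Constructed blocklist for the example; a real list is built from breach
# corpora, dictionary words and context-specific strings.
BLOCKLIST = {
    "123456", "123456789", "12345678", "password", "qwerty123", "qwerty1",
    "111111", "12345", "secret", "123123", "p@ssw0rd",
}


def normalize(candidate: str) -> str:
    """Rev 4 has verifiers apply Unicode NFC or NFKC before comparison and
    hashing so the same visible string never hashes two ways. Spaces are
    kept: multi-word passphrases are explicitly allowed."""
    return unicodedata.normalize("NFKC", candidate)


def check_password(candidate: str, *, username: str = "", service: str = "",
                   blocklist=BLOCKLIST):
    """Apply only the Rev 4 rules: length bounds and blocklist screening.
    Returns (accepted, reasons). Deliberately absent: any requirement for
    upper case, digits or symbols, and any password-age check."""
    pw = normalize(candidate)
    reasons = []
    n = len(pw)  # code points after normalization, not bytes
    if n < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if n > MAX_LENGTH:
        # Reject rather than silently truncate; truncation is not permitted.
        reasons.append(f"longer than {MAX_LENGTH} characters")
    lowered = pw.casefold()
    if lowered in {b.casefold() for b in blocklist}:
        reasons.append("on the commonly-used or breached password blocklist")
    if lowered in {s.casefold() for s in (username, service) if s}:
        reasons.append("matches the username or service name")
    return (not reasons, reasons)


def advice(candidate: str) -> list:
    """Non-blocking guidance only: Rev 4 recommends 15+ characters and a
    strength meter, not a hard composition gate."""
    if len(normalize(candidate)) < RECOMMENDED_LENGTH:
        return [f"consider {RECOMMENDED_LENGTH}+ characters, e.g. a multi-word passphrase"]
    return []


def legacy_check(candidate: str) -> bool:
    """The composition policy Rev 4 retires, kept only for contrast:
    8+ characters with at least one upper-case letter, digit and symbol."""
    return (len(candidate) >= 8
            and any(c.isupper() for c in candidate)
            and any(c.isdigit() for c in candidate)
            and any(not c.isalnum() and not c.isspace() for c in candidate))


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "ocean parade lantern", "123456"):
        print(f"{pw!r:24} legacy={legacy_check(pw)!s:5} rev4={check_password(pw)} {advice(pw)}")
```

The contrast is the point: "P@ssw0rd" satisfies every legacy composition rule and fails the Rev 4 check because it is on the blocklist, while a twenty-character lowercase passphrase fails the legacy rule and passes Rev 4 with no warnings.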

## MFA Adoption by Company Size

- **Microsoft** disclosed in 2022 that only **22%** of enterprise customers on Azure AD (since renamed Microsoft Entra ID, the company’s cloud identity platform) had enabled multi-factor authentication.
- Compiled vendor telemetry shows **87%** MFA adoption among companies with more than 10,000 employees, and **78%** among firms with 1,001 to 10,000 employees.
- The same compilation reports only **34%** of companies with 26 to 100 employees use MFA, and **27%** of businesses with up to 25 employees.
- By industry, the technology industry leads at **88%** MFA coverage, the highest of any vertical.
- **Microsoft’s** April 2025 Secure Future Initiative reported **92%** of Microsoft employee productivity accounts now use phishing-resistant multi-factor authentication.

![Multi Factor Authentication Usage By Organization Size](https://sqmagazine.co.uk/wp-content/uploads/2026/04/multi-factor-authentication-usage-by-organization-size.jpg "Multi-Factor Authentication Usage by Organization Size")

Mandatory MFA at the identity-provider level is doing more for SMB MFA coverage than any awareness campaign in the past decade. The pattern lines up with [small business breach statistics](https://sqmagazine.co.uk/small-business-cybersecurity-statistics/) showing SMBs absorb a disproportionate share of credential-driven incidents.

## Passkey Adoption: Consumer and Enterprise

- The **FIDO Alliance** reports that more than **1 billion** people have activated at least one passkey, and over **15 billion** online accounts can use passkeys.
- **FIDO** research shows consumer awareness of passkeys has grown from 39% in 2022 to **75%** in 2025.
- **FIDO** research also found **69%** of users now have at least one passkey enabled on an account.
- Passkey implementation has reached **48%** of the world’s top 100 websites, according to **FIDO Alliance** data.
- **Google** reports a **352%** increase in passkey authentications by 2025 after enabling passkeys as the default sign-in for personal accounts in late 2023.
- **Google** also reports that more than **800 million** Google accounts now use passkeys for sign-in.
- **Dashlane** vault data shows **40%** of Dashlane users now store at least one passkey, double the 20% recorded in 2024.
- **Dashlane** reports passkey-ready deployments grew **87%** year over year among its enterprise customers.
- The **Dashlane** Passkey Power Index also counts **1.3 million** monthly passkey authentications in 2025, more than doubling year over year.

| Metric | Value | Source |
|---|---|---|
| Consumers who have activated a passkey | 1B plus | FIDO Alliance |
| Online accounts passkey-enabled | 15B plus | FIDO Alliance |
| Consumer awareness | 75% (up from 39% in 2022) | FIDO Alliance and HID Global |
| Top 100 websites supporting passkeys | 48% | FIDO Alliance and Dashlane |
| Google passkey-auth growth (since late-2023 default) | 352% | Google |
| Google accounts using passkeys | 800M plus | Google |
| Dashlane users with a passkey | 40% (vs 20% in 2024) | Dashlane Passkey Power 20 |

*Source: FIDO Alliance World Passkey Day; Google Safety Engineering blog; Dashlane Passkey Power Index.*

> **Why it matters:** Google has driven more than 800 million accounts onto passkeys with a 352% cumulative increase in passkey authentications since the late-2023 default change, according to its Safety Engineering disclosures. The figure marks the first authentication transition in 25 years where consumer adoption has run ahead of enterprise mandate, reversing the pattern that defined SMS 2FA and MFA rollouts.

The consumer-led pattern matters because it changes how passwords are retired, with the passkey funnel piggybacking on Google, Apple, and Microsoft consumer-account defaults.

## Biometric Authentication for Login

- **UK Finance** documents **89%** of UK mobile-banking app users authenticate using fingerprint or facial recognition rather than a password or PIN as their primary login method.
- **FIDO** research found **54%** of consumers familiar with passkeys consider them more convenient than passwords.
- **FIDO** research also found **53%** of consumers familiar with passkeys believe they offer greater security.
- **FIDO** data shows that over **35%** of people had at least one of their accounts compromised due to password vulnerabilities in the past year.
- **FIDO** consumer research reports **47%** of consumers will abandon a purchase when they have forgotten the password for that account.

![Biometric Authentication Usage And Preferences](https://sqmagazine.co.uk/wp-content/uploads/2026/04/biometric-authentication-usage-and-preferences.jpg "Biometric Authentication Usage and Preferences")

The 89% UK banking figure is the closest a major password-replacement metric comes to a saturation rate. PSD2 strong-customer-authentication rules accelerated the shift from PIN-only login to fingerprint and face recognition over a five-year window.

## SMS 2FA and SIM-Swap Attack Statistics

- The **FBI** Internet Crime Complaint Center received **982** SIM-swap complaints in calendar year 2024, with reported losses totalling $25,983,946.
- The **FBI** report describes SIM-swap fraud as occurring when attackers convince mobile carriers to transfer a victim’s phone number to an attacker-controlled SIM, after which SMS-based 2FA codes flow to the attacker.
- The **FBI** report observes SIM-swap fraud has remained a persistent threat category since first being designated as a tracked complaint type, and the financial impact has grown steadily as more high-value accounts rely on SMS for second-factor authentication.
- The **FBI** report recommends consumers and institutions move from SMS-based 2FA to authenticator apps or hardware security keys where possible.

| Metric | 2024 Value | Source |
|---|---|---|
| SIM-swap complaints filed | 982 | FBI IC3 |
| Reported losses (US) | $25,983,946 | FBI IC3 |
| Recommended replacement | Authenticator apps or hardware keys | FBI IC3 |

*Source: FBI Internet Crime Complaint Center Annual Report.*

The IC3 figure captures only complaints filed with the FBI, so it is a floor on SIM-swap volume rather than a count of incidents; cases handled directly by carriers, banks and exchanges never reach it. The SIM-swap pattern overlaps with [crypto security data](https://sqmagazine.co.uk/cybersecurity-in-cryptocurrency-statistics/) given how often custodial wallet drains begin with a hijacked phone number.

## Phishing as a Credential-Theft Channel

- **IBM** identified phishing as a factor in **41%** of cyber incidents tracked in 2025.
- **Verizon’s 2025 DBIR** found that a staggering **88%** of attacks against basic web applications involved the use of stolen credentials.
- **Verizon’s 2025 DBIR** found that the use of compromised credentials was the initial access vector in **22%** of breaches reviewed, down from 31% in the prior period.
- **IBM** estimates breaches initiated by compromised credentials cost an average of **$4.67 million** per breach.

| Phishing Outcome | Share or Cost | Source |
|---|---|---|
| Phishing’s share of all incidents | 41% | IBM 2025 |
| Web app attacks using stolen credentials | 88% | Verizon DBIR 2025 |
| Credentials as breach initial access | 22% (down from 31%) | Verizon DBIR 2025 |
| Average credential-breach cost | $4.67 million | IBM 2025 |

*Source: IBM Cost of a Data Breach Report; Verizon Data Breach Investigations Report.*

Phishing remains the most efficient way to convert a stolen credential into account access. The decline in credentials as a breach vector reflects what happens after capture, not fewer captures.

## Frequently Asked Questions (FAQs)

**What is the most common password in 2025?**

NordPass research ranks "123456" as the most common password globally, a position it has held for six of the past seven years. The dataset analysed 2.5 TB of passwords exposed in public breaches and dark-web repositories captured between September 2024 and September 2025.

**How many passwords are leaked in a typical year?**

Per Verizon’s 2025 DBIR, 2.8 billion passwords were posted for sale or for free on dark-web markets, criminal message boards, and encrypted messenger groups during 2024. Passwords appear in 28% of data dumps reviewed in the same period, while other sensitive information often appears alongside them.

**Are passwords being replaced by passkeys?**

Adoption is accelerating fast. The FIDO Alliance reports that more than 1 billion people have activated at least one passkey, and over 15 billion accounts can use passkeys. Google says more than 800 million accounts now sign in with passkeys, with passkey authentications up 352% since passkeys became the default sign-in for personal accounts in late 2023.

**How long does it take to crack an 8-character password in 2025?**

Per the 2025 Hive Systems Password Table, an 8-character lowercase password takes about 3 weeks to brute-force on a 12-GPU RTX 5090 rig running bcrypt. An 8-character password using upper- and lower-case letters, numbers, and symbols requires roughly 165 years on the same hardware.

**What does NIST currently recommend for password length?**

The current NIST password guidelines set an 8-character absolute minimum and recommend a 15-character minimum as best practice. They recommend that verifiers support a maximum length of at least 64 characters and explicitly forbid organisations from imposing composition rules such as mandatory digits or special characters.

**Is SMS-based two-factor authentication still safe?**

The FBI’s 2024 Internet Crime Complaint Center report logged 982 SIM-swap complaints with $25,983,946 in reported losses and recommends consumers and institutions move from SMS-based 2FA to authenticator apps or hardware security keys where possible. Authenticator apps and FIDO2 keys remain the safer default.

## Conclusion

The over 19 billion leaked passwords analysed by Cybernews and the 94% reuse rate within that set frame the central tension in password security right now. Behaviour has barely improved, but the defensive layer has. Verizon’s drop in credential-driven breaches from 31% to 22%, [Google](https://sqmagazine.co.uk/google-usage-statistics/)‘s more than 800 million passkey-enabled accounts, NIST’s 15-character recommendation, and UK Finance’s 89% biometric login share all point in the same direction. The number to watch through the current year is the credential-vector breach share. If MFA and passkeys keep absorbing the credential-attack surface, that number falls again.