Cybernews researchers analysed over 19 billion passwords leaked between April 2024 and April 2025 and found that 94% were reused or duplicated across accounts. The headline number is alarming, but the more interesting story sits underneath it. Even as leak volume climbed, Verizon’s 2025 DBIR found that the use of compromised credentials was the initial access vector in 22% of the breaches reviewed, down from 31% in the prior period. Multi-factor authentication and passkeys are absorbing the defensive load, while password hygiene barely budges.
The data below spans the most common passwords, reuse rates, breach costs, NIST guideline shifts, MFA adoption, passkey uptake, biometric login, and SMS-based two-factor authentication risk.
Key Takeaways
- Cybernews analysed over 19 billion leaked passwords and found 94% were reused or duplicated, leaving only 6% as unique credentials.
- Verizon reports stolen credentials drove 22% of breaches in 2025, down from 31% the prior period.
- Around 2.8 billion passwords were posted for sale or for free on dark-web markets and criminal boards in 2024, per Verizon DBIR 2025.
- IBM estimates breaches initiated by compromised credentials cost an average of $4.67 million per breach.
- The FIDO Alliance confirms more than 1 billion people have activated at least one passkey, and over 15 billion online accounts can use passkeys.
- NIST now recommends a 15-character minimum, recommends that verifiers permit a maximum length of at least 64 characters, and explicitly forbids composition rules in its Revision 4 password guidelines.
- UK Finance reports 89% of UK mobile-banking app users authenticate with fingerprint or facial recognition rather than a password.
Editor’s Choice
- An eight-character lowercase-only password can now be cracked in approximately 3 weeks on a 12-GPU RTX 5090 rig running bcrypt, per Hive Systems.
- Google reports that more than 800 million Google accounts now use passkeys for sign-in.
- Verizon DBIR 2025 found that a staggering 88% of attacks against basic web applications involved the use of stolen credentials.
- The FBI Internet Crime Complaint Center received 982 SIM-swap complaints in 2024, totalling $25,983,946 in reported losses.
- Microsoft disclosed 92% of Microsoft employee productivity accounts now use phishing-resistant multi-factor authentication.
- Hive Systems estimates a 15-character lowercase password could take up to 477 million years to brute-force on the same hardware.
- Verizon’s 2025 DBIR analysis of infostealer logs found company credentials on 30% of the corporate-managed devices and 46% of the unmanaged devices that appeared in those logs.
Recent Developments
- April 2026: Microsoft announced that passkey support for phishing-resistant sign-in to Microsoft Entra-protected resources will roll out across Windows devices, with general availability expected by mid-June 2026.
- March 2026: Microsoft began auto-enabling passkey profiles across all Microsoft Entra ID tenants by default for organisations that had not customised the passkey policy.
- March 2026: Dashlane Passkey Power 20 update reaffirmed that 40% of Dashlane users now store at least one passkey in their vault, double the 20% recorded in 2024.
- February 2026: UK Finance reaffirmed in its updated Payment Markets report that biometric authentication for banking is now the default rather than the exception across the major UK current-account providers.
- February 2026: Microsoft’s Secure Future Initiative status update confirmed that all new Microsoft consumer accounts created from May 2025 onward are passwordless by default, a posture announced in April 2025 and sustained through early 2026.
- January 2026: FIDO Alliance reported continued growth past the more than 1 billion passkey-activation milestone first announced on World Passkey Day 2025, with implementation reaching 48% of the world’s top 100 websites.
The Most Common Passwords
- NordPass found that “123456” remains the world’s most common password for 2025, a position it has held for six of the past seven years.
- The NordPass research analysed a 2.5 TB database of passwords exposed in public breaches and dark-web repositories captured between September 2024 and September 2025.
- Verizon’s DBIR found that only 3% of compromised passwords met basic complexity requirements.
- NordPass concludes that despite significant efforts over the years to educate users about cybersecurity, there has been little improvement in widespread password hygiene and security habits.
| Rank | Password | Time to Crack |
| 1 | 123456 | Under 1 second |
| 2 | 123456789 | Under 1 second |
| 3 | 12345678 | Under 1 second |
| 4 | password | Under 1 second |
| 5 | qwerty123 | Under 1 second |
| 6 | qwerty1 | Under 1 second |
| 7 | 111111 | Under 1 second |
| 8 | 12345 | Under 1 second |
| 9 | secret | Under 1 second |
| 10 | 123123 | Under 1 second |
Source: NordPass Most Common Passwords list; Hive Systems Password Table.
Crack-time figures in the table above are the worst case for the user. NordPass’s frequency analysis shows these strings appear so often in breach corpora that an attacker rarely needs to brute-force them. For comparison data on weak-credential exposure, see SQ Magazine’s voice phishing data coverage on social-engineering credential capture.
Password Reuse Across Accounts
- Cybernews analysed over 19 billion passwords exposed in data breaches between April 2024 and April 2025, finding that 94% were reused or duplicated across accounts.
- Cybernews reported that only 6% of analysed passwords (out of over 19 billion exposed) were unique credentials.
- Bitwarden’s 2025 World Password Day Global Survey found 78% of respondents reuse passwords across accounts.
- The same Bitwarden survey found 69% of respondents say they feel overwhelmed by the number of passwords they need to remember.
- Bitwarden also reported that approximately one in three respondents (32%) writes passwords on paper or in unencrypted notes.
- Around 25% of Bitwarden survey respondents report using a password that is the same as or close to one of the most common passwords on public breach lists.
| Methodology | Source | Reuse Rate | Sample |
| Leak-corpus analysis | Cybernews 2025 | 94% reused or duplicated | 19 billion exposed passwords |
| Self-reported survey | Bitwarden 2025 | 78% admit reuse | Multi-country consumer survey |
Source: Cybernews Password Analysis; Bitwarden World Password Day Global Survey.
The gap between the two figures is methodological. Cybernews counts actual leaked passwords, so duplicates show up at scale; Bitwarden asks people whether they reuse, and self-reporting under-counts the behaviour, as it usually does. Either way, reuse is the primary enabler of credential stuffing: once a password leaks from one site, attackers can replay the same username and password pair against hundreds of other services. Adoption of dedicated tooling has been slow, as SQ Magazine’s password manager adoption data details.
Credential-Driven Data Breaches
- Verizon’s 2025 DBIR found that the use of compromised credentials was the initial access vector in 22% of the breaches reviewed, down from 31% in the prior period.
- Verizon also reported that a staggering 88% of attacks against basic web applications involved the use of stolen credentials.
- IBM estimates breaches where compromised credentials were the initial access vector cost an average of $4.67 million per breach.
- IBM also reported that breaches attributed to stolen or compromised credentials took an average of 292 days to identify and contain.
- Verizon DBIR 2025 found that passwords appear in 28% of data dumps.
By the numbers: Stolen credentials drove 22% of breaches in the 2025 DBIR, down from 31% in the prior period, even as 2.8 billion passwords surfaced on criminal markets and dark-web boards in 2024 alone, according to Verizon. Defensive layers like MFA, not better password hygiene, are absorbing the credential-attack surface.
This pattern aligns with broader cybersecurity threat data showing that defensive maturity is widening even as attack volume holds.
Cost of Credential-Based Breaches
- IBM reported the global average cost of a data breach fell 9% in 2025, from $4.88 million in 2024 to $4.44 million in 2025.
- IBM noted the average cost of a US breach reached $10.22 million, the highest of any region.
- IBM identified phishing as a factor in 41% of cyber incidents tracked in 2025.
- IBM reported healthcare remained the industry with the highest average cost of a data breach at $7.42 million.
- IBM also flagged shadow AI as a factor in 20% of breaches, adding $670,000 to average breach costs.
The drop in global average breach cost looks like good news on the surface, but credential-initiated breaches still cost more than the global average ($4.67 million against $4.44 million) and take an average of 292 days to identify and contain.
Brute-Force Crack Times
- The 2025 Hive Systems Password Table is built around a benchmark configuration of twelve NVIDIA RTX 5090 graphics cards attacking bcrypt-hashed passwords with a cost factor of 10.
- Hive Systems found an eight-character password made up of only lowercase letters can now be cracked in approximately 3 weeks.
- Hive Systems found an eight-character password using upper- and lower-case letters, numbers, and symbols requires roughly 165 years on the same hardware.
- Hive Systems calculated that a fifteen-character lowercase password could take up to 477 million years to brute-force.
- Hive Systems also estimated that AI-grade hardware of the kind used to train large language models increases password-cracking speeds by approximately 1.8 billion percent compared to consumer-grade machines.
- Compared to 2024, Hive Systems found that the time it takes to crack passwords using consumer-grade GPUs has dropped by nearly 20%.
| Length | Lowercase Only | Plus Numbers | Plus Mixed Case and Symbols |
| 8 chars | 3 weeks | Months | About 165 years |
| 12 chars | Centuries | Millennia | About 10^9 years |
| 15 chars | About 477 million years | About 10^15 years | Effectively unbreakable |
Source: Hive Systems Password Table.
Key finding: Hive Systems estimates AI-grade hardware lifts password-cracking speed roughly 1.8 billion percent above a consumer-grade rig, which is an 18-million-fold multiplier. Applied to the page’s own figures, that multiplier turns the 477-million-year estimate for a 15-character lowercase string into roughly 26 years, so the “effectively unbreakable” label belongs to the 15-character mixed-character-set row, not to lowercase alone. The practical effect: an 8-character lowercase or lowercase-plus-digits password falls within weeks to months on the consumer rig, while a 15-character passphrase drawn from a mixed character set remains out of reach even with attacker access to LLM-tier compute.
Length, not character variety, is the lever, because each added character multiplies the keyspace by the whole alphabet again. NIST’s revised guidance reflects the same conclusion.
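The arithmetic behind a crack-time table, as an added example that is not Hive Systems’ code. It backs a hashes-per-second rate out of one row on the page (eight lowercase characters in about three weeks on the 12-GPU bcrypt rig) and treats that rate as an assumption, then shows the keyspace ratio between 15 lowercase characters and 8 characters of full printable ASCII, the effect of the 1.8-billion-percent AI-hardware figure once it is converted to a multiplier, and how a higher bcrypt cost factor halves attacker throughput per step. The functions, constants and the derived rate are all this example’s, not Hive’s.

```python
"""Keyspace and crack-time arithmetic behind tables like Hive Systems'.

Added example for this page; it is not Hive Systems' code. The hash rate is
an ASSUMPTION backed out of one row on the page (eight lowercase characters
in about three weeks); swap in the rate your own benchmark reports.
"""

SECONDS_PER_YEAR = 365.25 * 24 * 3600
THREE_WEEKS = 3 * 7 * 24 * 3600

# Alphabet sizes matching the column headings used on the page.
CHARSETS = {
    "lowercase": 26,             # a-z
    "lowercase+digits": 36,      # a-z 0-9
    "mixed+digits+symbols": 95,  # printable ASCII
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates an exhaustive search of exactly `length` characters must cover."""
    return alphabet_size ** length


def rate_from_observation(alphabet_size: int, length: int, seconds: float) -> float:
    """Back a hashes-per-second rate out of a published worst-case crack time."""
    return keyspace(alphabet_size, length) / seconds


def crack_time_years(alphabet_size: int, length: int, hashes_per_second: float,
                     speedup: float = 1.0) -> float:
    """Worst-case time to exhaust the keyspace at the given rate and hardware multiplier."""
    seconds = keyspace(alphabet_size, length) / (hashes_per_second * speedup)
    return seconds / SECONDS_PER_YEAR


def bcrypt_rate_at_cost(rate_at_cost_10: float, cost: int) -> float:
    """bcrypt runs 2**cost rounds, so every +1 on the cost factor halves throughput."""
    return rate_at_cost_10 / 2 ** (cost - 10)


def speedup_from_percent(percent_faster: float) -> float:
    """'1.8 billion percent faster' is a multiplier of 1 + percent/100, not percent/100."""
    return 1 + percent_faster / 100


# ASSUMED rate: 26**8 candidates in three weeks on the page's 12x RTX 5090 bcrypt rig.
ASSUMED_RATE = rate_from_observation(CHARSETS["lowercase"], 8, THREE_WEEKS)
AI_SPEEDUP = speedup_from_percent(1.8e9)  # page: +1.8 billion percent


def length_vs_charset() -> dict:
    """Show why length dominates: 15 lowercase chars out-number 8 chars of full ASCII."""
    long_lower = keyspace(CHARSETS["lowercase"], 15)
    short_full = keyspace(CHARSETS["mixed+digits+symbols"], 8)
    return {
        "ratio_15lower_to_8full": long_lower / short_full,
        "years_15lower_consumer": crack_time_years(26, 15, ASSUMED_RATE),
        "years_15lower_ai": crack_time_years(26, 15, ASSUMED_RATE, AI_SPEEDUP),
        "years_8lower_cost12": crack_time_years(26, 8, bcrypt_rate_at_cost(ASSUMED_RATE, 12)),
    }


if __name__ == "__main__":
    for name, value in length_vs_charset().items():
        print(f"{name:28s} {value:,.1f}")
```

With the rate derived from the three-week row, the 15-character lowercase estimate comes out near 460 million years, within rounding of the page’s 477 million, and the AI-hardware multiplier pulls it down to about 26 years. Not every row of a published table is reproducible from a single rate, which is why the rate is an input here rather than a constant: run hashcat’s benchmark mode against the hash and cost factor you actually deploy and feed that number in.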
Credential Stuffing Volume at SSO Providers
- Verizon’s 2025 DBIR found that the median daily percentage of credential stuffing accounted for 19% of all authentication attempts at SSO providers.
- Verizon also found that a staggering 88% of attacks against basic web applications involved the use of stolen credentials.
- Verizon reported that passwords appear in 28% of data dumps, while other sensitive information often appears alongside them.
- Verizon classifies credential compromise as one of the most common initial access vectors for breaches overall.
| Authentication Layer | Credential-Stuffing Share | Source |
| SSO providers (median daily) | 19% | Verizon DBIR 2025 |
| Basic web app attacks | 88% used stolen credentials | Verizon DBIR 2025 |
| Data dumps containing passwords | 28% | Verizon DBIR 2025 |
Source: Verizon Data Breach Investigations Report.
A 19% credential-stuffing rate at SSO ingress points is the floor, not the ceiling. The figure reflects only what reaches the authentication endpoint; upstream rate limiting, bot management and IP-reputation filters discard the noisiest traffic before it is counted. The full pattern lines up with broader cybersecurity attack data on automated credential abuse.
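Detection logic for the pattern the DBIR is measuring, as an added example that is not Verizon’s or any SSO vendor’s code. Credential stuffing looks different from a user who has forgotten a password: one source tries many distinct usernames once each, almost all of them fail, and the handful that succeed are the accounts whose reused password matched. The JSON-lines log format (ts, src_ip, user, result) and every line in the sample are constructed for the example; the thresholds are starting points to tune, not vendor defaults.

```python
"""Flag credential-stuffing sources in SSO authentication logs.

Added example for this page; it is not Verizon's or any SSO vendor's code.
The log format (JSON lines with ts, src_ip, user, result) and every line
produced by build_sample_log() are constructed for the example.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def build_sample_log() -> str:
    """Construct a JSON-lines log: one stuffing source plus ordinary user traffic."""
    t0 = datetime(2025, 5, 1, 10, 0, 0, tzinfo=timezone.utc)
    rows = []
    # Stuffing: 50 distinct usernames from one IP, one attempt each, two of them land.
    for i in range(50):
        rows.append({"ts": t0 + timedelta(seconds=i), "src_ip": "203.0.113.7",
                     "user": f"user{i:02d}", "result": "success" if i in (13, 37) else "fail"})
    # Ordinary traffic: a typo, a clean login, and a user who has forgotten their password.
    for i, res in enumerate(("fail", "fail", "success")):
        rows.append({"ts": t0 + timedelta(seconds=5 + i), "src_ip": "198.51.100.4",
                     "user": "alice", "result": res})
    rows.append({"ts": t0 + timedelta(seconds=9), "src_ip": "198.51.100.9",
                 "user": "bob", "result": "success"})
    for i in range(5):
        rows.append({"ts": t0 + timedelta(seconds=20 + 30 * i), "src_ip": "192.0.2.55",
                     "user": "carol", "result": "fail"})
    return "\n".join(json.dumps({**r, "ts": r["ts"].isoformat().replace("+00:00", "Z")})
                     for r in rows)


def parse_log(text: str) -> list:
    """Parse JSON lines into events carrying a timezone-aware datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return events


def detect_stuffing(events, window=timedelta(minutes=10), min_users=20, min_fail_ratio=0.9):
    """Per source IP, slide a time window and flag the IP when many distinct usernames
    are tried and almost every attempt fails. A single user hammering their own account
    never reaches min_users, so forgotten-password noise does not trip this."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["src_ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(e["result"] == "fail" for e in win)
            qualifies = len(users) >= min_users and fails / len(win) >= min_fail_ratio
            # Keep the largest qualifying window so every success from the source is listed.
            if qualifies and (ip not in flagged or len(win) > flagged[ip]["attempts"]):
                flagged[ip] = {
                    "attempts": len(win),
                    "distinct_users": len(users),
                    "fail_ratio": fails / len(win),
                    # Successes from a stuffing source are the accounts to lock and reset:
                    # each one is a reused password that matched.
                    "compromised": sorted(e["user"] for e in win if e["result"] == "success"),
                }
    return flagged


def stuffing_share(events, flagged) -> float:
    """Fraction of all authentication attempts attributed to flagged sources,
    the same kind of ratio the DBIR's 19% median daily figure expresses."""
    hits = sum(e["src_ip"] in flagged for e in events)
    return hits / len(events) if events else 0.0


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    hits = detect_stuffing(evs)
    print(hits)
    print(f"stuffing share of attempts: {stuffing_share(evs, hits):.0%}")
```

On the constructed log the single stuffing source accounts for 50 of 59 attempts, and the two usernames that succeeded are the ones to lock and force through a reset. Distributed campaigns spread the same pattern across many IPs, so in production the grouping key is usually ASN, user-agent fingerprint or session token rather than a single address.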
Infostealer Malware and Credential Exposure
- Verizon’s 2025 DBIR analysed infostealer logs and found 30% of corporate-managed devices in infostealer logs contained company credentials.
- Verizon also found 46% of unmanaged devices in infostealer logs contained company credentials.
- Verizon estimates 2.8 billion passwords were posted for sale or for free on criminal message boards, in encrypted messenger groups, and on darknet markets in 2024.
- Verizon classifies credential compromise as one of the most common initial access vectors for breaches overall.
The 16-point gap between managed and unmanaged devices is one of the cleanest arguments yet for treating bring-your-own-device access as a higher-tier risk than corporate endpoints. The unmanaged-device exposure pattern matches SQ Magazine’s remote work security data on shadow IT and BYOD risk.
NIST Password Guidelines: What Changed
- NIST SP 800-63B Rev 4 requires verifiers and CSPs to enforce a minimum password length of 8 characters and recommends a minimum of 15 characters.
- NIST SP 800-63B Rev 4 also recommends verifiers permit a maximum password length of at least 64 characters.
- NIST SP 800-63B Rev 4 explicitly states that verifiers and CSPs shall not impose other composition rules for passwords, removing legacy mandates for digits or special characters.
- NIST SP 800-63B Rev 4 states that verifiers and CSPs shall not require users to change passwords periodically and shall force a change only if there is evidence of compromise.
- NIST SP 800-63B Rev 4 requires verifiers to compare prospective passwords against a blocklist of values known to be commonly used, expected, or compromised.
| NIST 800-63B Rev 4 Rule | Practical Effect |
| 8-char minimum, 15-char recommended | Length over complexity |
| 64-char minimum maximum | Passphrases must be supported |
| No mandatory composition rules | No more “must include a symbol” |
| No periodic rotation | Rotation only on compromise evidence |
| Blocklist screening required | Block “123456” and similar |
Source: NIST Special Publication on Digital Identity Guidelines.
Rev 4 is the codification of guidance NIST has been signalling since 2017. The practical change for organisations still on legacy policy: drop the rotate-every-90-days rule and turn on a breach-list check at password-set time.
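The verifier-side checks the table above describes, as an added example that is not NIST’s code or any product’s. It counts length in Unicode code points after NFKC normalisation, enforces the 8-character floor with the 15-character recommendation as an option, allows passphrases well past 64 characters, applies no composition rule, screens against a blocklist and context-specific words, and shows the k-anonymity range lookup used for breach-list checks, where only the first five hex characters of SHA-1(password) ever leave the verifier. The blocklist is a stand-in built from the page’s top-10 list, the range response is constructed, and the 128-character cap is this example’s choice.

```python
"""Verifier-side password checks aligned with NIST SP 800-63B Rev 4.

Added example for this page; it is not NIST's code and not any product's.
The blocklist is a stand-in built from the page's top-10 list, the HIBP-style
range response is constructed, and the 128-character cap is an assumption.
"""
import hashlib
import unicodedata

MIN_LEN = 8            # Rev 4: verifiers SHALL require at least 8 characters
RECOMMENDED_MIN = 15   # Rev 4: verifiers SHOULD require at least 15
MAX_LEN = 128          # Rev 4: SHOULD permit at least 64; 128 is this example's choice
                       # (bcrypt truncates at 72 bytes: pre-hash, or use a KDF without that limit)

# Stand-in blocklist; in production this is a breach corpus plus dictionary words.
BLOCKLIST = {"123456", "123456789", "12345678", "password", "qwerty123",
             "qwerty1", "111111", "12345", "secret", "123123"}


def normalize(pw: str) -> str:
    """Rev 4: apply NFKC or NFC before counting length and before hashing."""
    return unicodedata.normalize("NFKC", pw)


def check_password(pw: str, blocklist=BLOCKLIST, context_words=(), min_len=MIN_LEN):
    """Return (accepted, reason). Length is counted in code points, whitespace and any
    printable Unicode are allowed, and there is deliberately no composition rule."""
    pw = normalize(pw)
    if len(pw) < min_len:
        return False, "too short"
    if len(pw) > MAX_LEN:
        return False, "too long"
    folded = pw.casefold()
    if folded in blocklist:
        return False, "blocklisted"
    if any(w.casefold() in folded for w in context_words):
        return False, "context-specific"
    return True, "ok"


def hibp_prefix(pw: str) -> str:
    """First five hex chars of SHA-1(password): the only thing sent to a k-anonymity range API."""
    return hashlib.sha1(normalize(pw).encode("utf-8")).hexdigest().upper()[:5]


def hibp_range_hit(pw: str, range_response: str) -> int:
    """Match the remaining 35 hex chars against a 'SUFFIX:COUNT' range response that was
    fetched for hibp_prefix(pw). Returns the breach count, or 0 if the hash is absent."""
    suffix = hashlib.sha1(normalize(pw).encode("utf-8")).hexdigest().upper()[5:]
    for line in range_response.splitlines():
        line = line.strip()
        if not line:
            continue
        sfx, count = line.split(":", 1)
        if sfx == suffix:
            return int(count)
    return 0


# CONSTRUCTED range response for prefix 7C4A8 (SHA-1 of "123456" begins 7C4A8D09...);
# the counts are made up for the example.
SAMPLE_RANGE_7C4A8 = """\
D09CA3762AF61E59520943DC26494F8941B:42
D0A1C2B3D4E5F60718293A4B5C6D7E8F901:3
"""


if __name__ == "__main__":
    for candidate in ("password", "123456", "Tr0ub4dor&3", "correct horse battery staple"):
        print(candidate, check_password(candidate, min_len=RECOMMENDED_MIN))
    print("123456 breach count:", hibp_range_hit("123456", SAMPLE_RANGE_7C4A8))
```

The normalisation step matters more than it looks: a decomposed “ñ” is two code points before NFKC and one after, so counting before normalising lets a four-character string pass an eight-character floor. Run the blocklist and range check at password-set time and on login after a new breach corpus lands; Rev 4’s rotation rule means a hit at either point, not a calendar, is what triggers a forced change.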
MFA Adoption by Company Size
- Microsoft disclosed in 2022 that only 22% of enterprise customers using Microsoft Entra ID (then still named Azure Active Directory), the company’s cloud identity platform, had enabled multi-factor authentication.
- Compiled vendor telemetry shows 87% MFA adoption among companies with more than 10,000 employees, and 78% among firms with 1,001 to 10,000 employees.
- The same compilation reports only 34% of companies with 26 to 100 employees use MFA, and 27% of businesses with up to 25 employees.
- By industry, the technology industry leads at 88% MFA coverage, the highest of any vertical.
- Microsoft’s April 2025 Secure Future Initiative reported 92% of Microsoft employee productivity accounts now use phishing-resistant multi-factor authentication.
Mandatory MFA at the identity-provider level is doing more for SMB MFA coverage than any awareness campaign in the past decade. The pattern lines up with small business breach statistics showing SMBs absorb a disproportionate share of credential-driven incidents.
Passkey Adoption: Consumer and Enterprise
- The FIDO Alliance reports that more than 1 billion people have activated at least one passkey, and over 15 billion online accounts can use passkeys.
- FIDO research shows consumer awareness of passkeys has grown from 39% in 2022 to 75% in 2025.
- FIDO research also found 69% of consumers now have at least one passkey enabled.
- Passkey implementation has reached 48% of the world’s top 100 websites, according to FIDO Alliance data.
- Google reports a 352% increase in passkey authentications by 2025 after enabling passkeys as the default sign-in for personal accounts in late 2023.
- Google also reports that more than 800 million Google accounts now use passkeys for sign-in.
- Across the broader passkey ecosystem, monthly passkey authentications reached 1.3 million in 2025, more than doubling year over year.
- Dashlane vault data shows 40% of Dashlane users now store at least one passkey, double the 20% recorded in 2024.
- Dashlane reports passkey-ready deployments grew 87% year over year among its enterprise customers.
| Metric | Value | Source |
| Consumers who have activated a passkey | 1B plus | FIDO Alliance |
| Online accounts passkey-enabled | 15B plus | FIDO Alliance |
| Consumer awareness | 75% (up from 39% in 2022) | FIDO Alliance and HID Global |
| Top 100 websites supporting passkeys | 48% | FIDO Alliance and Dashlane |
| Google passkey-auth growth (since late-2023 default) | 352% | Google Safety Engineering blog |
| Google accounts using passkeys | 800M plus | Google Safety Engineering blog |
| Dashlane users with a passkey | 40% (vs 20% in 2024) | Dashlane Passkey Power 20 |
Source: FIDO Alliance World Passkey Day; Google Safety Engineering blog; Dashlane Passkey Power Index.
Why it matters: Google has driven more than 800 million accounts onto passkeys with a 352% cumulative increase in passkey authentications since the late-2023 default change, according to its Safety Engineering disclosures. The figure marks the first authentication transition in 25 years where consumer adoption has run ahead of enterprise mandate, reversing the pattern that defined SMS 2FA and MFA rollouts.
The consumer-led pattern matters because it changes how passwords are retired, with the passkey funnel piggybacking on Google, Apple, and Microsoft consumer-account defaults.
Biometric Authentication for Login
- UK Finance documents 89% of UK mobile-banking app users authenticate using fingerprint or facial recognition rather than a password or PIN as their primary login method.
- FIDO research found 54% of consumers familiar with passkeys consider them more convenient than passwords.
- FIDO research also found 53% of consumers familiar with passkeys believe they offer greater security.
- FIDO data shows that over 35% of people had at least one of their accounts compromised due to password vulnerabilities in the past year.
- FIDO consumer research reports 47% of consumers will abandon a purchase when they have forgotten the password for that account.
The 89% UK banking figure is the closest a major password-replacement metric comes to a saturation rate. PSD2 strong-customer-authentication rules accelerated the shift from PIN-only login to fingerprint and face recognition over a five-year window.
SMS 2FA and SIM-Swap Attack Statistics
- The FBI Internet Crime Complaint Center received 982 SIM-swap complaints in calendar year 2024, with reported losses totalling $25,983,946.
- The FBI report describes SIM-swap fraud as occurring when attackers convince mobile carriers to transfer a victim’s phone number to an attacker-controlled SIM, after which SMS-based 2FA codes flow to the attacker.
- The FBI report observes SIM-swap fraud has remained a persistent threat category since first being designated as a tracked complaint type, and the financial impact has grown steadily as more high-value accounts rely on SMS for second-factor authentication.
- The FBI report recommends consumers and institutions move from SMS-based 2FA to authenticator apps or hardware security keys where possible.
| Metric | 2024 Value | Source |
| SIM-swap complaints filed | 982 | FBI IC3 |
| Reported losses (US) | $25,983,946 | FBI IC3 |
| Recommended replacement | Authenticator apps or hardware keys | FBI IC3 |
Source: FBI Internet Crime Complaint Center Annual Report.
The IC3 figure captures only complaints that crossed the FBI threshold; carrier-level fraud reporting puts SIM-swap volume substantially higher. The SIM-swap pattern overlaps with crypto security data given how often custodial wallet drains begin with a hijacked phone number.
Phishing as a Credential-Theft Channel
- IBM identified phishing as a factor in 41% of cyber incidents tracked in 2025.
- Verizon’s 2025 DBIR found that a staggering 88% of attacks against basic web applications involved the use of stolen credentials.
- Verizon’s 2025 DBIR found that the use of compromised credentials was the initial access vector in 22% of breaches reviewed, down from 31% in the prior period.
- IBM estimates breaches initiated by compromised credentials cost an average of $4.67 million per breach.
| Phishing Outcome | Share or Cost | Source |
| Phishing’s share of all incidents | 41% | IBM 2025 |
| Web app attacks using stolen credentials | 88% | Verizon DBIR 2025 |
| Credentials as breach initial access | 22% (down from 31%) | Verizon DBIR 2025 |
| Average credential-breach cost | $4.67 million | IBM 2025 |
Source: IBM Cost of a Data Breach Report; Verizon Data Breach Investigations Report.
Phishing remains the most efficient way to capture a credential in the first place. The decline in credentials as an initial access vector reflects what happens after capture, where MFA and passkeys blunt the replay, not fewer captures.
Frequently Asked Questions (FAQs)
NordPass research ranks “123456” as the most common password globally, a position it has held for six of the past seven years. The dataset analysed 2.5 TB of passwords exposed in public breaches and dark-web repositories captured between September 2024 and September 2025.
Per Verizon’s 2025 DBIR, 2.8 billion passwords were posted for sale or for free on dark-web markets, criminal message boards, and encrypted messenger groups during 2024. Passwords appear in 28% of data dumps reviewed in the same period, while other sensitive information often appears alongside them.
Adoption is accelerating fast. The FIDO Alliance reports that more than 1 billion people have activated at least one passkey, and over 15 billion accounts can use passkeys. Google says more than 800 million accounts now sign in with passkeys, with passkey authentications up 352% since passkeys became the default sign-in for personal accounts in late 2023.
Per the 2025 Hive Systems Password Table, an 8-character lowercase password takes about 3 weeks to brute-force on a 12-GPU RTX 5090 rig running bcrypt. An 8-character password using upper- and lower-case letters, numbers, and symbols requires roughly 165 years on the same hardware.
The current NIST password guidelines set an 8-character absolute minimum and recommend a 15-character minimum as best practice. They recommend that verifiers support a maximum length of at least 64 characters and explicitly forbid organisations from imposing composition rules such as mandatory digits or special characters.
The FBI’s 2024 Internet Crime Complaint Center report logged 982 SIM-swap complaints with $25,983,946 in reported losses and recommends consumers and institutions move from SMS-based 2FA to authenticator apps or hardware security keys where possible. Authenticator apps and FIDO2 keys remain the safer default.
Conclusion
The over 19 billion leaked passwords analysed by Cybernews and the 94% reuse rate within that set frame the central tension in password security right now. Behaviour has barely improved, but the defensive layer has. Verizon’s drop in credential-driven breaches from 31% to 22%, Google’s more than 800 million passkey-enabled accounts, NIST’s 15-character recommendation, and UK Finance’s 89% biometric login share all point in the same direction. The number to watch through the current year is the credential-vector breach share. If MFA and passkeys keep absorbing the credential-attack surface, that number falls again.