For all the technological advancements in today’s online world, we remain painfully behind when it comes to password use and security. Most internet users today aren’t aware of the importance of establishing secure and effective passwords, which leaves people vulnerable to the attacks of cybercriminals and hackers. The password statistics below reveal some major consequences of failed cybersecurity practices.

We all use passwords to protect some of our most important and confidential information, like bank statements, work log-ins and medical information. For many online systems, a password is all that stands between your personal information and a hacker trying to steal it. So why don’t we put more effort into making them as secure as possible? The following statistics shed light on some surprising password trends among consumers and organizations —and the consequences that might make you rethink your own online habits.

Table of Contents:

Weak Password Statistics and Habits

While the capabilities of cybercriminals continue to evolve, our password management habits and understanding of proper cybersecurity practices haven’t kept the same pace. This goes for both consumers and businesses, as the statistics below reveal.


  1. 75% of Americans say they feel frustrated trying to maintain and keep track of their passwords. (Google)
  2. 24% of Americans have used the word “password,” “Qwerty” or “123456” as their password. (Google)
  3. 43% of Americans have shared their password with someone. (Google)
  4. 20% of Americans have shared the password to their email account. (Google)
  5. Only 37% of Americans used two-factor authentication to secure their passwords in 2020. (Google)
  6. Only 34% of Americans say they change their passwords regularly. (Google)
  7. Just 15% of Americans use an online password manager. (Google)
  8. 66% of Americans use the same password across multiple online accounts. (Google)
  9. While 79% of Americans said keeping their security software up to date is very important, 33% don’t update theirs regularly. (Google)
  10. 27% of Americans have tried to guess someone else’s password, and 17% of them were able to guess correctly. (Google)
  11. 13% of Americans reported reusing their password across all their accounts in 2019. (Google)
  12. Only 32% of Americans were able to correctly define “phishing,” “password manager” and “two-step verification.” (Google)
  13. 42% of organizations rely on sticky notes for password management. (Ponemon Institute)
  14. 59% of organizations rely on human memory to manage passwords. (Ponemon Institute)
  15. 62% of organizations say they don’t take the necessary steps in properly securing mobile data. (Ponemon Institute)

While the methods of cybercriminals are sophisticated, proper defense against them doesn’t require enormous effort. Implementing simple password security best practices can greatly reduce the likelihood of an attack. To keep your data safe, make sure you’re doing the following:

  • Choose a password with at least 12 characters, with a mix of uppercase and lowercase letters, numbers and symbols.
  • Create a unique password for every online account—do not reuse passwords.
  • Use a password manager like LastPass to simplify the process of creating a unique, strong password for every account.
  • Don’t write your passwords down, whether physically or electronically.
  • Use two-factor authentication where you can. This alone can prevent a majority of hackers from accessing your data.

Password Security and Data Breach Statistics

In an age where technology has continued to evolve rapidly, our password security practices have hardly changed. If you still reuse your password on every account or haven’t changed it in years, you’re not alone—but hopefully the statistics below .


  1. 52% of data breaches were caused by malicious attacks, and each breach costs an average of $4.27 million. (IBM)
  2. 4 out of 10 Americans have had their personal data compromised online. Of those, 47% have lost money as a result. (Google)
  3. 38% of Americans say they’ve lost time because of a data breach. (Google)
  4. Only 45% of Americans say they would change their password after being hacked. (Google)
  5. The total cost of a data breach in America was $8.64 million in 2020. (IBM)
  6. Across all industries, it took an average of 280 days to identify and contain a data breach in 2020. (IBM)
  7. Containing a data breach in 200 days or less saved an average of $1 million in 2020. (IBM)
  8. In 2020, data breach costs took up 39% of an organization’s budget more than a year after the breach. (IBM)
  9. 80% of hacking-related breaches are caused by stolen and reused credentials. (Verizon)
  10. Password dumper malware is the most prominent type of malware, which caused 40% of malware-related breaches in 2020. (Verizon)
  11. 80% of hacking-related breaches are linked to passwords. (Verizon)
  12. Cybercriminals sell access to organizations’ key systems for an average of $3,139, and systems have been sold for up to $140,000. (Digital Shadows)
  13. Brute-force hacking tools are sold on criminal marketplaces for just $4 on average. (Digital Shadows)
  14.  Email addresses containing the words “invoice” or “invoices” accounted for 66% of breached credentials in 2020. (Digital Shadows)

Password Security Statistics by Industry

Cybercriminals aren’t only a threat to home users—they pose a significant risk to large organizations across all industries as well. That said, not all industries are equally impacted. Compliance regulations vary greatly across sectors, and some industries are quicker to adopt and maintain appropriate security measures than others. For example, technology and software companies are often highly diligent in their cybersecurity defenses while insurance companies frequently trail behind.

  1. The healthcare industry had the highest average cost of a data breach in 2020 at $7.13 million. (IBM)
  2. Research, media, hospitality, and public sector industries had the lowest average cost of a data breach, ranging between $1.1 and $1.7 million. (IBM)
  3. Over half of legal and compliance leaders surveyed in 2020 said they believe the most-increased risk their organizations face due to COVID-19 is cybersecurity and data breach. (Gartner)
  4. The same respondents said the cybersecurity risks they fear are those resulting from practices such as using unsecured networks. (Gartner)
  5. 37% of employees in technology and software businesses use multi-factor authentication (MFA)—the use of two or more separate factors in verifying and authorizing a user. (LastPass)
  6. 33% of employees in education use MFA and 32% of banking or financial employees use MFA. (LastPass)
  7. On the lower end, only 20% of employees in legal or insurance businesses use MFA. (LastPass)


  1. Enabling mobile password management increases employee use of password management systems by 30%.  (LastPass)
  2. Employees in the media and advertising industry have the most passwords to remember, with an average of 97 passwords per employee. (LastPass)
  3. Government employees have the lowest number of passwords to remember, averaging around 54 passwords per employee. (LastPass)
  4. Media and advertising employees reuse passwords almost twice as much as employees in other industries do. (LastPass)
  5. Employees in the not-for-profit industry have the lowest number of reused passwords (around 9 on average). (LastPass)
  6. Employees in the technology or software industries reuse around 15 passwords on average. (LastPass)
  7. Banking and financial accounts had the most listings on cybercriminal marketplaces where cybercriminals buy and sell organizations’ account credentials. (Digital Shadows)
  8. Brute-forcing tools targeting the banking and financial industry are sold for an average of $74.30. (Digital Shadows)

As it turns out, maintaining the basics of cybersecurity best practices often has the biggest impact on avoiding the most common attacks. Organizations that require their employees to use MFA are far ahead of the curve than others when it comes to defending against attacks. Additionally, making password management convenient and accessible increases the likelihood that employees will use it.

Action item: Be diligent about maintaining the basics of your organization’s cybersecurity practices. Consider introducing a mobile password management component to increase convenience and ease of use among employees.

Password Security Statistics by Company Size

Larger organizations are shown to have higher adoption rates of cybersecurity measures than smaller companies have. This makes sense considering large companies may have thousands of employees, and they might be subject to stricter policies and regulations. Smaller companies might be less familiar with the proper defenses they should have in place, or it may simply be less of a priority—IT staff in smaller organizations are often spread thin, juggling multiple competing responsibilities.

  1. Large businesses are more likely to use multi-factor authentication (MFA)—87% of businesses with 10,000 employees or more use MFA. (LastPass)
  2. Large companies are more than twice as likely to experience a data breach than smaller companies. (LastPass)
  3. Physical tampering was the top threat against large companies in 2020. (Verizon)
  4. Spyware was the top threat against small companies in 2020, followed closely by brute-force hacking and capturing stored data. (Verizon)
  5. Phishing is a top threat for both large and small companies. (Verizon)
  6. Companies with 1,000 employees or fewer reuse passwords the most. (LastPass)
  7. Companies with 1,000 employees or fewer reuse an average of 10–14 passwords per employee. (LastPass)
  8. Alternatively, companies with 10,000 employees or more only reuse four passwords per employee on average. (LastPass)
  9. Mid-sized organizations with 5,000 to 10,000 employees saw a 7% increase in the total average cost of a data breach, amounting to $4.72 million in 2020. (IBM)
  10. The total average cost of a data breach in smaller companies with less than 500 employees was $2.35 million in 2020, but smaller companies have a higher average cost per employee. (IBM)

For organizations to become truly resilient against data breaches and cybersecurity attacks, a shift in behavior and practice is required—both from leadership and individual employees. Organizations can minimize security threats by implementing a system to monitor leaked employee credentials, company files and other information.

Action item: Use Google Alerts to monitor references to your company and brand names on criminal hacking forums.

Data Breach Types, Costs and Root Causes

There are a variety of factors that impact the costs associated with an organizational data breach, from different security system platforms to the level of employee training provided. Assessing these factors can provide insight into where companies could level up their security measures and prevent future attacks—or at least reduce the cost of them.

  1. Nation-state attackers are responsible for 13% of malicious data breaches. (IBM)
  2. There has been a 24% increase in the number of data breaches caused by malicious attacks since 2014. (IBM)
  3. 7% of malicious data breaches in 2020 were caused by an internal member of the organization. (IBM)
  4. 14% of malicious data breaches in 2020 were caused by phishing. (IBM)
  5. 16% of malicious data breaches in 2020 were caused by a vulnerability in third-party software. (IBM)
  6. 53% of malicious data breaches were financially motivated in 2020. (IBM)
  7. The motivation for 21% of malicious data breaches is unknown. (IBM)
  8. Hacktivists caused 13% of malicious data breaches in 2020. (IBM)
  9. Ransomware and destructive malware breaches cost more than the average malicious attack in 2020. (IBM)
  10. The average cost of a ransomware attack in 2020 was $4.44 million. (IBM)
  11. The average cost of destructive malware attacks in 2020 was $4.52 million. (IBM)
  12. Security system complexity increased the average cost of a data breach by $291,870 in 2020. (IBM)

With data available pertaining to factors that both mitigated and amplified data breach costs, organizations would be wise to assess opportunities to introduce cost mitigating measures, as well as analyze what cost-amplifying factors exist within their company.

Action item: Incident response teams decreased the cost of a data breach by $295,267, and employee training mitigated costs by $238,019 in 2020. Companies that don’t have these structures in place should look into how they might implement them going forward.

Cybercriminals will only continue to conspire against individuals and organizations in an attempt to gain access to private data. Given the statistics above, it’s clear that more attention should be paid to the vulnerabilities that exist in our password management habits. If you’re looking for ways to level up your security, implementing a cross-platform antivirus program that provides protection for all your devices is a great place to start.