Passwords are among the oldest yet most
popular means of online security and privacy. We use them to safeguard
everything from sensitive banking information to the Reddit account we created to enjoy some
Nowadays, we get to see additional
safeguards such as two-factor authentication in conjunction with passwords, but
it is the password that remains at the core of things.
People have now started to realize how
important it is to have a strong password, and why one should follow good
password practices. But things weren’t like this in the beginning.
One can attribute this shift in perspective
to the fact that people’s lives are now more integrated with their online
accounts, and hence, they act more responsibly.
We have compiled a few noteworthy facts
related to passwords. Some of them might make your jaw drop, while others might
make you audit some of your password practices.
There are also a few statistics to give you
an idea of where things stand.
The numbers game
Let’s go through some numbers to understand
what’s happening in the world of passwords and cybersecurity. It is much easier
to put the finger on what’s wrong if one has relevant data.
Organizations keep conducting surveys and
research to come up with useful information. Here are excerpts from some of
those studies and surveys.
1. Nearly 80% of the cloud services allow users to set up weak passwords
People often use simple passwords because
they are easy to remember. One way to make them use strong passwords can be to
implement rules which don’t allow users to create accounts with weaker
But the service providers do not seem to
bother much about it. A study that included 12,000 cloud services showed that
79.9% of websites allowed users to have passwords with only lowercase
13.6% of them made users create moderate
passwords (passwords with characters and numbers), and only 6.5% of the
websites required strong passwords (ones with numbers, symbols, uppercase, and
2. Nearly 30% of the users reuse the same password on multiple accounts
Recycling is a good habit, but not when it
comes to the use of passwords. The most obvious disadvantage of using the same
password on different accounts is that it will take only one account breach to
compromise the rest of them.
Joseph Bonneau, a researcher at the University
of Cambridge, compared stolen password information from two websites and
discovered that the rate of repeated passwords among the same email addresses was
The number even reaches close to 50% if one
starts taking similar passwords into account.
3. 20 most common passwords make for 10.3% of the
passwords in use
A study of nearly 11 million passwords for
cloud services available on the darknet showed that nearly 10% of the account
holders are still using one of the 20 most common passwords.
It significantly improves the chances of
the hackers being simply able to guess the password even if it has got strong
4. 70% of users have more than 10 password-protected accounts
The increasing number of accounts one needs
to manage is one of the reasons why users often find themselves using bad
A survey showed that nearly 70% of users
had more than 10 password-protected accounts, while 30% confessed to having too
many to count.
5. In 2020, the average number of accounts per user will be 207
One has no option but to create multiple
accounts if they wish to take advantage of the internet to its fullest. Even
news websites now require readers to sign in to go through
A projection says that the average number
of accounts per user will be 207 by the year 2020. The only way to have strong
passwords on so many accounts without forgetting them is to take the help of a
6. Only 1% of the web services ask users to create an
extremely safe password
A survey pointed out that merely one
percent of websites require their users to create passwords that contain a mix
of 4 kinds of characters, i.e., upper-case letters, lower-case letters,
numbers, and special characters.
60% of the services allowed users to create
a password with just one kind of character, while the percentages of services
allowing two and three kinds of characters were 30% and 10%, respectively.
The web services should try to get users in
the habit of creating strong passwords.
(Source: Password Coach)
Bad password practices
Getting rid of bad password practices should be the priority of anyone who operates online accounts. A lot of people may argue that they have been doing just fine with their usual passwords. But such practices will take them only so far.
Some people indulge in such practices because
of a lack of knowledge. Here are a few points to tell you about the various
bad password practices and how many of you are still entertaining them.
7. 40% of organizations store passwords in a Word document
or a spreadsheet
A survey conducted by CyberArk said that
nearly 40% of organizations store privileged admin passwords on a Word Document
or spreadsheet. There were also 28% of them who either used a shared server or
Bad password practices can give hackers
a much easier way to compromise the system, and passwords stored this way are
an invitation to trouble. The survey was conducted in 2016, and the
situation may not be as bad under present circumstances.
8. 66% of people use only 1 or 2 passwords for all their accounts
If you have accounts on multiple platforms,
then it can be too big a task to remember passwords for all of them. While
there are a lot of ways to get around this issue, a lot of users decide to go
with only 1 or 2 passwords across all their accounts.
It is needless to mention how bad a
strategy this can be. Going with a password manager is a much safer bet.
9. The usually prescribed minimum length of passwords is
12 or more
A lot of popular websites such as Google,
Facebook, Reddit, Netflix, and others allow users to create passwords that are
only 6 or 8 characters long. Wikipedia would let you create a password with
just one character.
But all of us know that it’s a good
practice to keep the password long. Long passwords are difficult to crack or
guess. Various password experts recommend that passwords should be at least 12
characters long.
10. It seems the younger generation doesn’t pay much
attention to password security
A survey said that 76% of the people aged
between 18 and 24 years are likely to reuse a password. It was the highest
percentage for any age group.
The corresponding figure for people aged above 65
years was 62%. The stat is surprising in many ways since one expects the
younger tech-savvy generation to be more careful about their online security.
(Source: Digital Guardian)
11. There is a 50% chance that a password contains at
least one vowel
We humans follow certain patterns that make
it easier for one to guess the password. The chances of a password containing
at least one vowel are 50%.
The numbers placed at the end of a password
are usually ‘1’ or ‘2.’ It was also observed that women tend to use their names
for passwords, while men use their hobbies for passwords.
You might want to change your password if
you also follow one of these patterns.
12. People are 3 times more likely to use their pet’s name
as password rather than that of a family member
Pets often become dearer to us than our
human family members. The unconditional love people receive from their pets
shows up in their password practices, as well. There is three times more
probability of someone using the name of their pet as a password and not a
It is needless to mention that it will not
make for a strong password. Someone can easily predict your password if they
have an idea of how much you love your pet.
13. A person usually changes the password every 2.5 to 3 years
Changing passwords frequently is a
recommended practice. Data breaches keep happening now and then, but we don’t
get to hear about all of them.
Frequent password changes will keep you on
the safer side. However, people usually take up to 3 years to change their
passwords. Some of them do it only when they get notified by the service
provider to do so.
(Source: Resource Techniques)
Passwords and cyberattacks
A weak password or poor password practice makes life a lot easier for hackers.
All they need is a small opening, and the weak passwords provide them just
Let’s have a look at how these hackers are
guessing your passwords and how you might be facilitating their attempts.
14. Hacking attempts using brute force or dictionary
attacks increased by 400% in 2017
There was a significant increase in the
number of brute force attacks in 2017. A brute force attack involves the hacker
trying to access the account using different password combinations with the
help of software.
The report said the labs experienced around
100 to 600 brute force attacks each hour.
(Source: SC Media)
15. Someone created a computer capable of guessing 350 billion passwords per second
The system uses five servers, which make
use of 25 AMD Radeon graphics cards to come up with this many guesses per
second. The system has made it entirely possible to guess an eight-character
password in significantly less time.
It will take it only 5.5 hours to go
through all the possible 8-character options, including numbers, upper- and
lower-case characters, and symbols.
(Source: Ars Technica)
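As an added example (not from the original article or any of its sources), the sketch below combines the sign-up rules discussed in items 1, 6 and 9 with the guessing rate quoted here: it counts character classes, applies the 12-character minimum and a deny list of the common passwords the article names, and estimates worst-case exhaustive-search time at 350 billion guesses per second. The function names, the 95-symbol printable-ASCII alphabet and the sample candidates are assumptions made for illustration.

```python
import string

# Assumptions (added example): rate and minimum length are the article's figures.
GUESSES_PER_SECOND = 350e9   # 25-GPU cluster described in item 15
MIN_LENGTH = 12              # minimum recommended in item 9
# Only the passwords the article names; a production deny list is far longer.
COMMON_PASSWORDS = {"123456", "123456789", "password", "adobe123", "qwerty"}

# Four character classes over printable ASCII: 26 + 26 + 10 + 33 = 95 symbols.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation + " ",
}

def classes_used(password):
    """Return the names of the character classes present in the password."""
    return [name for name, chars in CLASSES.items()
            if any(c in chars for c in password)]

def exhaustive_search_hours(length, alphabet_size, rate=GUESSES_PER_SECOND):
    """Hours needed to try every string of `length` over `alphabet_size` symbols."""
    try:
        return alphabet_size ** length / rate / 3600
    except OverflowError:  # keyspace too large to represent as a float
        return float("inf")

def evaluate(password):
    """Apply the deny-list, length and character-class checks to one candidate."""
    used = classes_used(password)
    alphabet = sum(len(CLASSES[name]) for name in used)
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on common-password list")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(used) < len(CLASSES):
        problems.append(f"only {len(used)} of {len(CLASSES)} character classes")
    # Characters outside printable ASCII fall in no class; report 0 hours then.
    hours = exhaustive_search_hours(len(password), alphabet) if alphabet else 0.0
    return {"classes": used, "problems": problems, "worst_case_hours": hours}

if __name__ == "__main__":
    # Constructed sample candidates, not taken from any breach data.
    for candidate in ["qwerty", "Tr0ub4d&r", "correcthorsebattery", "vK7#mq2!Lx9@"]:
        result = evaluate(candidate)
        print(candidate, f"{result['worst_case_hours']:.3g} h", result["problems"])
```

At the quoted rate, the 8-character, 95-symbol space is exhausted in about 5.3 hours, close to the 5.5 hours cited, while 12 lowercase letters last only about three days. These are exhaustive-search figures; a password that appears in a word list can fall far sooner.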
16. Saving passwords in the web browser isn’t a very smart move
Popular web browsers such as Chrome and
Firefox offer to save user passwords so that users don’t need to memorize them.
Since the passwords are saved within the browser, the user can easily log
in to the account when using that browser.
However, very few of the users know that
the browser stores this sensitive information locally on your device in plain
text. There is no master password involved, as is the case with password
managers. So, if someone has physical access to your device, the person can
easily have a quick look at all your passwords.
You should think twice the next time you
decide to save passwords with the web browser.
(Source: ZD Net)
17. There are roughly more than a million brute force
attacks on WordPress sites each hour
Even though it is one of the oldest ways to
compromise a system, a brute force attack is still quite popular among hackers.
The increased processing capabilities of computers and the option to rent some
of it online allows cybercriminals to conduct highly sophisticated brute force
Research showed that there are almost
a million brute force attacks on WordPress sites each hour.
18. 48% of people have shared a password with someone else
Sharing a password is the epitome of bad
password practices, and a lot of people still do it without thinking much of
the consequences. The way whistleblower Edward Snowden got access to passwords
of 25 of his colleagues was by simply asking them.
A survey says 30% of teens have shared a
password. The stat jumps to 48% if you include every demographic. The survey
also said that women are more likely to share passwords than men, and
girls are twice as likely to share passwords as boys.
(Source: Random Password Generator)
19. 68% of the executives of companies that experienced
significant breaches indicated that those could have been prevented
Cybercriminals thrive on human errors, and
it is the human element of any organization’s cybersecurity mechanism which is
most vulnerable to cyberattacks.
A survey found that 68% of executives
of companies that experienced significant breaches entertained the possibility
of avoiding the breach if they had either privileged user identity and access
management or user identity assurance.
The miscellaneous ones
We had to dive deep into the world of
passwords to find out all those stats for you, and we came across a few interesting
facts in the process. All of them might not be astonishing to you, but we are
confident of raising your eyebrows with a few of them.
20. First Thursday of each May is World Password Day
Not many people know that there is a World
Password Day. It is observed on the first Thursday of each May.
You can make sure all your passwords are
updated and even share some tips for better password practices on this day.
(Source: National Day Calendar)
21. “123456” is the most commonly used password
Jeremi Gosney, a passwords expert and
founder of the security firm Stricture Consulting Group, analyzed 130 million
passwords and came up with this stat.
The passwords are the ones released by
hackers who breached Adobe servers in 2013. The passwords were available in encrypted
form, and Jeremi seems to have been able to decrypt them to some extent.
The other most commonly used passwords in
the list were ‘123456789,’ ‘password,’ ‘adobe123,’ ‘qwerty,’ and so on.
(Source: ZD Net)
22. Facebook had ‘Chuck Norris’ as the master password for
one to access any profile on the platform
Facebook hasn’t been as good an ambassador
of online privacy as we wanted it to be. One of the interesting controversies
related to them and passwords was the use of ‘Chuck Norris’ as the master
It is said that one could use the master
password to access any profile created on Facebook. It was also said that only
a few engineers had knowledge of this information and that it would work only
with the Facebook ISP.
(Source: The Rumpus)
23. The launch code for US nuclear missiles was ‘00000000’
for 20 years
Yes, they had such a weak password for
something which has the potential to destroy the world. The small security
devices, which were set to prevent the launch of nuclear missiles without the
right code and authority, had their passwords set to ‘00000000.’
They even had the code written down
for officers to make sure they wouldn’t run into any issues if they
had to launch the missiles. The authorities seemed more interested in being
able to launch the missiles without an issue than in being able to stop any
illegitimate launch attempts.
(Source: Naked Security)
24. Microsoft Hotmail allowed anyone to access accounts
using the password ‘eh.’
In 1999, it was discovered that anyone could
log in to Hotmail accounts by using the password ‘eh.’ This was a classic
example of poor programming practice.
They could’ve easily gone for a slightly
more difficult password given the kind of information that was at stake. The incident
also gives some idea of what the approach to online security used to be
back in those days.
(Source: Tech Republic)
25. Even FBI’s most wanted hackers fall prey to bad password practices
Jeremy Hammond, a cybercriminal on the FBI’s
most-wanted list, had his password as the name of his cat, followed by ‘123.’
Hammond confessed that his password was
very weak. However, it is not certain whether it was the weak password that led
to him getting caught or something else. He was sentenced to ten years of
imprisonment for his actions.
(Source: ABC News)
References and Data Sources
- Password Coach
- Digital Guardian
- Resource Techniques
- SC Media
- Ars Technica
- ZD Net
- Random Password Generator
- National Day Calendar
- ZD Net
- The Rumpus
- Naked Security
- Tech Republic
- ABC News