Skip to content
Home / Journal / data
data · Jul 12, 2026

Password Security Statistics (2026)

Stolen credentials drive 88% of web-app attacks and are the #1 breach vector, yet only 36% of Americans use a password manager. Credential breaches cost $4.81M and take 292 days to find. The cited data on passwords, MFA, and passkeys.

datastatisticspassword-managerssecurityauthentication

A data analysis of why stolen passwords remain the top way into a company, how few people actually use a manager, and why 2025 was the year passkeys finally reached scale.

Eighty-eight percent of attacks against basic web applications involved the use of stolen credentials, according to Verizon’s 2025 Data Breach Investigations Report — the single most-used method attackers reach for. Credentials are still the number-one initial access vector, and the defenses against them are well understood and cheap. The gap is adoption: only 36% of Americans use a password manager. The numbers below show where the risk concentrates and which controls actually close it.

Key takeaways

  • 88% of attacks against basic web apps used stolen credentials, and credentials remain the top initial access vector, per Verizon’s 2025 DBIR
  • Credential-based breaches cost $4.81M and take 292 days to identify and contain — the slowest of any vector — per IBM’s Cost of a Data Breach 2024
  • Only 36% of Americans use a password manager, roughly 94 million people, per Security.org
  • “123456” is still the most common password in the world, per NordPass; only 3% of compromised passwords met basic complexity rules (Verizon DBIR)
  • 2.8 billion passwords were posted for sale or distribution in 2024, appearing in 28% of breached databases, per Verizon’s 2025 DBIR
  • Workforce MFA adoption reached 70% as of January 2025, per Okta
  • 69% of users now have at least one passkey and 48% of the top 100 websites support them, per the FIDO Alliance Passkey Index 2025
Headline numbers
Stolen credentials dominate the breach path
Share of breaches involving each factor, per Verizon's 2025 DBIR. Credentials lead every access route.
Web-app attacks using stolen creds
88%
Breaches involving human element
60%
Breaches w/ creds as initial vector
22%

How often are stolen credentials behind a breach?

Almost always, wherever a login sits in the path. Verizon’s 2025 DBIR found stolen credentials used in 88% of attacks against basic web applications, and compromised credentials were the top initial access vector across all breaches, present in 22% of them. The human element — phishing, error, misuse — figured in 60% of breaches.

The reason is economics. Attackers do not need an exploit when a working password is for sale. Verizon counted 2.8 billion passwords posted for sale or distribution in 2024, and passwords showed up in 28% of breached databases. A valid credential is the cheapest, quietest way in.

How much does a credential breach cost?

More than any other kind, and it lingers longest. IBM’s Cost of a Data Breach 2024 put the average cost of a breach involving stolen or compromised credentials at $4.81 million, above the global average of $4.88 million and notable because these breaches took 292 days to identify and contain — the slowest of any attack vector.

That delay is the whole problem. A stolen credential lets an intruder log in as a legitimate user, so nothing looks anomalous for months. Verizon also found 54% of ransomware victims had prior credential exposure in infostealer logs — the password leak came first, the ransom came later.

Cost & dwell time
Credential breaches are slow and expensive
Average cost per credential-based breach vs. days to identify and contain. IBM Cost of a Data Breach 2024.
Days to identify & contain
292
Cost per breach ($M ×10)
48.1

Do people still reuse weak passwords?

Overwhelmingly. NordPass reports “123456” is still the most common password in the world, topping the chart in six of the last seven years. Verizon’s forensic view is bleaker: only 3% of compromised passwords met basic complexity requirements, per the 2025 DBIR.

Reuse is the multiplier. In NordPass’s survey, about half of Americans, 43% of Britons, and 37% of Germans said they reuse passwords because it is easier to remember fewer. One leaked password then unlocks every account that shares it — which is exactly what credential-stuffing attacks automate.

How many people use a password manager?

Not enough. Security.org’s 2024 report found 36% of American adults use a password manager, roughly 94 million people, up just two points year over year. Built-in browser tools dominate: Google Password Manager reaches 32% of adults and Apple’s Keychain 23%.

That leaves nearly two-thirds relying on memory, reuse, or a notes app — the exact behaviors the breach data punishes. A password manager generates a unique, high-entropy password per site, which structurally defeats both reuse and credential stuffing. The tooling is solved; adoption is the lagging variable.

Adoption gap
Only 36 of every 100 Americans use a manager
Share of U.S. adults using a password manager in 2024, per Security.org. The other 64 rely on memory or reuse.

Is MFA adoption catching up?

Steadily, but with a long tail. Okta’s Secure Sign-in Trends Report 2025 put workforce MFA adoption at 70% as of January 2025. Adoption tracks company size: 87% at organizations over 10,000 employees but only 27% at firms with 25 or fewer.

The more meaningful shift is toward phishing-resistant methods. Okta found adoption of phishing-resistant authenticators rose 63% in a year, from 8.6% to 14.0% of users, while overall password usage fell from 95.1% to 93.0%. MFA blunts stolen-credential attacks; phishing-resistant MFA closes the gap that push-fatigue and real-time phishing kits still exploit.

Are passkeys actually being used?

2025 was the turn. The FIDO Alliance Passkey Index 2025 reports 69% of users now have at least one passkey and 48% of the top 100 websites support them — more than double the 2022 figure. Passkeys hit a 93% login success rate versus 63% for traditional methods.

Enterprises are following: 87% of surveyed organizations have deployed or are actively implementing passkeys, a 14-point jump since 2022. Because a passkey is bound to a device and origin, there is no shared secret to steal or phish — which removes the credential that 88% of web-app attacks depend on.

Frequently asked questions

What percentage of breaches involve stolen credentials?

Stolen credentials are the leading path in. Verizon’s 2025 DBIR found them used in 88% of attacks against basic web applications, and compromised credentials were the initial access vector in 22% of all breaches. The human element — phishing, error, misuse — was present in 60% of breaches overall.

How expensive is a credential-based breach?

Costly and slow. IBM’s Cost of a Data Breach 2024 put the average at $4.81 million per breach involving stolen or compromised credentials. These took 292 days to identify and contain — the longest of any vector — because a valid login looks like normal activity until the damage surfaces.

What is the most common password?

“123456,” per NordPass, which has topped its global list in six of the last seven years. The security picture is worse than the list suggests: Verizon’s 2025 DBIR found only 3% of compromised passwords met basic complexity requirements, and reuse means one weak password can open many accounts.

How many people use password managers?

About 36% of American adults, roughly 94 million people, per Security.org’s 2024 report. Browser-native tools lead — Google Password Manager at 32% and Apple Keychain at 23%. The remaining two-thirds rely on memory or reuse, the behaviors most exposed to credential-stuffing attacks.

Is MFA adoption widespread yet?

Workforce MFA reached 70% by January 2025, per Okta, but it skews by size — 87% at large enterprises versus 27% at the smallest firms, per JumpCloud. Phishing-resistant authenticators grew 63% year over year, from 8.6% to 14.0% of users.

Will passkeys replace passwords?

They are the strongest candidate. 69% of users already have a passkey and 48% of the top 100 sites support them, per FIDO. Passkeys have no shared secret to steal or phish, achieve a 93% login success rate, and 87% of enterprises are deploying or implementing them.

What this means for teams

The password data is unusually clean on cause and cure. One factor — reusable, stealable credentials — drives the top breach vector, the highest cost, and the longest dwell time, and three controls close most of it: a password manager, MFA, and passkeys. None is exotic or expensive. The failure is adoption, not availability.

That is the 80/20 case for fewer, better tools. A team does not need a sprawling identity stack to move the needle; it needs one password manager rolled out to everyone, MFA turned on by default, and passkeys enabled where supported. The same discipline shows up when shadow IT fragments credentials across unsanctioned apps, and in how support teams reduce ticket volume in our customer support software statistics — fewer, well-chosen tools beat a longer list. See how we score each pick on the about page.

Sources

How we score