Only 1%, or five websites, among the top 1,000 most visited websites met all best-practice password criteria.

58% of the world's top 1,000 most visited websites do not require special characters for their passwords.

42% of the world's top 1,000 most visited websites do not enforce any minimum password length requirements.

Simple passwords like Pass@123 and P@ssw0rd, which meet basic Active Directory requirements, are frequently used, increasing the risk of password reuse.

45% of organisations who only check for compromised passwords during expiry or reset events average only two checks for compromised passwords per year.

Organisations using SaaS apps have an average of 47,750 passwords to manage.

Only 50% of organisations scan for compromised passwords more than once a month.

Keyboard walks such as ‘qwerty’ are weak passwords used by millions of end users.

31.1 million breached passwords were over 16 characters in length.

Only 12% of organisations have moved away from using passwords as their primary method of authentication.

The most common base terms used in breached passwords were “password”, “admin”, and “welcome”.

53% of people admit to using the same password across multiple accounts.

The most common length for compromised passwords was 8 characters (212.5 million total).

After analysing 1.8 million breached administrator credentials, 40,000 admin portal accounts were found to be using ‘admin’ as a password.

88% of organisations still use passwords as their primary method of authentication.

83% of compromised passwords satisfied the length and complexity requirements of regulatory password standards.

The most commonly used keyboard walk pattern was “Qwerty,” which appeared over 1 million times in a list of compromised passwords.

Requiring an Active Directory password length of at least 13 characters would significantly reduce the risk of cloud application password reuse.

Over 31 million of the breached passwords were over 16 characters in length.

123456 was the most common compromised password found in a new list of breached cloud application credentials.