Most people use passwords between 8–10 characters in length, accounting for 42% of the analysed passwords. Eight characters was the most popular length.

Seasons are popular in passwords, with "Summer" appearing in 3.8 million entries.

There is an 8% chance for names from the 100 most popular names of 2025 list to be included in a password.

Brands are popular in passwords, with "Google" appearing in 25.9 million entries, "Facebook" in 18.7 million, "Kia" in 12.7 million.

Credential-stuffing attacks, while seemingly inefficient, have a success rate between 0.2% and 2.0%, which makes them highly profitable as hackers test millions of credentials to yield thousands of compromised accounts.

Passkey implementation has reached 48% of the world’s top 100 websites

47% of consumers will abandon purchases if they have forgotten their password for that particular account.

Among people familiar with passkeys, 53% believe passkeys offer greater security than passwords.

74% of consumers are aware of passkeys.

Over 35% of people had at least one of their accounts compromised due to password vulnerabilities in the last year.

Among people familiar with passkeys, 54% consider them to be more convenient than passwords.

More than two thirds of users familiar with passkeys turn to them for simpler, safer sign-ins.

69% of consumers have enabled passkeys on at least one of their accounts.

Among those who have used passkeys, 38% report enabling them whenever possible.

More than half of consumers believe passkeys are both more secure (53%) and more convenient (54%) than passwords.

76% of CIOs acknowledge the growth threat of credential leaks.

The average time between credentials being found and the reported ransomware attack was 2.5 weeks

Compared to 2024, the time it takes to crack passwords using consumer-grade GPUs has dropped by nearly 20%.

Among the roles most vulnerable to credential theft, 28% were in Project Management, followed by Consulting (12%) and Software Development (10.7%).

Credentials for victims of the Play, Akira, and Rhysida ransomware groups were found on cybercrime marketplaces between 5 and 95 days prior to the reported attack.