When including bot-driven traffic, 52% of all detected authentication requests contain leaked passwords.

95% of login attempts involving leaked passwords are coming from bots.

Of the successful leaked password login attempts on WordPress sites, 48% are bot-driven. The remaining 52% of successful logins on WordPress sites originate from legitimate, non-bot users.

After analysing 1.8 million breached administrator credentials, 40,000 admin portal accounts were found to be using ‘admin’ as a password.

123456 was the most common compromised password found in a new list of breached cloud application credentials.

Requiring an Active Directory password length of at least 13 characters would significantly reduce the risk of cloud application password reuse.

The most common base terms used in breached passwords were “password”, “admin”, and “welcome”.

88% of organisations still use passwords as their primary method of authentication.

53% of people admit to using the same password across multiple accounts.

Simple passwords like Pass@123 and P@ssw0rd, which meet basic Active Directory requirements, are frequently used, increasing the risk of password reuse.

The most common length for compromised passwords was 8 characters (212.5 million total).

31.1 million breached passwords were over 16 characters in length.

Over 31 million of the breached passwords were over 16 characters in length.

12% of respondents' organisations experienced a material privacy breach in the past 12 months.

Organisations using SaaS apps have an average of 47,750 passwords to manage.

The most commonly used keyboard walk pattern was “Qwerty,” which appeared over 1 million times in a list of compromised passwords.