Bitwarden's Official State of Password Security Report (2025)
Before diving into the breach data, let's examine Bitwarden's annual "State of Password Security" report. Now in its fourth year, the report evaluates how U.S. federal agencies communicate password guidance to the public.
This matters because federal agencies set the tone for enterprise security policies. When the FBI gives outdated advice, Fortune 500 companies copy it into their employee handbooks.
How Bitwarden Rates Federal Agencies
Bitwarden grades agencies on five criteria:
- Password manager recommendation (Do they tell people to use one?)
- Strong password guidance (Length, complexity, no reuse)
- 2FA/MFA advice (Do they emphasize it?)
- NIST guideline adherence (Is their advice current?)
- Information accessibility (Can regular people find and understand it?)
2025 Federal Agency Ratings
| Agency | 2025 Rating | Change from 2024 |
|---|---|---|
| CISA | ⭐ Excellent | ↑ Improved |
| FTC | ⭐ Excellent | → Same |
| NIST | Very Good | → Same |
| NSA | Very Good | ↑ Improved |
| Dept. of Commerce | Very Good | → Same |
| FBI | Good | → Same |
| SBA | Good | → Same |
| FCC | Fair | → Same |
| SEC | Fair | → Same |
| White House | Good | → Same |
| DHS | Room for Improvement | → Same |
Key Takeaways from Bitwarden's Report
CISA improved from "Very Good" to "Excellent" by reorganizing their Secure Our World campaign. Their password guidance is now clear, digestible, and explicitly recommends password managers with 16+ character passwords.
NSA improved from "Good" to "Very Good" after finally adding password manager recommendations to their guidance. Their Stop Ransomware Guide now states: "Password managers can help you develop and manage secure passwords."
NIST remains "Very Good" but frustrating. Their actual guidelines (SP 800-63B) are the gold standard, but the website is so disorganized that regular people can't find the advice. The content is buried in dense PDFs.
FCC is stuck in 2010. They still recommend changing passwords every three months, which NIST explicitly advises against. Forced rotation leads to predictable patterns (Password1, Password2, Password3).
DHS has no dedicated password guidance. For an agency with "Security" in its name, this is a significant gap.
NIST SP 800-63B itself is unambiguous about password managers: "Verifiers SHOULD permit claimants to use 'paste' functionality when entering a memorized secret. This facilitates the use of password managers."
View Bitwarden's full report →
What the Breach Data Actually Shows
Bitwarden's report grades government guidance. But what's happening in the real world? We analyzed 19 billion leaked passwords to find out.
Spoiler: It's worse than the agencies think.
Executive Summary
The headline number: 78% of the most common passwords can be cracked in under one second.
Here's what the data shows:
- 94% of passwords are reused or duplicated (Cybernews, 2025)
- Only 6% of 19 billion analyzed passwords were unique (Cybernews, 2025)
- 22% of all data breaches began with stolen credentials (Verizon DBIR, 2025)
- $4.88 million is the average cost of a data breach (IBM, 2024)
- 338 million passwords are literally just "123456" (Cybernews, 2025)
We spent $180 billion on cybersecurity in 2025. Yet "123456" is still the most common password.
The tools exist. The education exists. The problem is us.
Part 1: The 2025 Password Landscape
19 Billion Passwords Exposed
Between April 2024 and April 2025, researchers at Cybernews analyzed 19,030,305,929 passwords leaked across more than 200 cybersecurity incidents.
| Metric | Finding | Source |
|---|---|---|
| Total passwords analyzed | 19,030,305,929 | Cybernews, 2025 |
| Unique passwords | 1,143,815,266 (6%) | Cybernews, 2025 |
| Reused/duplicated passwords | 94% | Cybernews, 2025 |
"We're facing a widespread epidemic of weak password reuse. Only 6% of passwords are unique, leaving other users highly vulnerable to dictionary attacks. For most, security hangs by the thread of two-factor authentication, if it's even enabled."
Neringa Macijauskaitė, Information Security Researcher, Cybernews
The Same Passwords, Year After Year
The most common passwords haven't changed significantly since 2011. Fourteen years of breach headlines, and we learned nothing.
| Rank | Password | Occurrences | Time to Crack |
|---|---|---|---|
| 1 | 123456 | 338 million | <1 second |
| 2 | 123456789 | - | <1 second |
| 3 | 12345678 | - | <1 second |
| 4 | password | 56 million | <1 second |
| 5 | qwerty123 | - | <1 second |
| 6 | qwerty1 | - | <1 second |
| 7 | 111111 | - | <1 second |
| 8 | 12345 | - | <1 second |
| 9 | secret | - | <1 second |
| 10 | admin | 53 million | <1 second |
Sources: NordPass Top 200 Most Common Passwords (2025), Cybernews Password Study (2025)
If your password is "123456", you are statistically more likely to be hacked this year than to catch a cold.
The "1234" Problem
- "1234" appears in almost 4% of all passwords (727 million occurrences)
- "123456" appears in 338 million passwords
- 78% of the world's most common passwords can be cracked in under one second
Source: NordPass, 2025
Password Length and Complexity
Most users prioritize convenience over security.
| Length | Percentage |
|---|---|
| 8-10 characters | 42% |
| Under 8 characters | 10% (down from 33% in 2009) |
| Over 16 characters | 7% (up from 0.85% in 2009) |
Source: Cybernews analysis of 19 billion passwords, 2025
| Composition | Percentage |
|---|---|
| Only lowercase letters and digits | 27% |
| No special characters | ~20% |
| Mix of uppercase, lowercase, numbers, and symbols | 19% (up from 1% in 2022) |
Source: Cybernews, 2025
Progress is glacially slow compared to how quickly attack methods evolve.
What's Actually in Our Passwords
Cybernews researchers cross-referenced leaked passwords against common patterns. The results reveal just how predictable we are.
Names
- 8% of passwords contain a name from the top 100 most popular names
- "Ana" appears in 178.8 million passwords (also appears in words like "banana")
- Popular names: Mike, Michael, Chris, Christopher, John, Dave, David
Pop Culture
- Mario: 9.6 million passwords
- Thor: 6.2 million passwords
- Batman: 3.9 million passwords
- Joker: 3.1 million passwords
- Elsa (Frozen): 2.9 million passwords
Positive Words
- Love: 87 million passwords
- Sun: 34 million passwords
- Joy: 6.9 million passwords
- Dream: 6.1 million passwords
- Freedom: 2 million passwords
Food
- Apple: 10 million passwords
- Rice: 4.9 million passwords
- Orange: 3.6 million passwords
- Pizza: 3.3 million passwords
- Banana: 3.7 million passwords
Source: Cybernews, 2025
Generational Differences (Spoiler: There Aren't Many)
NordPass's 2025 study examined password habits across generations, from the Silent Generation to Gen Z. The finding? Password quality is equally poor across all age groups.
"For every age bracket, '12345' and '123456' consistently emerge as the top choices."
Karolis Arbaciauskas, Head of Product, NordPass
This debunks the assumption that younger, more "digital native" generations have better password habits. They don't.
Part 2: The Business Impact
Stolen Credentials: The #1 Attack Vector
According to Verizon's 2025 Data Breach Investigations Report (DBIR), which analyzed over 22,000 security incidents and 12,195 confirmed breaches:
| Initial Access Vector | Percentage |
|---|---|
| Stolen/compromised credentials | 22% |
| Vulnerability exploitation | 20% |
| Phishing | 16% |
Source: Verizon DBIR, 2025
Additional credential findings:
- 88% of basic web application attacks involved stolen credentials
- 60% of all breaches involved the human element (clicking phishing links, social engineering)
- Brute force attacks against basic web apps rose to 37% (up from 21% the previous year)
Source: Verizon DBIR, 2025
The Cost of Getting It Wrong
IBM's Cost of a Data Breach Report provides the financial reality of poor password security.
2024-2025 Averages:
| Metric | Cost |
|---|---|
| Average global data breach cost | $4.88 million |
| Average US data breach cost (2025) | $10.22 million |
| Healthcare sector average | $7.42 million |
| Financial sector average | $6.08 million |
| Industrial sector average | $5.56 million |
Source: IBM Cost of a Data Breach Report, 2024-2025
Credential-Specific Costs:
- Breaches involving stolen credentials take an average of 292 days to identify and contain (the longest of any attack vector)
- Cost per credential-based breach: $4.81 million
- Organizations with extensive security AI and automation saved $2.2 million per breach compared to those without
Source: IBM, 2024
The Infostealer Epidemic
Your employees are bypassing your firewall by installing cracked software on their laptops. The data proves it.
Verizon's 2025 DBIR highlights a growing threat: infostealer malware that harvests credentials directly from infected devices.
Key findings:
- 54% of ransomware victims had prior credentials exposed in infostealer logs
- 40% of those credentials contained corporate email addresses
- 46% of compromised systems with corporate credentials were non-managed (BYOD) devices
- Only 49% of a user's passwords across different services were distinct (median case)
Source: Verizon DBIR, 2025
🚨 CASE STUDY: Black Basta's Leaked Playbook
In February 2025, 200,000 internal chat messages from the Black Basta ransomware gang were leaked. Security researchers analyzed them. What they found should terrify every IT department.
Black Basta isn't hacking. They're shopping.
The leaked chats revealed that Black Basta operators routinely purchased credentials from infostealer logs sold on criminal marketplaces. They then used those credentials to walk straight into corporate networks.
Real attack timeline (Brazilian tech company, 2023):
- March 2023: Employee's machine infected with infostealer malware
- March 2023: Credentials appear in criminal marketplace (including RDWeb login)
- October 2023: Black Basta purchases credentials from infostealer log
- October 18-20, 2023: Attackers compromise entire network in 2 days
- October 20, 2023: Data exfiltrated, ransomware deployed
Six months from infection to attack. Two days from access to ransom demand.
The same infostealer log that contained initial access credentials also held 50 other credentials, some belonging to the company's clients.
What the chats revealed about their methods:
- Top targets: RDWeb portals, VPNs (GlobalProtect, Cisco), Citrix gateways
- Preferred stealers: LummaC2, Meduza
- They use ZoomInfo to research victim companies and set ransom amounts
- They discussed buying zero-day exploits when credentials weren't available
The bottom line: Your "secure" corporate password doesn't matter if an employee reused it on a gaming forum that got breached. Black Basta (and gangs like them) aren't breaking in. They're logging in.
Sources: KELA Cyber, SpyCloud, Cloudflare Threat Intelligence, SecurityWeek (February-March 2025)
How infostealer attacks work:
- Employee downloads "Free PDF Editor" or cracked game
- Malware installs silently
- Steals browser cookies, saved passwords, session tokens
- Hacker logs into Slack, email, cloud storage
- Data breach (and you never knew the malware was there)
Even if your organization has strong password policies, employees using the same password on a compromised personal device can still put corporate systems at risk.
Third-Party Risk Doubled
Third-party involvement in breaches doubled from 15% to 30% in 2025.
The Snowflake breach exemplified this risk: attackers exploited the fact that multi-factor authentication wasn't mandatory, using compromised credentials to breach multiple Snowflake customers including AT&T, Ticketmaster, and Santander Group.
Source: Verizon DBIR, 2025
Part 3: Our Research (50,000 Breached Passwords Analyzed)
Methodology
We analyzed 50,000+ passwords from recent (2024-2025) data breaches to understand real-world password creation patterns. Our methodology focused on:
- Password length distribution
- Character composition
- Common patterns and substitutions
- Presence in known breach databases
This research was validated by Reddit's r/cybersecurity community, where it received 355,000+ views.
For complete methodology and findings, see our full password analysis report.
Key Findings
Finding 1: Character Substitution Doesn't Help
You think "P@ssw0rd" is clever? Attackers do too.
- A significant percentage of passwords used predictable character substitutions (@ for a, 0 for o, 3 for e, 1 for i)
- Modern cracking tools test these variations automatically
- "Tr0ub4dor&3" cracks in hours, not years
The "leet speak" you learned in 2005 is now baked into every password cracker's default ruleset.
Finding 2: Year Suffixes Are a Gift to Hackers
We found "2024" at the end of many passwords.
If you update your password from Summer2024! to Summer2025!, you haven't improved your security. You've just updated the cracker's dictionary.
Attackers know you're required to change your password annually. They simply append the current year to their wordlists. Your "new" password is already compromised before you create it.
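Findings 1 and 2 describe mangling rules (leet substitutions, year and digit suffixes) that crackers apply automatically, so a password screen has to undo the same mangling before comparing against a blocklist. The checker below is an added example, not code from SafePasswordGenerator.net; the blocklist is a constructed stand-in for a real breached-password list, and the 4→a and $→s reversals are assumed additions beyond the four substitutions the text names.

```python
import re

# Constructed blocklist for the demo. In production this would be a large list of
# breached passwords (the Cybernews/NordPass top entries above are the obvious seed).
COMMON_BASES = {"123456", "password", "qwerty", "summer", "welcome",
                "admin", "letmein", "troubador"}

# The substitutions the page lists (@ a, 0 o, 3 e, 1 i) plus two that cracker
# rulesets also carry (4 a, $ s), reversed so the checker sees the base word.
LEET_MAP = str.maketrans({"@": "a", "0": "o", "3": "e", "1": "i", "4": "a", "$": "s"})
YEAR_SUFFIX = re.compile(r"(?:19|20)\d{2}[^a-z]*$")   # Summer2025!, Winter2024
TRAILING_JUNK = re.compile(r"[^a-z]+$")               # Password1!, qwerty123


def normalize(password: str) -> str:
    """Undo the predictable mangling so 'P@ssw0rd2025!' is compared as 'password'."""
    core = password.lower()
    core = YEAR_SUFFIX.sub("", core)          # drop a trailing year and any punctuation after it
    stripped = TRAILING_JUNK.sub("", core)    # drop trailing digits/symbols
    if not stripped:                          # all-digit passwords such as 123456: nothing to undo
        return core
    return stripped.translate(LEET_MAP)       # reverse the leet substitutions


def check(password: str, min_length: int = 15) -> list[str]:
    """Return the reasons a password is rejected; an empty list means it passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    base = normalize(password)
    if base in COMMON_BASES:
        problems.append(f"reduces to blocklisted base word '{base}'")
    if YEAR_SUFFIX.search(password.lower()):
        problems.append("ends with a year suffix")
    return problems


if __name__ == "__main__":
    samples = ["P@ssw0rd2025!", "Summer2025!", "Password1!", "Tr0ub4dor&3",
               "correct horse battery staple"]
    for pw in samples:
        print(f"{pw!r:32} -> {normalize(pw)!r:32} {check(pw) or 'OK'}")
```

Every mangled sample collapses to a blocklisted base word, while the four-word passphrase passes both the length and blocklist checks.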
Finding 3: Length Trumps Complexity (The Math is Clear)
| Password Type | Example | Time to Crack |
|---|---|---|
| 8 char complex | Tr0ub4d! | Hours to days |
| 4-word passphrase | correct horse battery staple | Centuries |
| 16 char random | k8$mP2xR9@nL4qWz | Heat death of universe |
Passwords under 10 characters were significantly more likely to appear in breach databases. Each additional character multiplies the search space by the size of the character set, so brute-force crack time grows exponentially with length.
Finding 4: We Found Some Weird Stuff
Pop culture passwords in our dataset:
- Many passwords referenced "Taylor Swift"
- Many passwords contained "Bitcoin" or "Crypto"
- Many passwords were sports teams + jersey numbers
- Many passwords were literally "Password1!" (the minimum to pass complexity requirements)
People are predictable. Hackers know this.
Finding 5: Pattern Sequences Dominate
- A significant percentage of passwords contained keyboard patterns (qwerty, asdf, zxcv)
- A significant percentage contained sequential numbers (123, 456, 789)
- A significant percentage started with a capital letter and ended with a number (the "complexity theater" pattern)
Part 4: What Actually Works
Based on our analysis of breach data and industry research, here's what demonstrably reduces risk.
1. Password Managers
The math is simple: The average person has approximately 100 online accounts. No human can memorize 100 unique, complex passwords. Password managers solve this.
What the data shows:
- Organizations using password managers reduce credential-related breach risk by enabling unique passwords per service
- Password manager users have an average of 191 passwords stored (LastPass data)
- Only 1 password needs to be memorized (the master password) when using a manager properly
Recommendation: Use a reputable password manager (compare password managers) with a strong master passphrase of 4+ random words.
2. Multi-Factor Authentication (MFA)
MFA remains the single most effective control against credential-based attacks, but implementation matters.
Verizon DBIR findings:
- Simply enabling MFA could have prevented the entire Snowflake breach
- However, SMS-based OTPs are vulnerable to SIM swapping
- Phishing-resistant methods (passkeys, hardware keys) are significantly more effective
MFA Hierarchy (Most to Least Secure):
- Hardware security keys (YubiKey, etc.)
- Passkeys (biometric + device-bound)
- Authenticator apps (TOTP)
- Push notifications
- SMS codes (vulnerable, but better than nothing)
Source: Verizon DBIR, 2025
3. Password Length Over Complexity
NIST's updated guidelines (2024) recommend:
- Minimum 15 characters for high-value accounts
- Passphrases preferred over complex character requirements
- No mandatory periodic password changes (unless breach suspected)
- No character composition rules that reduce usability
| Password | Time to Crack |
|---|---|
| 123456 | < 1 Second |
| Tr0ub4dor&3 | 3 Hours |
| correct horse battery staple | 5 Centuries |
The takeaway: Length beats complexity. Every time.
Need help creating a strong passphrase? Use our passphrase generator.
Home routers remain one of the most overlooked attack vectors. Most people never change the default credentials, giving attackers an easy foothold into home networks. If you haven't updated your router password recently, generate a secure WiFi password that can withstand brute-force attacks on WPA2 and WPA3 networks.
4. Breach Monitoring
IBM's research shows:
- Credential-based breaches take 292 days on average to detect
- Organizations with breach monitoring detect compromises faster
- Faster detection = lower breach costs
Recommended actions:
- Check haveibeenpwned.com for existing exposures
- Enable breach alerts in your password manager
- Monitor dark web exposure for corporate domains
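The check behind haveibeenpwned.com and password-manager breach alerts is the Pwned Passwords k-anonymity range lookup: the client sends only the first five hex characters of the password's SHA-1 and matches the suffix locally. This is an added example, not code from the report or from Have I Been Pwned; the server side is replaced by a constructed in-memory corpus with illustrative counts so it runs offline.

```python
import hashlib


def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


# Constructed breached-password corpus standing in for the service's database.
# The counts are illustrative only, not real Pwned Passwords figures.
FAKE_BREACH_DB = {
    "123456": 338_000_000,
    "password": 56_000_000,
    "admin": 53_000_000,
    "Summer2025!": 1_200,
}


def fake_range_endpoint(prefix: str) -> str:
    """Stand-in for GET /range/{prefix}: every stored hash sharing the
    5-character prefix, returned as SUFFIX:COUNT lines."""
    if len(prefix) != 5:
        raise ValueError("range queries take exactly 5 hex characters")
    lines = []
    for pw, count in FAKE_BREACH_DB.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    # The real API can pad responses with 0-count decoy entries (Add-Padding header)
    lines.append("0" * 35 + ":0")
    return "\r\n".join(lines)


def pwned_count(password: str, range_lookup=fake_range_endpoint) -> int:
    """k-anonymity lookup: only the 5-char hash prefix leaves the client,
    so neither the password nor its full hash is disclosed to the service."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix and int(count) > 0:   # ignore padding entries
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ["password", "Summer2025!", "correct horse battery staple"]:
        n = pwned_count(pw)
        print(f"{pw!r}: {'seen ' + str(n) + ' times' if n else 'not in corpus'}")
```

Swapping `fake_range_endpoint` for an HTTP call to the real range endpoint turns this into the same check a password manager runs for its breach alerts.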
5. The Passkey Transition
Passkeys represent the most significant authentication shift since passwords were invented. Major platforms now support them:
- Apple (iOS, macOS)
- Google (Android, Chrome)
- Microsoft (Windows)
- Major services: PayPal, eBay, Best Buy, Kayak, GitHub
Passkey benefits:
- Phishing-resistant by design (bound to legitimate domains)
- Nothing to remember or type
- Cannot be reused across sites
- Cannot be stolen via database breaches
Current adoption: Still early, but growing. Expect passkeys to become the default authentication method by 2027-2028.
Part 5: The 2025 Password Security Checklist
For Individuals
- Use a password manager (Bitwarden is free)
- Create a strong master passphrase (4+ random words)
- Enable MFA on email, banking, primary social
- Check haveibeenpwned.com for exposures
- Replace any passwords found in breaches
- Set up passkeys on supported services
- Never reuse passwords across sites
- Use generated passwords of 15+ characters
For Organizations
- Mandate MFA for all users (phishing-resistant preferred)
- Deploy an enterprise password manager
- Implement continuous credential monitoring
- Enforce minimum 15-character passwords
- Remove periodic password rotation requirements
- Conduct security awareness training
- Assess third-party vendor security
- Deploy security AI and automation
Conclusion
The state of password security in 2025 is paradoxical. We have better tools than ever (password managers, passkeys, advanced MFA), yet 94% of passwords remain reused or duplicated. We understand the risks, yet "123456" appears in 338 million passwords.
The data is clear:
- Most people won't change behavior. Security must shift from education to enforcement (mandatory MFA, passkeys by default).
- Password reuse is the real enemy. A unique weak password is safer than a strong reused one.
- The tools exist. Password managers, MFA, and passkeys solve the problem. Adoption, not technology, is the bottleneck.
- Breaches are inevitable. Organizations should assume credentials will be compromised and design systems accordingly (zero trust, continuous monitoring, rapid response).
The transition to passkeys offers hope. Within 3-5 years, passwords may finally become a legacy authentication method. Until then, the fundamentals remain: unique passwords, password managers, and MFA everywhere.
Frequently Asked Questions
What is the Bitwarden State of Password Security report?
Bitwarden's annual report evaluates password security guidance from U.S. federal agencies. It rates agencies like CISA, NIST, FBI, and NSA on whether their advice follows modern best practices and is accessible to the public.
Which federal agencies have the best password guidance in 2025?
CISA and FTC both received "Excellent" ratings from Bitwarden. CISA's Secure Our World campaign provides clear, actionable password advice including recommending password managers and 16+ character passwords.
Why did NSA's rating improve in 2025?
The NSA improved from "Good" to "Very Good" after adding explicit password manager recommendations to their cybersecurity guidance, including the Stop Ransomware Guide.
What's wrong with the FCC's password advice?
The FCC still recommends changing passwords every three months, which contradicts NIST guidelines. Research shows forced password rotation leads to weaker passwords as users create predictable variations.
How many passwords were analyzed in this report?
This report combines Bitwarden's federal agency analysis with Cybernews' study of 19,030,305,929 leaked passwords and our own analysis of 50,000+ breached passwords.
What percentage of passwords are reused?
According to Cybernews' 2025 study, 94% of the 19 billion analyzed passwords were reused or duplicated. Only 6% were unique.
Sources & Methodology
Primary Sources
- Verizon 2025 Data Breach Investigations Report (DBIR): 22,000+ security incidents analyzed; 12,195 confirmed data breaches. URL: https://www.verizon.com/business/resources/reports/dbir/
- IBM Cost of a Data Breach Report 2024/2025: 604 organizations surveyed globally; 17 industry sectors, 16 countries. URL: https://www.ibm.com/reports/data-breach
- Cybernews Password Leak Study 2025: 19,030,305,929 passwords analyzed; 200+ cybersecurity incidents. URL: https://cybernews.com/security/password-leak-study-unveils-2025-trends-reused-and-lazy/
- NordPass Top 200 Most Common Passwords 2025: seventh annual study, 44 countries analyzed. URL: https://nordpass.com/most-common-passwords-list/
- SafePasswordGenerator.net Original Research: 50,000+ breached passwords analyzed; 355,000+ views on Reddit r/cybersecurity. URL: https://safepasswordgenerator.net/blog/password-analysis-50000-breached
- Black Basta Leaked Chats Analysis (February 2025): 200,000 internal Matrix chat messages leaked; analyzed by multiple security firms (KELA, SpyCloud, Cloudflare, Qualys).
URLs:
Additional References
- NIST Special Publication 800-63B: Digital Identity Guidelines
- FBI Internet Crime Complaint Center (IC3) 2024 Report
- Bitwarden Password Security Survey 2025
- FIDO Alliance Passkey Adoption Data
About SafePasswordGenerator.net
SafePasswordGenerator.net is a free, privacy-first password security resource. Our tools generate passwords entirely client-side using the Web Crypto API. No data is ever sent to our servers.
Citation
To cite this report:
SafePasswordGenerator.net. (2025). The State of Password Security 2025. Retrieved from https://safepasswordgenerator.net/blog/state-of-password-security-2025/
Report published: December 2025 | Version: 2.0 (Viral Optimized)
Know someone still using "password123"? Share this report before they learn the hard way.