Press releases

83% of Americans are Using Weak Passwords

Avast survey reveals Americans are using weak passwords and reuse passwords to protect multiple accounts

Avast survey reveals Americans are using weak passwords and reuse passwords to protect multiple accounts


Redwood City, California, May 2, 2019 –  Avast (LSE: AVST), a global leader in online security products, found that Americans are not properly protecting their online accounts. This is according to an online survey* conducted by Avast, which revealed that 83% of Americans do not include all of the following when creating passwords: numbers, special characters, upper and lower case letters, and do not create passwords that are at least 10 characters long. The survey also found that more than half of Americans (53%) use the same password to protect multiple accounts, further putting their accounts at risk of being hacked.

TMI - Too much information

Many Americans include personal information in their passwords, information that can often be found on social media accounts, and can potentially be used by cybercriminals to crack passwords, such as:

  • Their own name or the name of a family member (16%)
  • Their pet’s name (15%)
  • Their birthday (11%)
  • Words related to their hobby (8%)
  • Part of their home address (5%)
  • The name of their favorite book or movie (4%)
  • Celebrity names (3%)
  • The name of the website the password is for (3%)

Weak credentials

Despite a number of high-profile data breaches making the news in recent months, the survey reveals that Americans are still not creating strong passwords. In particular, many fail to:

  • Make their passwords at least 10 characters long, and include numbers, special characters, and upper and lower case letters (83%)
  • Make their passwords at least 10 characters long, and include numbers and special characters (81%)

“Cybercriminals collect personal data, like login credentials, from various sources including data breaches, and sell it on the darknet for other cybercriminals to abuse. Multiple data dumps on the darknet recently gained widespread attention with the release of Collection #1, which involved 87 GB of stolen personal data including more than 770 million email addresses,” said Luis Corrons, Security Evangelist at Avast. “Creating strong and unique passwords for each online account is nearly impossible, which is why people create weak passwords that are easy to remember or re-use passwords for multiple online accounts. Cybercriminals take advantage of this behavior to try to infiltrate accounts by brute force, attempting to use personal information to guess other passwords, or purchasing leaked credentials on the darknet to login into further accounts.”

Risky business

More than half (53%) of respondents re-use passwords to protect multiple accounts and of those that do, 88% admitted to being aware that the practice is risky. When those respondents were asked why they still stick to the habit, 54% said they can only memorize a limited number of passwords, 20% claim they don’t feel the information in their accounts is valuable, and seven percent are too lazy to change their password.

Hack checking and making a change

Fifty-eight percent of Americans have never checked to see if their email address was involved in a data breach. On average, less than one out of four people (23%) have changed their passwords after being informed of a data breach, 18% never changed their passwords, 21% do so once a year, 19% every six months, and only 20% change their passwords every three months or more frequently.   

“It’s important to remember the following when creating passwords:

  • Wherever possible, passwords should consist of at least 16 or more characters
  • Ideally contain numbers and special characters
  • Should be unrelated to yourself or the service they are protecting

Additionally, users should use two-factor authentication wherever possible,” said Luis Corrons, Security Evangelist at Avast. “Another method to creating strong passwords is to string together random words, making the passwords at least 16 characters long, but easier to remember. Using a password manager is the best option, one that, unfortunately, just two percent of Americans use.”

*Survey conducted online, among 1,188 Avast users in the U.S. in November and December 2018