2022 World Password Day Global Survey Full Report

This marks the second year of the Bitwarden annual World Password Day survey. The survey, conducted independently by Propeller Insights, surveyed 2,000 internet users globally on how they view and manage their own password security. 

The stats and regional breakdowns below illustrate attitudes towards data breaches, personal password and workplace password habits, and remote work and return to office expectations. The first section, focusing on the big picture, includes some of the most compelling global themes and stats.

While the survey polled respondents in the United States, Germany, the United Kingdom, Australia, and Japan, this current report provides a global overview and focuses on findings from the United States, United Kingdom, and Japan.

For the most current data, visit the World Password Day resource page.

• Percentage of people in each region who claim to have experienced a data breach:

  • United States - 31%

  • United Kingdom - 35%

  • Australia - 23%

  • Germany - 19%

  • Japan - 10%
    

• People are paying heed to the headlines: globally, 35% of respondents are more worried about cyberattacks this year than last year.
  

• Trust issues: globally, 28% of respondents are most worried their spouse will be affected by a data breach, followed by parents at 22%.
  

• Almost all (90%) of global respondents are ‘somewhat’ or ‘very’ familiar with password security best practices - but does being familiar mean putting into practice? Not exactly.

  • A majority of global respondents (32%) reuse passwords across 5-10 sites.

  • Almost one-fourth (21%) of respondents reset their passwords every day or multiple times a week.

  • Over half (55%) of global respondents rely on their memories to manage passwords.
    

• Over two-thirds (68%) of global respondents believe it is more important for a password to be secure than easy to remember - yet over half still rely on their memory to manage passwords. 

  • People know they should be secure, but still try to use their memories. However, there are tools readily available, at no cost, to help them.
    

• Memory is notoriously unreliable: Of the one-third of global respondents who use password managers, a majority (51%) started because they ‘kept forgetting’ their passwords.
  

• 2FA has gone global and this is a win for all: a majority (83%) of global respondents are ‘somewhat’ or ‘very’ familiar with 2FA.
  

• Despite documented data breaches and the ongoing risk of cyberattacks, password managers in the workplace have yet to truly take off. Only one-quarter (25%) of respondents are required to use a password manager at work.
  

• Proactivity, please: A majority (64%) of global respondents believe workplaces should provide employees with a password manager to protect credentials.
  

• Globally, most employees (68%) expect to return to the office - and the vast majority (83%) of global respondents believe employers should provide security tools and training specifically for remote work.

  • The sizable number (59%) of UK respondents who rely on ‘memory’ for password management may also explain the 35% who need to reset their passwords every day or multiple times a week. 

  • A notable 35% of UK respondents reset their passwords every day or multiple times a week.

  • Only 10% of Japanese respondents need to reset their passwords every day or multiple times a week.

  • A little over half (52%) of Japanese respondents use 2FA for work accounts, yet 72% use it for personal accounts. In other countries, a higher percentage of respondents use 2FA for work accounts.

  • Less than one-fourth (22%) of Japanese respondents use a password manager - lower than other regions.

Data breaches are a real and ongoing threat. According to the nonprofit Identity Theft Research Center, reported data breaches increased 14% in the first quarter of this year (404, up from 353 in Q1 2021). Almost all (92%) were the results of cyberattacks (versus system or human error). Phishing and ransomware attacks remain the first and second causes of data breaches. 

Understandably, this climate is reflected in the below findings. 

• Breaches are real and impact consumers, not just big companies.
  

• Respondents are most concerned about a spouse being affected by a data breach.
  

• Almost one-fourth (23%) of global respondents have been affected by a data breach.
  

• Over one-third (35%) of UK respondents have been affected by a data breach.
  

• Only 10% of Japanese respondents believe they’ve been affected by a data breach - but 16% also say they aren’t sure or don’t know.
  

• Globally, 35% of respondents are more worried about cyberattacks this year than last year.
  

• In the UK, 34% are more worried about cyberattacks this year than last year.
  

• In Japan, 34% are more worried about cyberattacks this year than last year.
  

• Globally, 28% of respondents are most worried their spouse will be affected by a data breach, followed by a parent at 22%.
  

• In the UK, respondents are almost equally worried about parents (30%) and spouses (29%) being affected by a data breach.
  

• In Japan, 30% of respondents are most worried about their spouse being affected by a data breach.
  

• Almost one-third (31%) of US respondents experienced a data breach last year, a number comparable to last year’s findings.
  

• Over half (53%) were notified by the organization that was breached.
  

• Over one-third (36%) are more worried about cyberattacks than they were last year.
  

• Almost one-third (31%) are most worried about a spouse being affected by a data breach, followed by a parent (20%) and child (18%).

  • This is a solvable problem. Bitwarden 2-person Organizations, available for free, enable users to share an unlimited number of passwords with a spouse, partner, or trusted loved one, at no cost.

This section gets to the heart of respondents' attitudes about and behavior with passwords in their personal lives. The findings are both encouraging and inconsistent, in that respondents value security, are very familiar with and use two-factor authentication, and generally use passwords that are the right length. And yet, they still engage in habits that have the potential to stymie the more positive behaviors.

• Two-factor authentication has gone global.
  

• Memories are unreliable, a factor that is driving people to use password managers, and evidenced by the almost quarter of global respondents who reset their passwords everyday or multiple times a day.
  

• People understand the concept of security best practices - but there’s still work to be done.
  

• When it comes to passwords, users believe it is more important a password be secure than easy to remember.
  

• A majority of respondents are managing passwords across 10-25 sites, which may help explain why the majority is also reusing passwords across at least 5-10 sites.

• Over half (60%) of global respondents use passwords that are between 9-15 characters.
  

• Almost all (90%) of global respondents are ‘somewhat’ or ‘very’ familiar with password security best practices.
  

• A majority (83%) of global respondents are ‘somewhat’ or ‘very’ familiar with 2FA.
  

• Almost three-fourths (73%) of global respondents use 2FA for work; over three-fourths (78%) use it for personal accounts.
  

• Over two-thirds (68%) of respondents believe it is more important for a password to be secure than easy to remember.
  

• A majority 41% of global respondents manage passwords across 10-25 sites.
  

• A majority of global respondents (32%) reuse passwords across 5-10 sites.
  

• Over half (55%) of global respondents rely on their memories to manage passwords.
  

• Over half (53%) of respondents never share their passwords with anyone in their personal life.
  

• Over one-third (34%) of respondents claim to use a password manager.
  

• Eventually, memory reaches its limit: of the one-third of global respondents who use password managers, a majority (51%) started because they ‘kept forgetting’ their passwords.
  

• Almost one-fourth (21%) of respondents reset their passwords every day or multiple times a week.

• 2FA has gone mainstream among consumers - both at home and in the workplace.
  

• When it comes to passwords, users believe it is more important a password be secure than easy to remember.
  

• A majority of respondents are managing passwords across 10-25 sites, which may help explain why the majority is also reusing passwords across at least 5-10 sites.
  

• Over half of US respondents (60%) use passwords between 9-15 characters. Over a quarter (26%) average between 6-8 characters - even though the ideal length is at least 14 characters.
  

• Over half of US respondents (60%) are ‘very familiar’ with password security best practices.
  

• While 56% of US respondents are ‘very familiar’ with 2FA, 44% are only ‘somewhat familiar’ or had not heard of it at all.
  

• A whopping 79% of US respondents use 2FA for workplace accounts and 77% use it for personal accounts.
  

• A majority of U.S. respondents (67%) believe it is more important for a password to be secure than easy to remember.
  

• A little less than half (41%) of U.S. respondents manage passwords across 10-25 sites.
  

• One-third (33%) of U.S. respondents re-use passwords across 5-10 sites.
  

• Among U.S. respondents, there is an almost even split between those who reset their passwords once-a-month (37%) and those who ‘rarely’ reset their passwords (also 30%).
  

• Almost half of U.S. respondents (49%) rely on their memory to manage passwords.
  

• A little less than half (44%) of U.S. respondents currently use a password manager.
  

• Nearly half (45%) of US respondents never share passwords with family and friends and over half (57%) never share with work colleagues. This may be due to the fact that the most popular methods for password management (memory, computer document) aren’t particularly conducive towards effective sharing.

• The concept of password security deeply resonates in the UK.
  

• 2FA has gone mainstream at work and at home.
  

• A majority of respondents are managing passwords across 10-25 sites, which may help explain why the majority is also reusing passwords across at least 5-10 sites.
  

• The sizable number of UK respondents who rely on ‘memory’ for password management may also explain the 35% who need to reset their passwords every day or multiple times a week. 
  

• Almost three-fourths (70%) of UK respondents use passwords between 9-15 characters.
  

• Almost all (99%) of UK respondents are ‘somewhat’ or ‘very’ familiar with password security best practices.
  

• Almost all (92%) of UK respondents are ‘somewhat’ or ‘very’ familiar with 2FA.
  

• Most (82%) of UK respondents use 2FA for work, while 81% use it for personal accounts.
  

• A majority (45%) of UK respondents manage passwords across 10-25 sites.
  

• A majority (36%) of UK respondents reuse passwords across 5-10 sites.
  

• A notable 35% of UK respondents reset their passwords every day or multiple times a week.
  

• 59% of UK respondents rely on memory to manage their passwords.
  

• A little less than half (43%) of UK respondents claim to never share their passwords with anyone in their personal life.
  

• Over one-third (37%) of UK respondents currently use a password manager.

The percentage of employers requiring password manager usage in the workplace is objectively small. Despite their documented effectiveness and low cost, password managers surprisingly haven’t yet become a common workplace staple. Employers should pay heed to the fact that employees want to be protected. From a cybersecurity standpoint, it's unlikely things will get much better, so the time to make these changes is now.

• Despite documented data breaches and the ongoing risk of cyberattacks, password managers in the workplace have yet to truly take off.
  

• One-quarter (25%) of respondents are required to use a password manager at work.
  

• A majority (64%) of respondents believe workplaces should provide employees with a password manager to protect credentials.

• Despite their documented effectiveness, password managers haven’t become a common workplace staple.
  

• Employees want employers to equip them with password manager software.
  

• Only 32% of respondents are required to use a password manager at work.
  

• Of the employees who work for organizations that do not require a password manager, 41% would like their employer to provide password manager software.
  

• Overall, 68% of respondents believe employers should provide employees with a password manager.

• While only one-third are required to use a password manager at work, the majority believe workplaces should take an active role in offering password management tools.
  

• Over one-third (34%) are required to use a password manager at work.
  

• Almost three-fourths (69%) believe workplaces should provide employees with a password manager to protect credentials.
  

• The percentage of Japanese respondents required to use a password manager is small - yet the majority believe workplaces should take an active role in offering password management tools.

• Only 14% of Japanese respondents are required to use a password manager at work.
  

• Over half (56%) of respondents believe workplaces should provide employees with a password manager to protect credentials.

Simply put, respondents want some of the people closest to them - their spouses and parents - to start using password managers. 

Add ‘using a password manager’ to the spouse wish list.

• Over one-third (36%) of US respondents want their spouse to start using a password manager, followed by a parent (selected by 18%).
  

Spouses and parents are highest on the ‘please use a password manager’ wish list.

• Globally, 33% of respondents would most like their spouse to start using a password manager.
  

• In the UK, 38% of respondents would most like their spouse to start using a password manager.
  

• In Japan, 28% would most like their spouse to start using a password manager, closely followed by a parent at 22%.

While there has been much debate about the merits of returning to work versus a hybrid approach versus continuing with remote work, the findings are clear: most people expect to return to the office. But, those who are remote expect to be supplied with the tools and education they need to keep their data protected.

Most employees expect to return to work - and those who are remote expect to be better protected.

• Almost two-thirds (72%) of employees expect to go back to the office full-time.
  

• Most US respondents (85%) believe employers should provide security tools and training specifically for remote work.
  

Globally, most employees expect to return to work - and those who are remote expect to be better protected.

• Globally, over two-thirds (68%) of respondents expect to go back to the office full-time.
  

• In the UK, 60% of respondents expect to go back to the office full-time.
  

• In Japan, 64% expect to go back to the office full-time.
  

• The vast majority (83%) of global respondents believe employers should provide security tools and training specifically for remote work.
  

• The vast majority (84%) of UK respondents believe employers should provide security tools and training specifically for remote work.
  

• Almost three-fourths (73%) of Japanese respondents believe employers should provide security tools and training specifically for remote work.