Top 10 Countries with the Weakest Password Habits

ZeroBounce analyzed breach data from dozens of countries and discovered that people in Germany, Portugal, and Australia use some of the weakest passwords in the world. 

Passwords still protect everything – your inbox, your bank account, your business.

Even in an age of facial recognition and passkeys, millions still use “123456” or “password1” to protect their most sensitive accounts. And in some countries, that risky behavior is even more common.

We dug into the data to see where password habits are falling short and which countries are most at risk.

The 10 countries with the riskiest password habits

Here are the countries with the most vulnerable passwords per 100,000 residents.

Germany ranks far ahead of the rest, with more than 360 exposed passwords per 100,000 people, nearly five times the rate of Portugal, the next country on the list. 

Even countries with the world’s most developed cybersecurity ecosystems, like the U.S. and the UK, appear in the top 10. That means millions of accounts in the most connected countries are wide open to basic attacks – not because protection measures aren’t available, but because they aren’t being used.

Meanwhile, emerging economies like India, Mexico, and Indonesia rank near the bottom, showing that weaker infrastructure doesn’t always mean weaker password habits.

The takeaway is clear: high connectivity doesn’t guarantee better habits, and in some cases, it masks just how weak they are.

Password habits: a region-by-region breakdown

When we zoom out, we see sharp contrasts between global regions:

• Europe leads with 74.8 vulnerable passwords per 100,000 residents – nearly 9x higher than Asia and 18x higher than Africa.
• North America shows moderate per capita exposure, though the U.S. ranks 6th globally.

Interestingly, password culture varies by country. In Italy, for example, football team names are commonly used as passwords. In France, users often default to “azerty,” their keyboard layout. 

Globally, simple patterns like names, birth years, and keyboard sequences are still widely used and widely exploited. And when habits stay predictable, so do the breaches.

Weak passwords, big risks

A single compromised password can lead to identity theft, phishing attacks, and large-scale data breaches. In fact, Verizon has reported that the majority of hacking-related breaches stem from stolen or weak credentials – historically as high as 80%. That makes password security one of the most important, and often most overlooked, parts of cybersecurity.

The way attacks happen is changing, too. Today’s hackers don’t rely on guesswork – they use AI-powered tools to test billions of password combinations in seconds.

Add to that the billions of exposed logins already available online, and you get the clear picture: if someone reuses a password, there’s a good chance it’s already been compromised.

However, that risk isn’t evenly spread. Some countries are seeing much higher rates of exposed passwords than others. These patterns reveal how password habits vary around the world and where the biggest gaps in security still exist.

How we ranked the countries with the worst password habits

To identify where poor password practices are most common, we analyzed government-sourced credential breach data and calculated the number of vulnerable passwords per 100,000 residents across dozens of countries.

Looking at per capita figures gives a more accurate view of individual behavior. A country with a large population might show a higher total number of breaches, but that doesn’t always mean people are more careless. By focusing on the number of exposed passwords per 100,000 people, we were able to pinpoint where risky password habits are most concentrated.

Why it matters 

Weak password habits create risk across entire systems. For individuals, that can mean stolen accounts, identity theft, and unauthorized access to personal data. For businesses, it means more exposure to account takeovers, phishing attempts, and brand damage. For email teams, it means lower deliverability when compromised addresses bounce or get flagged.

Cybersecurity expert: The simplest solutions work best

As our Head of Cybersecurity, Vlad Cristescu, puts it: “The simplest solutions are often the most effective—when people actually use them.”

Start with good habits: strong, unique passwords. A password manager to keep them organized. Multi-factor authentication for an extra layer of protection. And for businesses, a clean email list.

“Small changes go a long way – and lead to fewer problems down the line.”

The clearest lesson from the data

The data makes one thing clear: weak password habits are still a global problem, and no country, no matter how advanced, is fully immune. The good news is, what needs fixing isn’t the tech – it’s the way we use it. The power to change that is in our hands.

Whether you’re securing a personal inbox or an enterprise system, it all starts the same way: strong credentials, smarter habits, and a focus on the fundamentals.