The survey used a sample group of 1,000 Web sites over a 90-day period, during which Incapsula recorded more than 1.4 million unauthenticated access attempts and 20,376 authenticated logins.
While 2.8 percent of the unauthenticated attempts were made by human visitors (presumably typing the wrong password, etc.) and another 1.8 percent of the visits were made by benevolent bots (search engines, RSS readers, etc.), the remaining 94.1 were made by automated tools designed to exploit password-related security flaws.
"Simply put, this means that on average 15 of every 16 visitors to your login page have ill [intentions] in mind," Incapsula's Igal Zeifman wrote in a blog post explaining the results. "The seemingly high ratio of malicious visits is, in fact, all but expected -- especially considering the recent waves of large-scale Brute Force attacks and the overall increase in APT events and other password-related hacks."