In 2026, Americans continue to make the same risky password mistakes. A new survey by PasswordManager.com of 1,500 U.S. adults finds that 83% don’t use a unique password for every account, and nearly two-thirds admit to using predictable patterns or personal information in their passwords.
Key findings:
Many Americans continue to use password elements that attackers can guess or pull from public information. About 65% admit to including at least one predictable pattern or personal detail.
The most common risky elements include: 26% use simple number or letter patterns (like “123” or “ABC”), 22% use a birth year or date, 20% use family names, and 20% use pet names. Another 17% use common words or phrases, and 6% even include the word “password.”
At the same time, most Americans don’t think their password habits are especially risky: only 5% rate their passwords as very risky, while 63% say their passwords are not very risky or not risky at all.
Only 16% of Americans report using a unique password for each of their accounts. Meanwhile, 20% say they use the exact same password for most or all of their accounts, and 32% say they reuse the same password with slight variations. Another 32% say they use unique passwords for most accounts, indicating that password reuse remains a common practice, even among individuals who attempt to vary their credentials.
Despite years of security warnings, many Americans still wait until a company forces them to update their passwords. For Google, email, and social media accounts, about 1 in 4 say they change passwords only when prompted, and roughly 8% to 9% say they never change these passwords. Even for financial accounts, 19% rely on reset prompts and 6% say they never update their password.
Among those who don’t change passwords frequently, the top barrier is remembering new passwords: nearly half (49%) say they worry they’ll forget them, while 40% say changing passwords is inconvenient. Another 31% say they don’t think it’s necessary, and 23% say they use a password manager.
This suggests the biggest hurdle isn’t awareness, but the perceived burden of password management.
“Fear of forgetting passwords is such a persistent barrier because of the time and effort it takes to reset a forgotten password,” explains information systems and cybersecurity expert Gunnar Kallstrom. “The best practice is having a complex and unique password for each account; however, remembering that many passwords is essentially impossible. The best solution is to use a password manager.”
When asked what would motivate them to change a password, the most common answers point to a mix of external pressure and personal risk: 58% cite a breach notification, 57% cite increased concern about security, 48% cite financial loss or fraudulent charges, and 43% say they’d change passwords if required by a company or service.
Approximately 43% of Americans report being notified that one of their accounts was involved in a breach, hack, or scam. Among those notified, most took action: 73% changed their password immediately, and 22% changed it eventually. Only 6% did not change their password.
Most Americans do not oppose stronger login security, but many only adopt it when required. For two-factor authentication (2FA), 43% set it up whenever available, while 43% only enable it when required. Attitudes are broadly positive, with 67% expressing a positive view and 12% a negative one.
Passkeys show similar openness: 74% are at least slightly familiar with them, and 66% say they are willing to switch. However, most say they need more reassurance or guidance, including 52% who want proof that passkeys are more secure, 44% who want a better understanding of how they work, and 32% who say a login prompt would make them more likely to adopt them.
“The simplest way to explain passkeys to someone who’s never used them is a modern, passwordless authentication method that replaces traditional passwords with cryptographic key pairs. Passkeys are safer than passwords because they are resistant to phishing attacks. They are different from 2FA since they replace passwords, whereas 2FA strengthens passwords but doesn’t remove risks associated with using them,” notes Kallstrom.
This survey was conducted via Pollfish in December 2025 among 1,500 U.S. adults. Results were post-stratified by age and gender to better reflect the U.S. population.
Pollfish collects responses using its Random Device Engagement (RDE) methodology.
To protect data quality, Pollfish applies multiple controls, including attention checks, speed checks, duplicate response prevention, and device-level fraud detection, which remove responses that fail quality thresholds prior to analysis. In addition, the survey included a red-herring attention check question to identify and remove responses from inattentive participants.