We receive compensation from the products and services mentioned in
this story, but the opinions are the
author's own. Compensation may impact where offers appear. We have not included all available products or offers.
Learn more about
how we make money
and
our editorial policies.
Advertiser Disclosure
All About Cookies is an independent, advertising-supported website. Some of the offers that appear on this
site are from third-party advertisers from which All About Cookies receives compensation. This compensation
may impact how and where products appear on this site (including, for example, the order in which they
appear).
All About Cookies does not include all financial or credit offers that might be available to consumers nor
do
we include all companies or all available products. Information is accurate as of the publishing date and
has
not been provided or endorsed by the advertiser.
Close
Editorial Policy
The All About Cookies editorial team strives to provide accurate, in-depth information and reviews to help
you, our reader, make online privacy decisions with confidence. Here's what you can expect from us:
All About Cookies makes money when you click the links on our site to some of the products and offers that
we mention. These partnerships do not influence our opinions or recommendations. Read more about how we
make money.
Partners are not able to review or request changes to our content except for compliance reasons.
We aim to make sure everything on our site is up-to-date and accurate as of the publishing date, but we
cannot guarantee we haven't missed something. It's your responsibility to double-check all information
before making any decision. If you spot something that looks wrong, please let us know.
Close
Everything from streaming apps to web browsers requires a password. But if you have multiple devices and potentially hundreds of logins, that’s a lot of passwords to keep track of.
So how exactly do people create and track their passwords? And how many people are using unsafe password practices that put their digital security at risk? How many different passwords does the average person even use?
To find the answers to these questions, the All About Cookies team surveyed 1,000 U.S. adults about their password habits.
22% of people report that they frequently forget their passwords, and another 51% say they occasionally forget them.
59% say one of their passwords has appeared in a data breach, showing how widespread credential exposure has become. 41% still use a password even after it has been exposed in a breach.
Password fatigue is widespread, with 73% saying they feel overwhelmed managing passwords.
Thanks for subscribing!
Please check your email for your first message.
Take back control of your privacy.
Join thousands who get our privacy-first newsletter every week. No spam. No nonsense.
By submitting this form you agree to receive emails from All About Cookies and to the
privacy policy and
terms.
Does the average person use risky passwords?
When it comes to creating a strong password, best practices are to avoid incorporating personal information, instead encouraging the use of words and combinations that are more random to increase security.
Following those best practices can create passwords that are harder for hackers to crack, but they can also be harder for users to track and remember compared to passwords that incorporate elements of their personal life. Given a choice between safer but harder-to-remember passwords vs. less secure but easier-to-recall ones, the majority of people, unfortunately, choose the latter.
82% of people use at least one unsafe or researchable piece of information in passwords they regularly use. Nearly one-third of people use their favorite number, and more than one-fifth use the name of a pet or reuse passwords they have used for other accounts in the past. That makes those the most common pieces of information people incorporate into their passwords. Around one in five people also said they use the name or birthday of a loved one, their own birthday, or include a loved one's name in their current roster of passwords.
On a more encouraging note, a quarter of users said they utilize passwords created by a password generator, which are designed to be complex and difficult to crack. Additionally, 22% say they use a string of random words at least some of the time, another strong security practice.
Many are still using passwords even after they’ve been breached
Data breaches that expose user data, including login credentials, are a frustratingly common occurrence these days. While best practices would dictate changing passwords once you know they have been compromised, how many users actually take the time and effort to do so?
Nearly three-in-five respondents report that they have discovered a password of theirs included in a data breach or hack. Astoundingly, more than 40% of those who have had a password compromised in this way say that they did not change the password in question and continued using it despite the fact that it had been publicly exposed. This may speak to a greater data breach fatigue, as many users hear about data breaches so frequently that they find it hard to treat them as seriously as they probably should.
How people keep track of their passwords
In an increasingly digital world where it feels like every single app and website asks users to create a new account, it can feel overwhelming to try to keep track of dozens of different login passwords, with different users taking different approaches to managing this modern problem.
The most common way respondents said they track passwords is by memorizing them, an approach that 35% of people utilize. Nearly the same number (34%) use a dedicated password manager program. Half that number, 17%, choose to physically write their passwords down on something like a piece of paper or sticky note, the only other method used by more than 10% of people.
How many people reuse and share passwords
Sharing login information with friends and family members has become increasingly common in an era where things like streaming services, collaborative social media accounts, and more are popular. We found that more than half of the population (51%) shares passwords and other login information for at least one of the account types shown below.
Video streaming service passwords are the most commonly shared — 42% of people admit to giving their login information to someone else. There is a big drop-off in password sharing from there, as 16% share device passwords for things like phones, tablets, and computers, which is the second most common type of shared password. 10% of people share email and music streaming passwords, while 8% share login info for bank accounts and digital subscriptions (such as online newspapers).
How widespread is password fatigue?
With the average person having dozens of accounts and passwords to manage, it can be easy to forget some of them entirely.
In fact, more than one-fifth of respondents, 22%, said they often or very often forget passwords, while an additional 51% report sometimes forgetting them.
The frustrations that come from creating, tracking, and sometimes forgetting so many passwords on a day-to-day basis are all contributing factors to the fact that nearly three-quarters of users (73%) say they are suffering from password fatigue, the feeling that they have too many passwords in their lives to keep track of them all. While the need for passwords isn’t going away anytime soon, using a dedicated password manager can be a helpful and convenient way to create, organize, and store them.
Advice from the experts
Keeping track of all the different passwords for all the accounts housed online can be tedious. However, healthy password habits are imperative for keeping yourself safe online. The All About Cookies team asked a panel of experts to gain further insight.
How often should people change their passwords to ensure they are protected?
Unlike most common practices, research has shown that changing passwords frequently may result in weaker passwords or reuse of passwords. Hence, NIST (the National Institute of Standards and Technology) does not recommend changing passwords frequently. The best guideline is to change [your password] when there is a breach, or every 365 days. In addition, NIST recommends having lengthier passwords rather than complex ones with special characters. Hints for passwords should also be avoided.
Passwords should be changed frequently. Likewise, you really want to use different passwords for different applications. The sheer number of required passwords today presents a challenge to the average technology user, but the alternative of getting hacked or having your identity stolen is a high price to pay.
The fact is, there is a percentage of people out there who have not changed their passwords in years despite not realizing that the same password was hacked five years ago and has been circulating the dark web for years. The only safe approach today is to use completely different passwords and change them often. If you write the passwords down somewhere, you have opened up another possible weak point.
What are some best practices for people to avoid getting their passwords compromised or leaked?
Nowadays, having only single-factor authentication makes people highly susceptible to breaches or compromise. First and foremost, people should always use at least two-factor authentication. Each factor should be from different categories of authentication.
These categories include:
Something you know (knowledge). Examples: password, PIN, passphrase
Something you have (token). Example: smart cards
Something you are (static biometric). Example: fingerprints
Something you do (dynamic biometric). Examples: voice patterns, handwriting
So, for example, biometrics (such as fingerprints or facial recognition), one-time codes, or authenticator codes should be used in combination with your password. NIST guidelines, however, indicate that biometrics should be used in a limited capacity.
In addition, when choosing a password, people need follow these guidelines:
The password is not in the dictionary, doesn’t have hints in it, and isn’t context specific. (For example, the password has part of the user’s name or username in it.)
It's not reused on other websites. Reuse also means having a password that only differs by one character.
It hasn’t been leaked. If a password has been leaked, they should never, ever reuse it.
It’s stored properly. Passwords should be stored in secure places and should be encrypted.
Is not easily guessable through social engineering.
Does not include repetitive characters such as “aaa."
Does not use known passwords. Passwords such as “password” should be avoided. Known passwords could also be passwords obtained from previous breach corpuses or dictionary words.
The password is long. Length is more important than complexity.
There are several simple things you can do to avoid getting your password compromised or leaked. First, when you create a new password, do not use any previously used passwords. Make sure your new password includes upper- and lower-case alphabetic characters, numbers, and special symbols (such as !@#$%^&*,.). [Do not use] any names or recognizable words.
There are several free or inexpensive password keepers on the market, and using one of these typically provides a secure vault for storing your passwords and autofilling them into your applications when necessary.
The first might seem obvious, but don’t stick it to your computer with a sticky note. Likewise, do not write it down in a file with all your other passwords and save the file as, “Saved Passwords.” Hackers are far more sophisticated today than even a few years ago. Whether the bad actors originate from a nation-state or organized crime, the dark web is filled with passwords stolen from previous data breaches.
As the bad actors have honed their skills, so, too, have they honed their tools for “guessing” passwords. Hive Systems has developed an interesting table with estimated times it takes hackers to crack various password combinations. We know that a 12- to 14-digit password mixing capital letters, numbers, symbols, and letters can be much more difficult for a determined hacker. The days of using your anniversary, a child’s birthdate, or your mother’s maiden name should be well behind you.
Think of a verse from your favorite poem and then use the first letter from each word in the third sentence, mixed with symbols, numbers, and capitalization, and you’ll start to have a level of difficulty necessary in today’s security climate.
Are there risks with using password managers to save your passwords? (e.g., LastPass, Google Password Manager)
Generally, it is a good practice to use secure and verified password managers. It helps users have longer passwords and avoid reusing passwords. However, as with anything, this can also be risky. Some password managers have been susceptible to breaches and leaks. It is important to know which password managers provide better security, have minimized risks, and learned from breaches. Google or Apple password managers are good options. There are also many other password managers that provide a good level of security.
Password managers use encryption technology that ensures that only the user with the correct key or password to the password manager can access their passwords. Not even the companies that operate the password manager can access the user's passwords. So, you are only as good as the one single password you use to unlock your password manager. It's either best to always remember just one password or to use a biometric marker or face ID to unlock your password manager.
A question like this reminds me of the old maxim, “Don’t keep all your eggs in one basket.” Now, is it easy to use a password manager? Yes. Is it handy not to have to memorize a dozen different passwords? Yes. Are we safer using a password manager than not? Well, it depends.
Many password managers are protected by, yes, passwords. Relying on one single password to protect all your other passwords might be more convenient and efficient. However, as with most security precautions, being the most convenient or efficient has to be weighed with the potential damage if your passwords are compromised. This is highly dependent on a number of factors, including the difficulty of the password, how frequently it is changed, [and if it is] duplicated elsewhere, for example.
This is not to say that there are not some very good password managers out there. However, one must always consider a number of factors. Is there one correct answer for everyone? Well, if everyone could remember an alphanumeric password with 15 characters including random symbols and capitalization, then there would be no need for other resources. However, because each of us now has potentially dozens of passwords to use every day, the individual user must consider a range of risk factors to determine their own best course of action.
The practice of multiple passwords is still relatively new and we are still learning what best practices look like. For some people, having a password manager might be their best solution. For other users, it may not.
Some responses may have been slightly edited for clarity and brevity.
Tips for better password protection
Use a password manager. If you're not currently using the best methods to store and manage your passwords, then switching to a password manager can help keep your accounts safe. Check out our guide to the best password managers.
Protect yourself with a VPN. If you use public Wi-Fi networks regularly, then protect your data with one of the best VPNs.
Methodology
All About Cookies surveyed 1,000 U.S. adults on their password-keeping practices, as well as how they manage and share their passwords.
#1 Password Vault for Seamless Data Security
4.9
AllAboutCookies writers and editors score products based on a number of objective features as well as our expert editorial assessment. Our partners do not influence how we rate products.
Josh Koebert is a seasoned data journalist whose work has appeared in top-tier outlets including CNET, PCMag, Forbes, TechCrunch, and a range of other respected media platforms. His work explores topics relating to privacy, data security, and technology in an increasingly digital world.
/images/2026/03/31/whats-in-a-password-2026.png)
/images/2026/03/31/data-breach-blues-2026.png)
/images/2026/03/31/how-people-keep-track-of-their-passwords-2026.png)
/images/2026/03/31/most-commonly-shared-passwords-2026.png)
/images/2026/03/31/how-often-people-forget-passwords-2026.png)
#1 ranked password manager with a strong history of security
/images/2025/08/08/aura_password_manager_review.jpg)
/images/2023/03/23/keeper_password_manager_review_2.jpg)
/images/2025/12/30/best_free_password_managers.png)
/images/2025/12/12/keeper_vs._1password.jpg)
/images/2025/12/01/total_password_review_featured_image.jpg)
/images/2025/10/28/nordpass_vs._bitwarden.jpg)
/images/2025/09/21/1password_vs._aura_password_manager.jpg)
/images/2025/09/21/nordpass_vs._aura_password_manager.jpg)
/authors/josh_ai_headshot.jpg){kind=small}
/authors/kalleigh-lane-new.jpg){kind=small}
/images/2025/02/12/sepideh-ghanavati-headshot.jpg)
/images/2025/02/12/daniel-ostergaard-headshot.jpg)
/images/2025/02/12/david-bader-headshot.png)
/images/2025/02/12/sachin-shetty-headshot-2.jpg)
/images/2023/03/09/logo-nordpass.png){kind=logo}
/authors/josh_ai_headshot.jpg)