August 20, 2025
Americans Keep Using the Same Passwords, Even as Attacks Surge

Despite years of high-profile breaches and phishing scams, almost half of U.S. consumers still admit to reusing the same password across multiple accounts, according to a new survey commissioned by Yubico.
The nationwide study, conducted by Talker Research across the ten largest metro areas, shows a country that believes it’s security-conscious but continues to rely on outdated practices.
While 62% of respondents said they feel confident spotting phishing attempts, 39% still reported falling victim to some form of cyber incident within the last year.
Perhaps most concerning, only 3% of consumers recognised hardware security keys as the strongest method for stopping phishing attacks, despite their proven effectiveness. Most users continue to lean on text message codes for two-factor authentication.
Ronnie Manning, Yubico’s chief brand advocate, said: “[Consumers] are overconfident in their safety, yet they still hold on to risky habits that can be tempting for today’s modern hackers.”
Security Gaps by City
Patterns vary by region, but the same risky habits appear coast to coast. In Los Angeles, 19% of respondents admitted to changing their passwords only after a breach or prompt, while in Denver, half of residents reported using the same password for multiple accounts. By contrast, San Francisco leads in the adoption of passkeys, with 64% enabling them whenever possible.
In the South, Atlanta stands out for stronger MFA adoption (62%), while Texas respondents revealed one of the most old-fashioned practices—using their pet’s name as a password (13%).
Meanwhile, Washington, D.C. residents expressed the highest concern over their banks being hacked, with 42% listing financial institutions as their top worry. Still, that concern has not translated into widespread adoption of phishing-resistant security methods.