Psychology is surprisingly relevant in secure password management. The most common social engineering threats, like phishing emails, rely heavily on deceiving users into giving up their personal information without noticing the ruse. To help users protect their data from cybercriminals, we also need to understand how they use passwords and what password hygiene they apply. Although 2026 data shows that the average number of passwords users have has decreased, the risk landscape is yet to shrink — and some people are more susceptible to threats than others. A recent survey looked into users’ password hygiene habits to determine common patterns based on countries and age groups.
The average number of passwords has gone down — but the risk isn’t gone yet
NordPass has been tracking the average number of passwords users have since 2020. For the first few years, the number was steadily going up, peaking at 168 passwords in 2024. However, just two years later, it saw a pretty sizable drop down to 120. This decline is likely driven by users switching to quicker, more convenient login methods like single sign-on (SSO) using their Google or Apple accounts, as well as a switch to passkeys and biometrics for passwordless authentication.
Although the declining number of passwords is a positive and desired trend, it’s not the full story. The number of passwords in use is going down, as is the number of publicly disclosed data leaks. However, these incidents now involve much larger data sets — and that data includes mishandled passwords.
Password reuse tendencies have been a concern for a while — during a NordPass survey conducted in 2025, half of the German respondents stated they reuse passwords either out of convenience or because they assume the risk is overblown. If the credential storage is unreliable or passwords are reused, even the strongest login can be at risk.
Even SSO methods on their own aren’t foolproof. If the account you use for SSO — like a Google or a university email account — is compromised and its password appears in a breach database, it can unlock access to all other accounts you own, making you a prime target for identity theft. So even if the number of passwords used is lower and users opt for alternative login methods, one breached credential can lead to a whole network of accounts getting compromised. To feel more secure, users need two things: a strong password and reliable storage for it.
The role of password storage
Although cybercriminals often extract passwords through spoofed website login forms, insecure password storage methods are also exploited. Even if users try to add some variety to their password roster, they might use easily accessible tools, like messaging or notes apps, for storage. However, these tools don’t always offer end-to-end encryption and, once compromised, reveal their content to the criminals.
A multi-topic survey was conducted in several countries, including the US, the UK, Germany, and Italy, to determine how people store their passwords and what the reasons for their storage preferences are. The survey results also looked into age group and income distribution to determine the common habits among different demographic groups.
According to the survey, the vast majority of respondents prefer to store their login credentials in a browser-based password manager. Only a fifth of the respondents from Spain stated that they use a dedicated password manager, and that was the largest share among all surveyed countries. Italians were the least likely to use a dedicated password manager, while Germans picked relying on their memory as their second-most preferred password safekeeping strategy.
In the US, 18% of respondents said they combined both browser-based and third-party password managers. Similar numbers were seen in Canada, where the combined password storage was one of the more popular methods. In total, around 14% of all respondents picked a combination of storage methods as their go-to strategy — a mere 1% more than those who exclusively use dedicated password managers.
This raises some eyebrows: browser-based password managers don’t usually offer the same level of data security as dedicated tools. Furthermore, they’re connected to the user’s browser account. For instance, if you use Chrome as your default browser and password manager and your Google Account is compromised, criminals could log in to the browser and gain access to all credentials you store under that account.
Combining a browser-based password manager with a third-party tool is incorrectly assumed to be a safe way to maintain a backup log. However, if the passwords stored in the browser are compromised, the backup does little to help protect them.
Password reuse to save time also remains a problem. Nearly a quarter of respondents in Germany stated that they remember their passwords, with Australia and Canada trailing slightly behind at 18%. This reveals a tendency to reuse identical or similar passwords while neglecting security concerns. Such passwords are more likely to be breached and can set off a chain reaction in which all or most of the user’s accounts are compromised.
A smaller demographic stated that they don’t use any digital tool for password management and keep them written down instead. At 6%, this method was the least common among respondents from the UK. Meanwhile, 13% of French respondents also chose this method — more than the 11% who use the combined browser-based and third-party password manager strategy.
| Password use and storage research: Key details |
|---|
| The average number of passwords has gone down from 168 per user in 2024 to 120 in 2026. |
| On average, 40% of people store their passwords in their preferred browser’s built-in password manager. |
| German respondents show a low password-change rate and greater reliance on remembering their passwords. |
| Italian respondents use browser-based password storage the most and are least likely to use a dedicated password manager. |
| Globally, 54% of respondents have changed their longest-standing password within the past 12 months. |
| Gen Z is more comfortable with digital tools but the most reluctant to change passwords. |
| Baby Boomers update passwords more frequently but rely on less secure methods more often. |
| Low-income users are the most structurally underserved segment in password security and rely on non-technical solutions the most. |
| High-income respondents show the highest password manager adoption and the lowest reliance on memory or handwritten passwords. |
Methodologies:
The quantitative research on average password use was conducted by NordPass on April 4-15, 2026, and included 1,509 NordPass users.
The quantitative research on password storage habits was conducted by Nord Security on March 26-April 6, 2026, and included 7,861 residents from Australia, Canada, France, Germany, Italy, Spain, the UK, and the US, aged 18-74.
The “digital native” paradox
The password storage survey also looked into how frequently users update their passwords. Globally, more than half of all respondents stated they’ve updated their longest-standing password within the past year. Italy stood out here as the country with the highest share of recent password changes and the lowest number of passwords that have not been changed in over a decade.
German respondents’ results were the polar opposite: the lowest share of respondents (47%) have recently updated their password. In the US, 14% of respondents couldn’t remember the last time they changed their password.
Interestingly, the age-based demographic analysis subverted the usual stereotypes about “digital natives.” Although Gen Z is often presumed to have a good understanding of digital tools (and, by extension, cybersecurity), the 18-24s were most likely to never change their password, and the least likely to change it within a year. In fact, the password change recency trend went up with age, peaking with the 55-64-year-old group.
Paradoxically, although younger users changed their passwords the least, they were far more likely to use either browser-based password managers, third-party tools, or a combination of the two. Likewise, the older demographics changed their passwords more frequently but relied more heavily on writing them down or simply remembering them.
This shows the lack of a common standard among all demographic groups: none prioritized both annual password changes and digital storage. The split password handling preferences contrast with the outcomes of the 2026 top 200 most common passwords report, which revealed that younger and older generations tend to pick the same easy passwords. Users’ tendency to default to easier, more vulnerable passwords, combined with inconsistencies in secure password storage, makes such credentials a higher-risk target in cyberattacks.
What feeds into a false sense of security?
Although the overall picture of password use and storage trends is leaning positive, cybersecurity experts can’t ignore the glaring potential data risks in users’ habits. What leads to such similar password protection practices across different countries?
In terms of password storage, convenience is a key player. Although login steps usually appear simple, they can be a hassle to a user if they forget their login details. This leads them to use the same password for different accounts to avoid having to reset it over and over. Built-in password managers offer a simple solution — store the login details in your browser and autofill them when you need them.
This creates a false sense of security — users think their passwords are safe, and they don’t need to remember them. However, it’s not always explicitly clear what protocols browser password managers use, which means the user can’t know how secure the stored data truly is. If their device is compromised and the hacker gains remote access to the browser, they can find all login details then and there.
Websites themselves can contribute to weaker password practices and a reluctance to update passwords. According to NordPass’ research into the top 1,000 most visited websites, only 1% required their users to create passwords that meet the best security practices. The standard recommendation is to enforce a minimum password length, require the use of special characters, and support case sensitivity for letters. However, if websites don’t enforce these rules, users create weaker, easier-to-remember passwords by default.
Societal reasons, like a lack of education on digital hygiene, can also play a role here. Digital hygiene skills cover user behavior online, account management, device and software upkeep, and appropriate handling of work and personal services. Dedicated tools, like password managers, VPNs, and antiviruses, help users improve their digital hygiene and keep sensitive data protected.
However, advanced security tools are more readily available to higher-income users. According to the research, low-income users are the most structurally underserved in terms of password security because their access to and awareness of dedicated password protection tools is more limited. Instead, they are more likely to rely on unencrypted messages and written notes to safekeep their data.
High-income users have broader access to information and password management services. This can often come from work, if companies require dedicated tools to manage and share employee accounts. They are also more likely to use a paid service and have shown a much higher rate of password management adoption. Access and awareness are essential in improving users’ password management, as well as helping them recognize and avoid social engineering attacks.
Small changes to digital hygiene go a long way
Based on the research findings, we see three pillars of necessary growth — convenience, standardization of password requirements, and education on digital hygiene. You can bridge these gaps by following simple digital hygiene tips:
Use a standalone, third-party password manager. Dedicated tools like NordPass use robust encryption to protect sensitive data from external threats. They also have features like autofill and autosave to streamline the sign-up and login processes. NordPass also comes equipped with additional features to help detect vulnerable passwords and compromised data.
Switch to passwordless authentication. If possible, update your login method to prioritize biometric authentication like passkeys. They let you prove your identity and access your account with a click, eliminating the need to juggle multiple complicated passwords.
Ensure all accounts use unique, strong, and reliable passwords. Creating different passwords breaks the reused password chain where one compromised password puts other accounts at risk. A password generator helps ensure your credentials meet security requirements.
Keep your devices up to date. Make sure your hardware and software are well maintained. Stay on top of security updates, especially for apps you use to store sensitive data.
Read updates on cyber threats. AI-powered tools are changing the cybersecurity threat landscape constantly. Keep an eye on reports about common schemes and exploits so you can identify them if you become a target.
Get the right tool for your password needs. Cybersecurity is a valuable investment, but it doesn’t need to break the bank. You can get the free NordPass plan and access unlimited password storage. If you want to unlock advanced protection and features like Password Health, Data Breach Scanner, and Authenticator, you can upgrade to Premium any time.
Bottom line
Although the positive change in password use and storage habits is welcomed, users still have plenty of room for improvement. With passwordless authentication becoming more readily available, the key mission now is to continue making cybersecurity and digital hygiene awareness easily available for different demographics, as well as ensuring users can easily access the necessary tools to keep their data protected to a high standard.