:format(avif))
:format(avif))
Everyone has done it at least once. You sign up for a new streaming trial at 11 PM, the site asks for an 8-character password that includes a symbol, but you shrug and reuse that old and faithful “Snowboarding!19” you’ve had since high school. In less than a minute, you’ve solved your problem—and created one for every other account that shares that same password.
Our latest study shows that this kind of shortcut isn’t rare—it’s ordinary. So let’s break down the findings and get into the weeds of the troubling practice that is password reuse.
Contents:
Inside the 2025 NordPass password reuse survey
To measure just how regular the habit of password reuse remains, NordPass commissioned an independent research team to conduct interviews with 1,727 adults—619 Americans, 605 Britons, and 503 Germans. The questionnaire dug into 3 areas:
How often people reuse logins.
How many passwords and accounts the habit affects.
Why they still do it in 2025.
United States
62% of Americans confess they “often” or “always” reuse a password.
The median reuser juggles 3 core passwords that unlock about 5 different accounts.
Half say they do it because it is “easier to remember fewer passwords,” and 1 in 3 feel overwhelmed by the sheer number of services they use each month.
A troubling 11% see “no significant risk” in repetition—proof that experience, not warnings, drives behavior.
United Kingdom
60% recycle logins.
Memory anxiety eclipses convenience: 40% fear they will lock themselves out if every password is unique.
Convenience and “too many accounts” tie for second place, and the same 11% shrug off the threat altogether.
Germany
50% reuse passwords, the “best” score but still a coin toss.
Convenience is the main motive for 37% of German reusers, with 29% citing account overload.
13% believe repetition is practically harmless.
Taken together, the data say one thing: roughly 57% of consumers across 3 advanced economies still bet on duplicate credentials. That is a majority large enough to keep credential‑stuffing operations profitable for years.
Why people still reuse passwords
Respondents fell into 4 overlapping camps when it came to explaining their password reuse habits:
The memorizers. About half of the Americans, 43% of the Britons, and 37% of the Germans who participated in the survey say they reuse passwords because it is “easier to remember fewer passwords.”
The overwhelmed. Around 30% in each country cite “too many accounts” to manage different passwords.
The anxious. Fear of forgetting unique logins peaks at 40% in the UK, 38% in the US, and 31% in Germany.
The skeptics. Between 11% and 13% have never had to deal with the consequences of being breached and assume the risk is overblown.
How cybercriminals take advantage of reused passwords
Reuse turns one leak into a chain reaction. If hackers steal your password from a single site, they can try the same login on every other service you use—email, banking, work apps—until one opens. That’s why password reuse matters. And the criminal economy around stolen logins is on an industrial scale. It moves fast. Once a breach hits the dark web forums and marketplaces, there are multiple ways for bad actors to profit from stolen and reused credentials.
Credential stuffing. Attackers equipped with vast quantities of reused credentials load millions of user-password pairs into botnets that fire automated logins. Even a 1% success rate nets thousands of working accounts.
Account takeover. A reused password—usually exposed in data breaches—that opens your email inbox lets cyber crooks reset everything else—cloud storage, cryptocurrency wallets, emails, etc. The initial foothold becomes a pivot point into higher‑value targets.
Social engineering. With control of social or business accounts, criminals study message history and craft believable requests: “Can you approve this invoice?” or “Forgot to pay the supplier—use this account.” Victims respond because the request comes from what would appear to be a trusted identity.
The role of businesses in preventing password reuse
Companies sit on both ends of the password reuse problem. They must protect their staff from careless habits, and shield customers whose credentials may already be up for sale on the dark web. There are a few ways organizations can tackle the problem.
Reject reused credentials
During the signup or password reset process, the site should check the proposed password against a breach database. If the string has appeared in past leaks—or looks identical to one already on file—the user sees an offer to choose something stronger. Also, embedding a one‑click password generator would remove friction.
Layer authentication
Multi‑factor authentication stops automated takeover even when credentials leak. A growing number now leapfrog passwords altogether by offering FIDO passkeys — device‑bound cryptographic secrets that can’t be reused or phished.
Security training
Companies that run frequent, hands‑on security workshops experience far fewer cases of employees reusing credentials. Demonstrating how quickly a single compromised login can ripple through an entire network makes it clear that password reuse is a very bad habit.
Password manager adoption
Many companies now encourage—or even require—the use of business password managers. When staff have a secure vault for their logins, they’re far less likely to recycle passwords. Most vaults also include built-in password generators that create strong, random strings on demand, taking the guesswork out of crafting robust credentials.
How to stop reusing passwords
To effectively break the habit of password reuse, all you need is a workflow that treats strong, unique credentials as the default rather than the exception. Here are some pointers on how you can do that.
Adopt a password manager
Tools like NordPass generate, sync, and autofill passwords across devices. The user remembers one Master Password; the vault remembers the rest. A built-in Password Generator produces random, high‑entropy strings at the click of a button, eliminating the temptation to ring in the new year with P@ssw0rd2026.
Consider passkeys
A passkey pairs public‑key cryptography with device biometrics, so there’s nothing to type, nothing to forget, and nothing to reuse. Many major platforms already support them; our What is a passkey? explainer walks you through setting one up for the first time. Where passkeys are unavailable, turn on MFA to add a second check that attackers can’t guess from a breached list.
Audit dormant accounts
Old forums, shopping sites you used once for a novelty gift, that abandoned fitness‑tracking app—each is a latent vulnerability if it shares credentials with active services. Close the account, or at least reset the password to something unique. Browse our annual list of the most common passwords for inspiration on what not to choose.
Final thoughts
Password reuse thrives on short‑term convenience and long‑term optimism. Our survey shows that 57% of users in 3 mature digital economies still rely on that optimism, even as criminals industrialize credential theft. The cure is hardly exotic: password managers, layered authentication, and a realistic assessment of risk. Breaking the habit doesn’t demand perfect vigilance, but rather a willingness to trade poor memory tricks for purpose‑built tools.