Password Reuse Rampant: Despite Rising Phishing, Half of Americans Still Sharing Their Logins

08/19/2025 – 03:01 AM

New Survey From Yubico Reveals Which U.S. Cities Are the Savviest (and Laziest) When It Comes to Cybersecurity

STOCKHOLM & SANTA CLARA, Calif.–(BUSINESS WIRE)–
Regulatory News:

Yubico (NASDAQ STOCKHOLM: YUBICO), a cybersecurity firm dedicated to fortifying the digital realm, has released a new survey revealing a stark contrast in cybersecurity habits across America’s major metropolitan areas. While innovation hubs and financial centers grapple with sophisticated threats, the survey highlights a concerning trend: nearly half of Americans (48%) are still compromising their online security by reusing passwords across multiple accounts. Even more alarming, a mere 3% consider hardware security keys, the gold standard in phishing protection, as their preferred security method.

The study, conducted by Talker Research, delved into the digital behaviors of residents in the top 10 U.S. metro markets, exposing a nation that, while seemingly security-conscious, continues to make fundamental security errors. From password fatigue to an inflated sense of ability to detect AI-driven phishing schemes, the survey paints a picture of cities excelling in security and those lagging behind, ripe for exploitation.

“Yubico’s findings are a clarion call, exposing a widespread illusion of security when it comes to online accounts,” commented Ronnie Manning, Yubico’s chief brand advocate. “There’s a considerable overestimation of safety, yet risky behaviors, readily exploited by today’s cybercriminals, persist. The YubiKey is more than just a product; it’s a declaration that says your security is paramount. It empowers individuals to safeguard their entire digital existence with a single, simple touch.”

City-by-City Breakdown: The Digital Security Report Card

New York vs. Los Angeles: With nearly 50% of respondents admitting to password reuse, it’s anyone’s guess how many New Yorkers are using the same credentials for their banking app as they are for their local deli’s loyalty program. In sprawling Los Angeles, where gridlock is a way of life, perhaps it’s no surprise password updates are infrequent, with 19% only changing them when prompted or after a security breach. The takeaway: convenience shouldn’t trump caution.
Seattle vs. Denver vs. San Francisco Bay Area: As tech titans battle for supremacy, Seattle and San Francisco stand out for their proactive embrace of Multi-Factor Authentication (MFA), with 70% and 67% adoption rates, respectively. The Bay Area goes a step further, with a remarkable 64% actively utilizing passkeys whenever possible, signaling a move toward passwordless authentication. Meanwhile, Denver, often touted as the next major tech hub, lags considerably. Half of Denver residents confess to reusing passwords, and a concerning 11% don’t employ any security measures beyond basic passwords. Is Denver’s security posture a ticking time bomb?
Chicago vs. Atlanta: While a solid 22% of consumers still cling to the belief that strong, unique passwords are the ultimate defense, they’re failing to see the bigger picture. MFA is the real game-changer. Atlanta, on the other hand, is demonstrating a proactive approach, with 62% of consumers actively enabling MFA when available. Perhaps Southern hospitality extends to protecting your digital neighbors from cyber threats.
Dallas-Fort Worth vs. Houston: In the heart of Texas, are residents still naming their passwords after their beloved pets? A startling 13% of respondents admitted to this practice. Let’s amplify security efforts to match the scale of everything else in Texas! It’s time to ditch Rover’s name and adopt robust authentication methods.
Washington, D.C. vs. New York City: In the nation’s capital, 42% of residents expressed concern about potential hacks targeting their financial institutions. Competition is fierce when it comes to passkey adoption, with 61% of New Yorkers and 62% of D.C.-area residents embracing the technology to safeguard their digital accounts. The race is on to secure citizens’ digital assets.

Beyond these city-specific insights, the survey revealed a disconnect between perceived and actual security. Despite a majority (62%) claiming confidence in their ability to identify phishing attempts, 39% reported experiencing a cybersecurity incident within the past year.

While MFA adoption is on the rise (64%), the survey highlights that most opt for less secure methods, such as SMS codes. The critical point: only hardware security keys offer 100% protection against phishing attacks. As cyber threats continue to evolve, organizations and individuals must prioritize robust, phishing-resistant authentication methods.

For more survey insights, see here.

About Yubico

Yubico (Nasdaq Stockholm: YUBICO) is a modern cybersecurity company on a mission to make the internet safer for everyone. As the inventor of the YubiKey, we set the gold standard for modern phishing-resistant, hardware-backed authentication, stopping account takeovers and making secure logins simple.

Since 2007, we’ve helped shape global authentication standards, co-creating FIDO2, WebAuthn, and FIDO U2F, and introduced the original passkey. Today, our passkey technology secures people and organizations in over 160 countries—transforming how digital identity is protected from onboarding to account recovery.

Trusted by the world’s most security-conscious brands, governments, and institutions, YubiKeys work out of the box with hundreds of apps and services, delivering fast, passwordless access without friction or compromise.

We believe strong security should never be out of reach. Through our philanthropic initiative, Secure it Forward, we donate YubiKeys to nonprofits supporting at-risk communities.

Dual-headquartered in Stockholm, Sweden and Santa Clara, California, Yubico is proud to be recognized as one of TIME’s 100 Most Influential Companies and Fast Company’s Most Innovative Companies. Learn more at www.yubico.com.

Password Reuse Rampant: Despite Rising Phishing, Half of Americans Still Sharing Their Logins