Password Party’s Over: Nearly 50% of Americans Continue to Re-use Passwords Despite Phishing Attacks on the Rise

Ryan Schin

Ryan Schin

5 minute read

New Survey from Yubico Reveals which U.S. Cities are the Savviest (and Laziest) when it Comes to Cybersecurity

STOCKHOLM, SWEDEN and SANTA CLARA, CA — August 19, 2025 — A new survey from Yubico (NASDAQ STOCKHOLM: YUBICO), a modern cybersecurity company on a mission to make the internet safer for everyone, today reveals a tale of two cities – or, more accurately, ten. While New Yorkers rush to catch a train and Californians are stuck in traffic, nearly half of Americans (48%) are still stuck using the same password for multiple online accounts. Even worse? When asked what they think is the most secure method, only 3% believed in using a hardware security key which is considered to be the most effective tool available to stop phishing.

Conducted by Talker Research, the survey of online habits across the top 10 U.S. metro markets reveals a nation that thinks it’s security-savvy but is still making rookie mistakes. From password reuse to overconfidence in spotting AI-enhanced phishing scams, here’s a look at which cities are winning the security game – and which ones need to step it up.

“Yubico’s survey reveals a wake-up call: many people have a false sense of security when it comes to their online accounts being protected,” said Ronnie Manning, Yubico’s chief brand advocate. “They are overconfident in their safety, yet they still hold on to risky habits that can be tempting for today’s modern hackers. The YubiKey isn’t just a product; it’s a statement that proves your security is non-negotiable. It gives you the power to secure your entire digital life with one simple, human touch.”

The City Showdown: Who Needs a Digital Pep Talk?

  • New York vs. Los Angeles: Over 48% of all respondents admitting to reusing passwords, we can only imagine the number of New Yorkers who are using the same password for their finance app as they are for their favorite bodega rewards program. And in LA, where the traffic is a constant grind, maybe it’s not a surprise that password updates are a rarity, with 19% only changing them when they are prompted or have experienced a security incident. 
  • Seattle vs. Denver vs. San Francisco Bay Area: Tech-giant cities Seattle and San Francisco agree: MFA is used by 70% of Seattleites and 67% of San Franciscans. In fact, San Franciscans take it a step further with 64% setting up passkeys whenever available. Meanwhile, their competitor for top U.S. tech hub, Denver, lags behind- being one of the most likely to use the same password for multiple accounts (50%) and to admit to not using any specific security methods beyond basic passwords (11%).
  • Chicago vs. Atlanta: While a significant portion of consumers believe that strong, unique passwords are the most secure method (22%), they’re missing the bigger picture. Atlanta, meanwhile, is on the rise, with 62% of consumers actively turning on MFA when available. Looks like southern hospitality includes protecting your friends from getting hacked.
  • Dallas-Fort Worth vs. Houston: Does anyone in the Lone Star State still use their pet’s name for a password? A surprising 13% of all respondents admitted to doing so. Let’s make security as big as everything else in Texas!
  • Washington D.C. vs. New York City: The survey shows that 42% of people in Washington, D.C., are worried about their financial institutions being hacked. The cities are neck and neck when it comes to adopting passkeys, with 61% of  New Yorkers and 62% of D.C. area residents setting-up the technology to protect their online accounts. 

The survey also found that despite a majority (62%) feeling confident they can spot a phishing attack, 39% reported experiencing a cybersecurity incident in the last year.

With over 64% of people turning on MFA, the momentum is there, but most are still using less secure methods like text message codes. The fact remains that the only 2FA method to defend against phishing attacks 100% of the time is a hardware security key.

For more survey insights, see here.

——

From July 10 to July 21, 2025, Talker Research surveyed 5,000 Americans from the following locations:

  • New York-Newark-Jersey City, NY-NJ-PA
  • Chicago-Naperville-Elgin, IL-IN-WI
  • Dallas-Fort Worth-Arlington, TX
  • Houston-The Woodlands-Sugar Land, TX
  • Atlanta-Sandy Springs-Alpharetta, GA
  • Washington-Arlington-Alexandria, DC-VA-MD-WV
  • Los Angeles-Long Beach-Anaheim, CA
  • Denver-Aurora-Lakewood, CO
  • San Francisco-Oakland-Berkeley-San Jose-Santa Clara, CA
  • Seattle-Tacoma-Bellevue, WA

###

About Yubico

Yubico (Nasdaq Stockholm: YUBICO) is a modern cybersecurity company on a mission to make the internet safer for everyone. As the inventor of the YubiKey, we set the gold standard for modern phishing-resistant, hardware-backed authentication, stopping account takeovers and making secure logins simple.

Since 2007, we’ve helped shape global authentication standards, co-creating FIDO2, WebAuthn, and FIDO U2F, and introduced the original passkey. Today, our passkey technology secures people and organizations in over 160 countries—transforming how digital identity is protected from onboarding to account recovery.

Trusted by the world’s most security-conscious brands, governments, and institutions, YubiKeys work out of the box with hundreds of apps and services, delivering fast, passwordless access without friction or compromise. 

We believe strong security should never be out of reach. Through our philanthropic initiative, Secure it Forward, we donate YubiKeys to nonprofits supporting at-risk communities.

Dual-headquartered in Stockholm, Sweden and Santa Clara, California, Yubico is proud to be recognized as one of TIME’s 100 Most Influential Companies and Fast Company’s Most Innovative Companies. Learn more at www.yubico.com.

Share this article:
  • Securing the skies with YubiKeys: Insights on cyber resilience in the aviation industry and beyondIn an increasingly interconnected world, the landscape of cybersecurity is constantly evolving. Bad actors are becoming more sophisticated, leveraging tactics like phishing and ransomware to exploit human error and weak credentials. This makes robust cybersecurity a universal issue, impacting everyone from individuals to the largest global enterprises – especially those in high-stakes sectors like commercial […]Read morecyber resilienceEUmanufacturingQ&A
  • Future-proofing authentication: A look at the future of post-quantum cryptographyThe path from passwords to passkeys and beyond In a previous blog I talked about the end of passwords and the rise of passkeys, which promise stronger security and less frustration for both individuals and businesses. The global momentum behind passkeys represents one of the most exciting shifts in authentication history, but realizing their full […]Read more
  • Goodbye master passwords: Dashlane and Yubico enhance credential vault encryption and login with YubiKeysAt Authenticate 2025 this week, the world’s leading experts on modern authentication and securing digital identities gathered, to discuss the future of secure authentication and achieving usable security across the account lifecycle. The message was clear: the future of phishing-resistant authentication is using passkeys for encryption, and the gold standard is device-bound passkeys – YubiKeys. […]Read morecredential vault encryptioncredential vault loginDashlanepartnerpasskey encryptionPRF
  • Piloting Europe’s future ID: Passkeys securing digital walletsOver the last several years, passkeys have become ubiquitous. They are available on every mobile platform, in every leading browser, as part of all major enterprise IAM solutions, and in most major cloud services. Until wwWallet came along, the only place where passkeys hadn’t yet made an impact is in the rapidly developing world of […]Read moredigital identity walletspasskeysSIROSwwWallet