America’s Best and Worst Password Security Habits

Cybersecurity is more critical than ever, now that we’re living in a digital world where anyone and everything is up for grabs in the eyes of hackers. Password security is the most common form of safe cybersecurity the everyday American can practice. But just how good are we with our passwords? “12345” is no longer cutting it. 

To evaluate how well Americans are managing their passwords, we conducted a nationwide study that revealed their current prevailing password practices and which states exhibit the best and worst password habits according to the following factors: password re-usage, password variation, auto-generated password, password character length, and password duration.

Key Findings:

  • 73.6% of Americans admit to reusing the same password for multiple accounts.
  • Auto-generated passwords are not commonly practiced, as 66.7% don’t use them.
  • The average American has 27.6 passwords.
  • Rhode Island ranked the best state for password security habits; with Wisconsin ranked the worst.

America’s password habits: from reuse to forgetfulness

Have you ever experienced password fatigue? It’s when you encounter an overwhelming sensation as you’re juggling numerous passwords for countless accounts. This fatigue often leads people to resort to a more, simple password and/or reuse of said password. Let’s look into how Americans currently handle their passwords.

Reduce, reuse, recycle – but not your passwords! Shockingly, 73.6% of Americans confess to recycling their passwords across various accounts – a practice many cybersecurity experts deem unsafe. To magnify the problem even more, another 79.1% admit to using variations of their most-used password for multiple accounts as well. Let’s leave the 3 ‘R’s to the real world, rather than the digital world.

On the brighter side, 33.3% of Americans are working smarter, not harder, by utilizing auto-generated passwords. These password generators incorporate a mix of numbers, upper and lower-case letters, and special characters. Worried about memorizing such funky codes? Don’t fret, that’s where password managers swoop in to save the day (and our brains). Nearly half (45.0%) of respondents currently use a password manager to organize and securely access their accounts efficiently.

Almost half (41.2%) of respondents tend to stick to passwords with 9-11 characters. Although it’s not too shabby, experts recommend a minimum of 12 characters for resilient security – 39.1% of Americans do meet this criterion, boasting a password length of 12+ characters. On the other end, 18.7% settle for 7-8 characters, while 1.1% choose to play it risky with passwords under 6 characters.

The cardinal rule of password creation is to never include any form of personal information – be it your name, birthday, email address, or username. Luckily, 76.3% adhere to this rule, steering clear of any personal details in their passwords. The average respondent also manages about 27.6 passwords. This may seem like a lot, but cybersecurity experts recommend using a unique person per account. Perhaps it’s a case of “the more, the merrier?”

35.9% of respondents forget their passwords infrequently, while 17.3% occasionally draw a blank a few times a month. However, another 17.3% boast an impeccable memory claiming to never forget their passwords. On the other hand, 14.1% fail to remember passwords about once a month. Luckily, only 8.7% wrestle with weekly forgetfulness, and 6.6% once a week.

Cybersecurity professionals also advocate for periodic (about 3-6 months) password changes to prevent potential hacks. This recommendation must’ve gotten lost in the (junk) mail as 43.0% have not updated their passwords in over 5+ years! Another 21.5% have persisted with the same password for 1-3 years, and 16.1% for 3-5 years. Only 9.8% update passwords after the 6-12 month mark. A mere 7.9% of respondents follow the recommendation, rotating passwords every 1-6 months; while 1.8% do so monthly.

Best states for password security

To determine which states are the best and worst in terms of their password security, we took our respondents’ answers and their resident states into a weighted scoring system that considered the following: password re-usage, password variation, auto-generated password, password character length, and password duration.

Rhode Island serves as an exemplary example when it comes to password security, boasting a perfect score of 100 out of 100. Only a minute 12.5% of Rhode Island respondents commit the cardinal sin of password reuse for multiple accounts; while 62.5% don’t bother creating variations of their passwords. Half of the state’s residents have embraced auto-generated passwords, and 12.5% do their due diligence of changing passwords every few months. 

Louisiana ranks second best in password practices, with an overall score of 83.62. Unlike Rhode Island, a substantial 61.9% admit to password reuse, but redeem themselves as 66.6% avoid the temptation to password variations. Only 38.0% utilize auto-generated passwords. Interestingly, Louisiana excels in the password characters category, outperforming Rhode Island – with 66.6% exceeding the recommended 12-character count. 14.2% only update their passwords frequently, lagging slightly behind Rhode Island.

Maine clinches the bronze medal, with a total score of 59.82. The state closely mirrors Louisiana in most categories, with one notable exception. While they (28.5%) fall short in password variation, they’re the highest scorers in the password update frequency category – scoring another 28.5% for their commitment. 

To finish the top five list, Maryland secured fourth place with a respectable score of 46.57, and New Mexico in fifth accumulating 46.03 points. These states also showcased good password security practices, contributing to the collective effort to reinforce cybersecurity across the nation. 

Pass-ing the baton to…the worst states

Wisconsin finds itself (way) less renowned for its password practices, ranking at the bottom with a score of 0. An alarming 80.0% of Wisconsinites fall into the trap of reusing passwords and failing to avoid password variations. Only about a quarter (26.6%) utilize a password generator, while only 23.3% meet the recommended 12+ characters in their passwords. A shy 6.6% adhere to the “out with the old, in with the new” mantra by updating their passwords regularly. Perhaps, the Cheese State should be grate-ful for experiencing minimal hacking.

“Oh what a beautiful morning, what a beautiful day…” to be ranked second-to-last for the state of Oklahoma. Their total score of 1.04 is due to their high password repetition (83.33%) and password variation (83.34%). Only 16.6% of Okies opt for auto-generated passwords, especially as 33.3 wield passwords of 12 characters or more. About 8.3% frequently upgrade a password every few months.

Looking for some Southern (tech) gossip? Look no further as Mississippi finds itself third to last, with a score of 1.79. A whopping 71.4% admit to repeating a password or two across multiple accounts, and 78.5% use a modification of their primary password. Auto-generated passwords only account for 28.5% of this southern state. Compared to the rest of the nation, Mississippi scored the lowest in password character count, as only 12.2% adopt passwords with 12+ characters. Additionally, 7.14% of the state’s population updates passwords regularly. Now that’s some (Southern iced) tea!

Completing the bottom five list, sweet home Alabama ranks fourth to last with a score of 3.94, and Nevada fifth to last, scoring a 6.26. These states complete the list of regions with room for improvement in password security.

Despite the shortcomings in certain states, the overall picture of America’s password habits is moderately positive. Fortunately, the recommended password practices are fairly straightforward and easy to integrate into our daily routines. There’s always room for improvement and potential for becoming a stronger password security nation. 

Methodology

In April 2024, we surveyed 2,000 U.S. residents about their current password safety habits. Through this, we were able to create a weighted scoring system that considered the following factors:

  • How often they reuse a password for multiple accounts
  • What % doesn’t use a variation of a password for multiple accounts
  • What % uses auto-generated passwords
  • If their most-used password is 12+ characters
  • What % frequently updates their password every few months

Each U.S. state was scored on a scale of 0-100 to find the best and worst ranking. The following states were not accounted for as there was an insufficient amount of data: Alaska, District of Columbia, Hawaii, Idaho, Montana, Nebraska, North Dakota, South Dakota, Vermont, and Wyoming. 

The average age of respondents was 39.2 years old. The representative sample comprised of 48.8% male, 48.8% female, 1.7% non-binary, 0.4% transgender, and 0.3% other. 

Fair use

Feel free to use the data or visuals on this page for non-commercial purposes. Please be sure to include proper attribution linking back to this page to give credit to the authors. 

For any press questions, please contact rhiannon.odonohoe[at]casino.org