Photo by Ben Hensley | John Kotman is founder of Kotman Technology.

An online digital password manager system is warning that Americans remain vulnerable to hacks and account breaches as a new nationwide survey has found widespread use of weak, reused and predictable passwords.

PasswordManager.com released the study, which found that 84% of the 1,500 adults surveyed do not use unique passwords for each account. The survey, conducted in December 2025, also found 65% of participants admitted to using predictable patterns or personal information in their passwords, with 26% using simple number or letter patterns, 22% using birth years or dates, and 20% using family or pet names.

Six percent of respondents even included the word “password” in one or more passwords.

Despite these habits, just 5% of survey respondents rated their passwords as “very risky,” with 63% saying their passwords are “not very risky” or “not risky at all.”

The survey found that many Americans delay changing passwords due to inconvenience or worries of forgetting new passwords. Around half of respondents admitted to not updating passwords more often because they fear forgetting new ones, with nearly a third of participants adding that they did not find it necessary to change passwords.

“The best practice is having a complex and unique password for each account; however, remembering that many passwords is essentially impossible,” said information systems and cybersecurity expert Gunnar Kallstrom.

Fresno-based cybersecurity firm Kotman Technology sees similar trends. Founder Jon Kotman said one of the biggest vulnerabilities remains password reuse across multiple accounts.

“I’d say the biggest one is that when you reuse the password, the security of that password is really only as secure as the least secure place you use it,” Kotman said. “If your password is stolen from a given website, it potentially could be used someplace else.”

Kotman said small variations in reused passwords are also predictable for cybercriminals.

“They would have a password, and at the end if it’s their Wells Fargo password, they’d put ‘WF’ at the end,” he said. “But criminals can really kind of figure that out as well too.”

Kotman recommended password managers for uniqueness and scale, adding that generators can create passwords up to 100 characters long and are secured with a master password and two-factor authentication.

When large-scale password security breaches occur, 22% of respondents neglected to immediately change their passwords.

The survey also found growing awareness of newer security measures. More than half of respondents (67%) view two-factor authentication positively, while nearly three-quarters revealed awareness of passkeys — an emerging technology that replaces passwords with biometric authentication or security keys stored on devices. Sixty-six percent said they would be open to switching to passkey services.