Millions of UK adults reuse passwords, survey warns

DTP Group has published new survey findings on password reuse among UK adults, as executives from Roboshadow and Mimecast warn that attackers are increasingly exploiting human behaviour and weak cyber discipline rather than password strength alone.

The Leeds-based company found that one in eight UK adults, or 12.45 per cent of respondents, use a single password across every account. Censuswide surveyed 1,000 UK adults, and the results were extrapolated using an Office for National Statistics estimate of 54 million adults.

Applied nationally, the data suggests more than six million people in the UK could rely on a single credential across email, banking, shopping and social media. Just 19.12 per cent said they use a unique password for every account, implying that around four in five adults reuse passwords to some degree.

More than a third of respondents, 36.23 per cent, said they rely on between one and three passwords for all their online services. Nearly 60 per cent use six or fewer passwords in total, a pattern that could leave an estimated 32 million people vulnerable if one breached service exposes other accounts.

The number of digital services people manage has grown faster than the number of unique passwords they use. DTP found that 69 per cent of respondents manage between one and 20 password-protected accounts, while only a minority maintain enough distinct passwords to cover them all.

Official fraud statistics point to a related rise in account compromise. Action Fraud recorded 35,434 reports of social media and email account breaches in 2024, up from 22,500 a year earlier. Investigators and industry analysts often cite weak or reused credentials as a root cause.

Security leaders argue that the conversation around World Password Day now extends beyond password complexity rules. Roboshadow Founder and Chief Executive Terry Lewis said modern tools give organisations more visibility into attempted intrusions, but only if they are used consistently.

“World Password Day made sense when passwords were the front line of security, but in 2026, that’s no longer the case.”

“Today, most organisations already have access to enterprise-grade security by default. Multifactor authentication is widely available, passkeys are native to modern devices, and hardware-backed protections like TPM are standard. The issue isn’t technology. It’s discipline, and whether organisations use it consistently.”

“In the AI era, attackers aren’t manually guessing passwords. They’re using automation to continuously scan, probe and enumerate environments at scale. Whether it’s a weak credential, an exposed API key, or a forgotten device, anything visible will eventually be tested.”

“The real shift is that enumeration is no longer silent, and organisations can detect it.

“Modern security tooling, including SIEM and SOC capabilities, is now more accessible than ever. That means organisations can see when accounts are probed, when credentials are tested, and when unusual authentication patterns emerge, even in environments using MFA or passkeys. AI hasn’t broken security, but it has dramatically increased the volume and persistence of these attempts. It creates constant background noise from systems being tested, credentials being tried and access points being explored.

“The organisations that win aren’t those with the most complex or longest password policies. They are the ones that can see this activity, understand it and respond quickly.

“In 2026, security isn’t about better passwords. It’s about cyber discipline and the everyday operational habits that keep environments clean, visible and resilient.”

Industry attention has also shifted to how employees respond to phishing attempts and fake login prompts designed to harvest credentials. Mimecast Field Chief Information Security Officer Beth Miller said the quality and timing of these lures have improved as attackers adopt generative AI.

“World Password Day is a useful moment, but the industry keeps having the wrong conversation. The question was never ‘are your passwords strong enough?’ It’s ‘why do attackers keep getting through even when they are?’” Miller said.

“AI has changed the equation. The fake login pages I’m seeing now are indistinguishable from the real thing. The lures are contextually accurate, timed well, and crafted to exploit exactly the pressure employees are already under. Credential theft isn’t a technical failure – it’s a behavioural one, and we’ve been slow to treat it that way.”

“Our State of Human Risk data exposes a three-part problem. First, 91% of organisations acknowledge obstacles to employee compliance – they know their people are a risk factor. Second, 96% recognise their protection is incomplete – they know their defences have gaps. Third, nearly three-quarters are still running fragmented defences where people-focused and technology-focused controls never talk to each other. Attackers don’t exploit what organisations fail to see. They exploit what organisations see but fail to connect. That gap – between recognition and action – is where incidents happen.”

“Passwords aren’t going away, and proper password hygiene still matters. But hygiene alone isn’t a strategy. What organisations need is the combination: identity protection at the access layer, real-time detection at the technical layer, and behavioural instrumentation at the human layer. The third is the most underinvested. It is also exactly where attackers are focused.”

Copyright © 2026 Oxinfo.co.uk. All rights reserved.