For the first time since NordPass began tracking password habits in 2020, the average number of passwords people manage has fallen. New research published in May 2026 shows users now handle approximately 120 personal and 67 work-related passwords — down from a peak of 168 personal and 87 work passwords in 2024. The reason behind the decline points to a meaningful shift in how people authenticate online.
Six Years of Growth, Then a Reversal
When NordPass first measured password counts in February 2020, users averaged around 80 passwords. Within eight months — as the pandemic drove a surge in digital services, remote working tools, and online accounts — that figure jumped 25% to 100. By 2024 it had reached 168 personal and 87 work passwords per person.
The 2026 data shows a clear drop: 120 personal passwords and 67 work passwords. Karolis Arbačiauskas, head of product at NordPass, described the finding as “a bit surprising, given the global growth in digital services and accounts.”
Why the Number Is Falling
The research identifies three factors driving the decline:
- Single Sign-On (SSO) adoption — Signing in with Google, Apple, or Facebook credentials replaces the need to create and remember separate passwords for individual services, consolidating multiple accounts under one login.
- Passkeys — The FIDO2-based passkey standard, supported by Apple, Google, Microsoft, and a growing list of services, replaces passwords entirely with device-based cryptographic authentication. Users authenticate with Face ID, a fingerprint, or a PIN — and no password is ever created, stored, or potentially stolen.
- Biometric authentication — Face ID, fingerprint readers, and Windows Hello are replacing typed passwords for device and application access, reducing the total number of passwords in active use.
The Problem That Remains: Reuse
Fewer passwords is only good news if the passwords that remain are strong and unique. The research also finds that around 60% of Americans and Britons reuse passwords across multiple accounts. Password reuse is one of the most dangerous habits in cybersecurity: a single breach of any service you use can hand attackers working credentials for every other account where you use the same password.
This is the attack pattern behind credential stuffing — where attackers take leaked username and password pairs from one breach and systematically test them against banks, email providers, Microsoft 365, and other high-value targets. Reuse is the root cause that makes these attacks so effective.
The Expert Recommendation: Move to Passkeys
Arbačiauskas is direct in his recommendation: “Personally, I would recommend replacing passwords with passkeys. In my view, they are currently the most secure and convenient authentication and login tool available on the market.”
Passkeys are resistant to phishing (there is no password to steal or intercept), brute force (no shared secret exists to guess), and credential stuffing (each passkey is unique to the service and device). Major platforms including Microsoft 365, Google Workspace, Apple ID, GitHub, and many others already support passkeys.
What Businesses Should Do
- Audit password reuse across your team. A password audit tool or a dark-web credential monitoring service can identify whether any staff credentials have appeared in known breaches.
- Deploy a business password manager. For passwords that cannot yet be replaced with passkeys or SSO, a managed password manager ensures every account has a unique, complex credential — without placing the burden on employees to remember them.
- Enable passkeys wherever your platforms support them. Microsoft 365, Google Workspace, and GitHub all support passkeys. Enabling them removes the password attack surface entirely for those services.
- Enforce MFA as a minimum baseline. While passkeys are the gold standard, MFA on all accounts is the essential first step for any organisation that has not yet moved beyond passwords.
If you would like help reviewing your organisation’s authentication posture or implementing a password management or passkey rollout, get in touch with BIT Tech.
