Baby Boomers beat Gen Z in password hygiene, but both generations still don’t stick to the best practices — and many people are still using decades-old passwords that they made as kids
The number of passwords is in decline, but password security is still shaky
- NordPass study claims older generations are more likely to change passwords than younger generations
- But younger users are more in tune with password storage services, preferring to use password managers over memory and writing them down
- All generations are failing to adhere to the best practices when it comes to password hygiene
Many people may believe Gen Z are the best when it comes to adopting new tech, but a new study by NordPass polling 7,861 respondents between the ages of 18-74 suggests that they might be the worst generation for password hygiene.
It’s not uncommon for people to pick a particular word or phrase as a password and alternate special characters, numbers, and capital letters to keep it ‘unique’, but this practice is weakened when the same central password is used for years—or even decades.
In fact, Gen Z has been found to be the generation least likely to change a password, while Baby Boomers are the most security-conscious, actively updating their passwords much more frequently.
Baby Boomers value security
When breaking down the stats, NordPass found just 54% of respondents had changed their longest-standing password in the last 12 months. Those aged 18-24 were the least likely to say they had updated their password within the last year, while those in older brackets, particularly between 55-to-64, were the most likely to update their passwords.
But there is a further trend to be examined. While those in the older age brackets are more likely to update their passwords, they rely on memory or physically writing down their passwords for storage. And those in the younger, more tech-savvy age brackets were more likely to rely on browser-based password storage or third-party password managers.
Writing down passwords or relying on memory often leads to the reuse of passwords to keep them memorable and easy to type, increasing the risk that personal accounts could be breached in the event of a cyberattack. While the average number of password has dropped from 168 in 2024 to 120 in 2026, this still leaves the average person with a significant number of possibly reused passwords that could leak, potentially compromising every account they are used on.
Opting for the convenience of a browser-based password manager also introduces additional risk, as these password vaults often aren’t subjected to the same security protocols as third-party password manager apps.
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
In fact, another recent NordPass study highlighted that browser-based passwords are at a significantly higher chance of being leaked or stolen thanks to malware, browser compromise, or physical access to the computer.
This is especially true for those using a browser-based password manager alongside a third-party app, because if the browser is compromised there is little you can do to protect your stored passwords.
“I’m fairly certain most internet users know they should immediately change a password that has been compromised,” said Karolis Arbaciauskas, head of product at cybersecurity company NordPass.
“So when people say they haven’t changed a password in years, either the password hasn’t been exposed, or they simply don’t know it has. I hate to be a bearer of bad news, but the second scenario is far more likely. Without tools to notify them when credentials appear in leaks or breaches, many users have passwords aging in the background while the risk grows.”
How to keep your passwords as secure as possible
There are many ways to create a secure password. These are my expert recommendations for maximizing your password security:
- Your password should be at least 15 characters long
- Rather than relying on a memorable phrase or key date, use a string of random words such as the NIST example of ‘cassette-lava-baby’
- Add in some random capitalization, numbers, and special characters, but avoid replacing certain letters with predictable special characters (such as ‘@’ for ‘a’, ‘$’ for ‘s’, and so on)
- If you are forced to regularly change a password as many people are forced to do in the workplace, always use a new, unique password, rather than relying on ‘Summer12345’ followed by ‘Autumn12345’
- Wherever possible, use an authenticator app. This can range from an app on your phone that you use to approve a login or a physical security key that you keep on your person. Many authenticators use phishing resistant passkeys that authenticate your login attempts by using your facial scan or a fingerprint
- Use a password manager to store your passwords securely. They also add the benefit of being able to autofill your credentials for you
- Use a credential exposure checking service such as Have I Been Pwned to securely check if your email address or passwords have shown up in any dark web databases
- Delete any online accounts you no longer use. If the service suffers a data breach, it could leak your username and password combination
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.

Benedict is a Senior Security Writer at TechRadar Pro, where he has specialized in covering the intersection of geopolitics, cyber-warfare, and business security.
Benedict provides detailed analysis on state-sponsored threat actors, APT groups, and the protection of critical national infrastructure, with his reporting bridging the gap between technical threat intelligence and B2B security strategy.
Benedict holds an MA (Distinction) in Security, Intelligence, and Diplomacy from the University of Buckingham Centre for Security and Intelligence Studies (BUCSIS), with his specialization providing him with a robust academic framework for deconstructing complex international conflicts and intelligence operations, and the ability to translate intricate security data into actionable insights.
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.