Password Security Still Stuck in 2015, Experts Warn

Password habits appear to be improving, but not nearly fast enough to protect users from account takeovers and credential theft, security experts say. According to recent analysis, many people still reuse passwords, pick weak credentials, or rely solely on single-factor authentication — behaviors that mirror patterns seen as far back as 2015.

What’s changed is incremental rather than transformational. Basic awareness of password hygiene has grown: more users now understand the value of unique passwords and longer phrases. Still, large segments of the population stick with easily guessable passwords, and the uptake of stronger, phishing-resistant solutions remains sluggish.

Experts highlight two concrete shortfalls. First, password reuse across sites continues to be a primary vector for credential-stuffing attacks; when one service is breached, attackers try those same credentials elsewhere. Second, adoption of modern alternatives such as passkeys and wide-scale multifactor authentication (MFA) is uneven. Many services either don’t offer these options or present friction that discourages users from enabling them.

Companies also bear responsibility. Security teams are urged to remove outdated password-only workflows, implement stronger default protections, and simplify account recovery methods that don’t compromise security. Usability improvements matter: if safer choices are easier and less disruptive, users are more likely to switch.

For everyday users, practical steps include switching to a reputable password manager, enabling MFA where possible, and moving to phishing-resistant logins like passkeys when available. Those measures can drastically reduce the chance of compromise even if a single password is exposed.

In short, progress is visible but slow. The security community says a sharper push from both service providers and users is needed to bring credential safety into the modern era.