Survey: 1 in 5 football fans admit to sharing passwords - putting their accounts at risk
With the FIFA World Cup 2026™ underway, an ExpressVPN survey of 6,000 football fans finds that 44% of those who have shared a password so someone else could watch sports also use that password on another account. In the U.S., that figure rises to 65%.
Sharing a password so someone else can catch a match rarely feels like a security decision, and a tournament like the FIFA World Cup 2026™ gives almost everyone a reason to ask. You send it to a friend or relative, the game ends, and everyone moves on. But the password may not stop there.
A new ExpressVPN survey of 6,000 football fans across the U.S., UK, France, Germany, Spain, and Australia found that around one in five had shared a password so someone else could watch a match or other sports content. Among those who had, 44% said the same password was also used on another account, such as email, online shopping, or banking.
That crossover was highest in the U.S., where 65% of fans who had shared a password used it elsewhere. Spain had the highest sharing rate of any market, yet American sharers were nearly twice as likely as Spanish ones to put that password to work on another account.
"The two numbers measure different things: how many fans share a password, and how often that shared password is also used on their accounts. Spain leads on the first, the U.S. on the second."
And sharing is only part of the picture. Across all six countries, around seven in 10 fans reuse the same password, or a close variation, on at least one other account, and nearly one in four have folded football into a password somewhere, drawing on a club, a player, a shirt number, a memorable year, or a stadium.
Put together, these habits map the three ways a single password can travel. It can be guessed from what a fan shows the world, exposed in one breach and tried against everything else, or simply handed to someone so they can watch the game.
Spain shares most, but U.S. fans reuse what they share
Sharing was common everywhere. Spain led, with 23.7% of fans saying they had passed a password to someone so they could watch football or other sports. Germany came next at 22.2%, the UK and France both sat close to 21%, the U.S. was lower at 18.6%, and Australia trailed at roughly 17%. What matters more, though, is what those passwords also protect. Among U.S. fans who had shared one, 65% said it was used on another account too, against 47.4% in France, 43.7% in the UK, 38.1% in Germany, 36.9% in Australia, and 34.8% in Spain.
| Country | Shared a password for sports | Among sharers, password used for another account |
|---|---|---|
| U.S. | 18.6% | 65.0% |
| France | 21.1% | 47.4% |
| UK | 21.3% | 43.7% |
| Germany | 22.2% | 38.1% |
| Australia | 16.9% | 36.9% |
| Spain | 23.7% | 34.8% |
So Spain shares the most but contains it the best, since a shared Spanish password is the least likely to reach anything else. The U.S. has fewer sharers, but the ones it has are recycling that password far more widely.
Handing over a password doesn’t automatically hand over the account. The other service might use a different username, or multi-factor authentication, or passkeys, or some other safeguard. What the survey does show is that the same secret is now in someone else's hands while still in use across the owner’s wider digital life.

And the password tends to outlive the favor. It lingers in a message thread, a browser, an autofill field, a note, or a device long after the final whistle, and the person who owns it has little idea where it’s settled or whether it has been passed along again.
Seven in 10 fans reuse passwords somewhere
The sharing numbers sit inside a much larger reuse problem. Across the six countries, about seven in 10 fans said at least one other account used the same password, or a close variation. The consistency between markets is striking:

France came out highest at 73.7%, though it, the UK, Spain, the U.S., and Germany were all bunched closely together. Australia sat lowest, and even there, two-thirds of fans were reusing a password or a variation somewhere.
That broad figure counts everyone with any reuse at all, down to fans who only do it on a "very few" accounts. Look only at those who reuse across some, most, or all of their accounts, and the number settles at just over half.
Reuse is what changes the stakes when a password leaks. Attackers take credentials leaked in one breach and run them automatically against other services, a tactic called credential stuffing.
"A password that guards only a streaming account is a contained problem. The same password guarding an inbox or bank account is not."
Email is the account that matters most here, because it is usually what resets all the others. Reuse an email password, and you put far more than the inbox on the line, even if every other account looks walled off.
“Password reuse is what allows one exposed credential to become a wider account-security problem,” warns Aaron Engel, Chief Information Security Officer at ExpressVPN. “Attackers can automatically test credentials leaked from one service against others, and email is especially valuable because it’s often used to reset access elsewhere.
“Sharing passwords increases the number of people and devices that may hold that password; in doing so, users are putting their security into the hands of others. Multi-factor authentication doesn’t undo reuse, but it can prevent a stolen password from being enough on its own.”
Younger fans are far more likely to share access
Sharing is overwhelmingly a younger habit, and in several markets, the gap between the youngest and oldest fans is enormous.
In the U.S., 34.9% of fans aged 18 to 29 had shared a password so someone else could watch sports, against 2.2% of those aged 62 to 80, making younger Americans around 16 times as likely to do it.
The UK gap is just as steep, at 35.6% of 18-to-29-year-olds against 2.1% of the oldest group, a roughly 17-fold difference.
Germany posted one of the highest young-adult rates of all, at 42.2% among 18-to-29s, with France close behind at 39.9% against 8.5% for the oldest group. Australia tells the same story, with about 26.9% of younger fans sharing against 3.4% of the oldest.
The U.S. data also hints that sharing and reuse stack up in the same young fans. Of the 30 American respondents aged 18 to 29 who had shared a password for sports, 22 said it was also used on another account. That works out to 73%, but the group is small, so it is better read as a sign of where the behavior clusters than as a firm measure of all younger American fans. The steadier national number is still the all-sharer figure of 65%.
Younger fans run most of their fandom through screens, from streaming and ticketing to social feeds and group chats, which simply creates more moments to share access in a hurry, especially once a match has kicked off and someone still can't get in.

Nearly one in four fans has put football into a password
Sharing and reuse decide how far a password travels. The password itself can also carry clues, pulled from the most public corners of a fan's identity. Nearly one in four respondents had built football-related information into a password.
The UK led at 31.2%, just ahead of Spain at 30.8%, followed by the U.S. at 25.5%, Germany at 25.4%, and France at 25%. Australia was the clear outlier at 11.2%.
| Country | Have used football information in a password |
|---|---|
| UK | 31.2% |
| Spain | 30.8% |
| U.S. | 25.5% |
| Germany | 25.4% |
| France | 25.0% |
| Australia | 11.2% |
The survey ran through the usual ingredients:
- A favorite team's name
- A club abbreviation or acronym
- A player's name or nickname
- A player's shirt number
- A memorable football-related year
- A tournament name
- A stadium name
Team names, player names, and shirt numbers kept surfacing at the top. In Spain, shirt numbers led at 11.6%, with favorite team names at 9.9% and player names or nicknames at 8.6%. In the U.S., 11.3% had used a favorite team's name, 9.9% a player's name or nickname, and 8.6% a shirt number. UK fans reached most often for a favorite team's name, at 13.2%, with almost 10% using a player's name or nickname.
The age divide shows up here as well: in Germany, 40.5% of 18-to-29-year-olds had used at least one piece of football-related information, against 11.8% of the oldest group.
"A club, a favorite player, a shirt number: these are exactly the things a fan puts on display, which makes them poor secrets."
They sit in profile pictures, posts, usernames, replica shirts, match-day photos, and ordinary conversation. None of it reveals a password by itself, but it narrows the field fast when a password is built from familiar words, numbers, and the patterns people reach for again and again.

Most football-password users think another fan could guess one
Fans who had used football-related information were then asked how easily someone who knew their football interests could guess one of their passwords. Across the six countries, 56.8% of that group said very or somewhat easy.
That is not 57% of all fans. It is 57% of the fans who had already said they used football in a password, conceding that anyone who knew their team had a useful head start.
It ran highest in the U.S., where 73.1% of football-password users thought someone who knew their interests could guess one, followed by Australia at 63%, the UK at 56.1%, France at 54.4%, Germany at 53.4%, and Spain at 46.6%.
| Country | Believe a password could be guessed¹ |
|---|---|
| U.S. | 73.1% |
| Australia | 63.0% |
| UK | 56.1% |
| France | 54.4% |
| Germany | 53.4% |
| Spain | 46.6% |
¹ Among fans who had used football-related information in a password.
These are gut checks, not technical audits, but they expose a real tension: plenty of fans know the detail they have chosen is easy to find, and lean on it anyway. Bolting a number or a symbol onto a familiar word does not necessarily fix it. A club name trailed by a shirt number or a winning year is still anchored to information sitting in plain view on public profiles, and still follows a pattern attackers expect.
The three ways one password can travel
The survey traces three separate routes a password can take out of the account it was made for.
1. It can be guessed
Football interests hand someone a shortlist of likely words, names, numbers, and dates to try. Public fandom never spells out a password, but it offers clues the moment a password follows a common pattern.
A long, random password from a password manager breaks that link entirely, since it owes nothing to whether anyone knows the fan's club, favorite player, birthday, pet, or memorable season.
2. It can be exposed and reused
Any service can be breached, no matter how careful its users are. If the exposed password is unique, the damage mostly stays put.
Reuse widens it, because the same password, or a near-match, may open other doors. Attackers test leaked credentials at scale, and they lean hardest on services where multi-factor authentication is switched off.
3. It can be shared voluntarily
A password does not have to be stolen or guessed if its owner simply sends it on. The recipient may be completely trustworthy, yet the password can still come to rest on a device, or inside an account, the owner has no control over.
A friend types it into a shared television, lets a browser save it, or hands it to another relative, none of them aware that the same password matters somewhere far more important.
And the routes overlap. One football-themed password can be easy to guess, reused across several accounts, and shared with someone else, all at once.

Why the World Cup raises the stakes
A major tournament doesn’t invent password sharing or reuse, but it changes the threat model. The FIFA World Cup 2026™ gives fans more reasons to open accounts, log in on the move, share streaming access, chase ticket news, and reply to messages in a hurry.
The passwords they share already sit on more than one device, the ones they reuse already work in more than one place, and the football-themed ones are already half-guessable from what they post in public.
All an attacker still needs is a believable reason to get in touch, and the World Cup supplies an endless run of them: ticket and travel updates, streaming glitches, subscription notices, match alerts, account-verification messages.
Live sport adds urgency on top. A fan scrambling to join a stream after kickoff is not about to slow down, study a login page, rework a reused password, or weigh up what else that one credential protects.
"A fake login page never has to break a service's security. It only has to coax a fan into typing a password that may also work somewhere else."
Email reuse is what makes that especially dangerous, since whoever holds the inbox can often reset the password on everything attached to it.
Sharing piles on one more layer. You can lock down your own devices and spot a suspicious message instantly, and still have no say over the security of every other device where someone else has typed or saved your password.
How the six countries compare
No single market leads on risky behavior.
| Country | Used football in a password | Believe it could be guessed¹ | Reuse on at least one account | Shared a password for sports | Shared password used elsewhere² |
|---|---|---|---|---|---|
| U.S. | 25.5% | 73.1% | 71.7% | 18.6% | 65.0% |
| UK | 31.2% | 56.1% | 73.3% | 21.3% | 43.7% |
| France | 25.0% | 54.4% | 73.7% | 21.1% | 47.4% |
| Germany | 25.4% | 53.4% | 71.1% | 22.2% | 38.1% |
| Spain | 30.8% | 46.6% | 72.5% | 23.7% | 34.8% |
| Australia | 11.2% | 63.0% | 66.6% | 16.9% | 36.9% |
¹ Among respondents who had used football-related information in a password.
² Among respondents who had shared a password so somebody else could watch sports.
Spain shares the most, yet its sharers are the least likely to use that password anywhere else. The U.S. shares less, but what it shares travels furthest. The UK and Spain lead on putting football into passwords in the first place, while France edges the field on overall reuse, if only just. Australia is the outlier on football-themed passwords, using them at less than half the rate of any other market, and yet two-thirds of Australian fans still reuse a password or a close variation somewhere, which is the exposure that counts most day to day.
It all adds up to one point: there is no single “riskiest” country here. Each market mixes sharing, reuse, and predictable password-building in its own way.
Four ways to protect your accounts during the FIFA World Cup 2026™
The tournament drops fans into exactly the situations where these habits do the most damage. Engel's advice:
1. Give important accounts their own passwords
The best defense against credential stuffing is a different password for every service. Begin with the accounts that can unlock everything else. Your email, banking, cloud storage, mobile account, and main social profiles should never share a password with a streaming or sports service. Get that right and a breach at one company stops causing damage at the others.
2. Use a password manager, MFA, and passkeys
Unique passwords are impossible to keep up with if you are trying to remember them all. A password manager generates and stores long, random ones for you, with no team names, players, shirt numbers, or birthdays involved. ExpressKeys, ExpressVPN's password manager, does exactly that across all your accounts.
Multi-factor authentication then adds a second check whenever someone signs in with a password, which matters most on email and anything else that can reset access elsewhere. And where you can use them, passkeys offer a passwordless option that resists most common phishing.
3. Never share a password that’s used anywhere else
Treat any password you send to another person as no longer private. It should open only the account you are sharing, and never match the one on your email, your shopping, your bank, or anything else that matters.
Where a service offers household, family, profile, or delegated-access options, use those instead, and some password managers can share access in a controlled way, too.
4. Be cautious with tournament messages
Messages about tickets, streaming, travel, match alerts, and account verification will all feel routine during the World Cup, and that is exactly what makes them such useful phishing cover. Be wary of unexpected links. Reach an important account through its official app, or by typing the address yourself, rather than tapping through a message.
If you enter a password on a page that turns out to be suspicious, or it surfaces in a breach, or it gets shared more widely than you meant, change it straight away, then hunt down every other account using the same password or a close variation and give each one its own. Strong, unique passwords don't need changing on a set schedule. Change them when there's a reason to think they've been exposed.
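One way to carry out that last step, as an added example that is not part of the ExpressVPN article: a local audit over a password-manager export that groups accounts sharing a password or a close variation, listing groups that touch email or banking first. The vault layout, account labels, and passwords are constructed, and the "close variation" rule (ignore case, common character swaps, and leading or trailing digits and symbols) is an assumption, since the survey does not define one.

```python
import re
from collections import defaultdict

# Undo common character swaps so "r3dl10ns" and "Redlions" compare equal.
LEET = str.maketrans("013457@$!", "oieastasi")
# Account kinds treated as able to unlock others (assumed labels).
HIGH_VALUE = {"email", "banking"}

# Constructed sample export: (account, kind, password).
SAMPLE = [
    ("streaming", "media", "Redlions10!"),
    ("email", "email", "Redlions10!"),
    ("shop", "shopping", "r3dl10ns2026"),
    ("bank", "banking", "kX9#vQ2m!Lr7pWz4"),
    ("forum", "social", "Harbour#77"),
    ("tickets", "ticketing", "harbour1998"),
]

def skeleton(password):
    """Reduce a password to the part a close variation usually keeps."""
    # Strip leading/trailing digits and symbols first, then undo swaps.
    core = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", password)
    return core.lower().translate(LEET)

def audit(vault):
    """Return groups of accounts whose passwords match or nearly match."""
    groups = defaultdict(list)
    for account, kind, password in vault:
        # All-digit or all-symbol passwords have no skeleton: match exactly.
        groups[skeleton(password) or password].append((account, kind, password))
    findings = []
    for members in groups.values():
        if len(members) < 2:
            continue  # unique password, nothing to report
        distinct = {pw for _, _, pw in members}
        findings.append({
            "accounts": sorted(a for a, _, _ in members),
            "type": "exact" if len(distinct) == 1 else "variation",
            "high_value": any(k in HIGH_VALUE for _, k, _ in members),
        })
    # Groups touching email or banking come first: change those first.
    return sorted(findings, key=lambda f: (not f["high_value"], f["accounts"]))

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run it only on a machine you control, and delete the plaintext export afterwards.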
Methodology
ExpressVPN commissioned this survey in May 2026 with online market research provider Pollfish. It surveyed 6,000 people who follow football or soccer closely or casually, 1,000 in each of the United States, United Kingdom, France, Germany, Spain, and Australia. Some questions allowed more than one answer, and percentages may not total 100% because of rounding.
Three questions went to the full national samples: whether respondents had used football-related information in a password, whether they reuse passwords, and whether they had shared a password so someone else could watch sports. Two were asked only of subgroups, so their bases are narrower. The guessability question went only to fans who had already named a football-related element, so those results describe football-password users, not all fans. The question about whether a shared password was used elsewhere went only to fans who had shared one; it referred to the same password, gave email, shopping, and banking as examples, and did not establish which account was involved or that the full login credentials matched.
On reuse, the seven-in-10 figure counts anyone reusing a password or close variation on all, most, some, or very few accounts; excluding “very few” brings it to just over half. The finding that 73% of younger U.S. sharers reused the password elsewhere rests on 22 of 30 respondents aged 18 to 29 who had shared one, and should be read as a small-subgroup signal.
ExpressVPN is a proud Official Supporter of FIFA World Cup 2026™.