Text passwords—a frequent vector for account compromise, yet still ubiquitous—have been studied for decades by researchers attempting to determine how to coerce users to create passwords that are hard for aackers to guess but still easy for users to type and memorize. Most studies examine one password or a small number of passwords per user, and studies oen rely on passwords created solely for the purpose of the study or on passwords protecting low-value accounts. ese limitations severely constrain our understanding of password security in practice, including the extent and nature of password reuse, password behaviors specic to categories of accounts (e.g., nancial websites), and the eect of password managers and other privacy tools. In this paper we report on an in situ study of 154 participants over an average of 147 days each. Participants’ computers were instrumented—with careful aention to privacy—to record detailed information about password characteristics and usage, as well as many other computing behaviors such as use of security and privacy web browser extensions. is data allows a more accurate analysis of password characteristics and behaviors across the full range of participants’ web-based accounts. Examples of our ndings are that the use of symbols and digits in passwords predicts increased likelihood of reuse, while increased password strength predicts decreased likelihood of reuse; that password reuse is more prevalent than previously believed, especially when partial reuse is taken into account; and that password managers may have no impact on password reuse or strength. We also observe that users can be grouped into a handful of behavioral clusters, representative of various password management strategies. Our ndings suggest that once a user needs to manage a larger number of passwords, they cope by partially and exactly reusing passwords across most of their accounts.