Password reuse is highly insecure but, unfortunately, very common. The habit of reusing the same password for multiple websites and accounts – social media, financial logins, etc. – is one fraught with risk. Even so, most of us have so many accounts to keep track of that it can be hard to resist the urge to simply reuse the same password rather than remember dozens of passwords for dozens of different purposes.
After examining a database with over 28 million users and their 61 million passwords, researchers discovered that an alarming 52% of people used either the same password, or a very similar variant of the same password, over multiple different services. Most people understand that this is not the most secure decision, but continue to reuse their passwords out of convenience, and to avoid password stress. Nobody wants to have to remember a 16-digit password for every single one of their accounts, especially when getting locked out of an important account can cause hours of lost work time. Many people may also hold onto the misconception that they won’t be the one unfortunate enough to be caught up in a breach.
Whatever your reason for doing it, reusing passwords is a practice best left behind.
If accounts are compromised, cybercriminals can do a great deal of damage, such as committing identity theft, or stealing money and sensitive information from your place of work. Password reuse only makes it that much easier for them to get their hands on important confidential information. Craig Lurey, CTO and Co-Founder of Keeper Security, explains that:
“Cybercriminals know that password reuse is rampant, so whenever they get hold of a working password for one account, they attempt to use it on dozens, perhaps hundreds of different sites. Therefore, if one password gets breached, cybercriminals can use it to access all of the accounts associated with it.”
Most of us know we should be using different passwords across all our accounts, but maybe not everyone understands why, and what specific risks this habit entails. So, we have put together a list of some very good reasons for you to stop recycling your passwords.
Reasons To Never Reuse Passwords
Risk Of Multiple Accounts Being Compromised
In today’s digital world, we often have several accounts on the go, some of which we are very concerned about keeping secure (like our bank accounts) and others that we may not worry about quite so much (like Facebook). In fact, studies have shown the average person has over 100 accounts to manage, a number that is increasing by 25% every year. So, you might put a lot of effort into crafting a stellar password to secure your bank account and then think, why not use this for everything?
Well, although it’s not very likely that your bank will suffer a security breach, other accounts of yours may be more vulnerable. Facebook, for example, suffered a serious security breach in 2021, when the personal information of 533 million users (around 20% of all Facebook accounts) was leaked online. This is serious, as your personal data could be used by cybercriminals to impersonate you, or to scam you into divulging your login credentials. If you’ve used the same password and email address for your Facebook and your online banking account and your Facebook account is breached, suddenly your bank account is not so secure.
The risk associated with sharing a password between multiple accounts is even greater if the password you use is weak, because cybercriminals are then even more likely to try to compromise your other accounts. Reused, easy-to-guess passwords are one of the leading causes of account compromise. You can check whether your passwords have ever appeared in a known breach with this tool: https://haveibeenpwned.com/
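The tool linked above exposes a "range" lookup that lets you check a password against its breach corpus without sending the password itself: only the first five hex characters of the password's SHA-1 hash leave your machine, the service returns every leaked hash suffix sharing that prefix, and the match is made locally. The following Python is an added example of that check, not code from the article or from Have I Been Pwned; the sample range response and its counts are constructed for the demo (only the hash of the string "password" is real), and the live fetcher is included for reference but not called.

```python
import hashlib
from typing import Callable, Dict

# Constructed stand-in for a range response. The real endpoint
# (https://api.pwnedpasswords.com/range/<5-hex-char prefix>) returns one
# "<35-hex-char suffix>:<count>" line per leaked hash sharing that prefix.
# The counts below are made up; the first suffix is the real SHA-1 tail of "password".
CONSTRUCTED_RANGE_RESPONSES: Dict[str, str] = {
    "5BAA6": "\r\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",  # "password" (count constructed)
        "1E5CA7E4A0A0A1B9C9F1D2E3F4A5B6C7D8E:2",        # unrelated constructed entry
    ]),
}


def offline_fetch_range(prefix: str) -> str:
    """Stand-in fetcher: constructed response, or nothing for unknown prefixes."""
    return CONSTRUCTED_RANGE_RESPONSES.get(prefix.upper(), "")


def live_fetch_range(prefix: str) -> str:
    """Real fetcher (network required; not used by the offline demo)."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "password-hygiene-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def split_sha1(password: str):
    """Return (5-char prefix sent to the service, 35-char suffix kept locally)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password: str,
                 fetch_range: Callable[[str], str] = offline_fetch_range) -> int:
    """How many times the password appears in the breach corpus (0 = not found).

    The full password and its full hash never leave this function; the
    suffix comparison happens here, against the returned prefix bucket.
    """
    prefix, suffix = split_sha1(password)
    for line in fetch_range(prefix).splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        cand_suffix, count = line.split(":", 1)
        if cand_suffix.upper() == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ["password", "Tr0ub4dor&3-example-not-leaked"]:
        print(f"{pw!r}: seen {breach_count(pw)} times")
```

To run it against the live service, pass `fetch_range=live_fetch_range`; a non-zero count for a password you use anywhere is the signal to retire it everywhere, not just on the one site.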
Jeopardizes Corporate Accounts
Due to the prevalence of password reuse all over the world, hackers have been able to find quicker and easier methods to breach corporate accounts, not just personal ones.
There have been a number of high-profile data breaches that have exposed thousands, or even millions, of users’ passwords. If a recycled password belonging to an employee of a large tech firm appears in one of these data breaches, hackers could easily compromise the employee’s account and gain unauthorized access to their company network.
This can then lead not only to loss of data and reputation damage for the organization, but also means that several other users are made vulnerable, as the hackers now have access to their data too. The more personal data and passwords hackers can get their hands on, the higher the chances are that they will conduct a large-scale hacking attack with potentially devastating consequences.
Increased Vulnerability To Password Cracking and Brute Force Attacks
The brute force techniques used by cybercriminals only get stronger the more passwords they possess.
Initially, the idea was that it would be more difficult for hackers to use cracking attacks if users were securing their accounts with alphanumeric passwords. However, as ecommerce rose in prevalence and each person was having to secure dozens of accounts, people got a bit lazier with their passwords. With so many to remember, it made sense to use very easy to remember passwords – and to use them over and over again – for the sake of simplicity.
This led to hackers being able to brute force alphanumeric passwords more easily too. And, as a result of so many breaches resulting from credential stuffing, brute-forcing and password cracking, hackers have been able to expand their password databases. With every new breach that occurs, they discover more and more clever or unique passwords that they can use in future attacks.
More Widespread Consequences For Successful Phishing Attacks
Phishing attacks are a method commonly employed by cybercriminals to access your information. Attackers might send you a communication posing as a trusted service provider, obtaining credentials such as your credit card details, date of birth, username, password and nicknames through a range of tricks – many of which can be difficult to spot.
They might contact you via instant message or email with instructions to go to a fake site (one that is very hard to distinguish from the original site) and enter your credentials. They might instruct you to update your information or tell you that your account was accessed by a suspicious login, capitalizing on your trust in the individual or provider they are impersonating to get their hands on your personal information.
Phishing attempts are a threat that we all must protect ourselves against, due to the prevalence of the attacks. However, there is additional danger if you have used the same credentials across multiple accounts, as the exposure can be more widespread and, thus, the damage more severe.
There Are Better, Safer Options Available
Passwords were once the sole barrier between your information and the people that would like to get their hands on it – but not anymore. Now you can add additional layers of account protection with highly useful tools like two-factor authentication or a password manager.
Two-factor authentication offers a secondary barrier against possible attacks, blocking any unauthorized access to your account by refusing entry from any new device or location until a second, separate form of identity authentication is provided. The first factor is your password and the second usually involves a text with a code sent to your smartphone, or biometrics that use your fingerprint, face or retina scan. If hackers do not have access to that second “factor” then their access to your account will be denied, even if they have your password.
With a password manager, you can make use of varied, unique and strong passwords without the worry that they will end up forgotten. These programs generate complex passwords for you and save them, so you don’t have to remember them. A password manager can also suggest replacements for existing passwords that are too weak and change your password for numerous accounts at once if a major breach were to occur. All passwords are saved under the umbrella of your “master password”, which is the only one you will need to remember.
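Two things a password manager does for you are worth seeing in code: generating a fresh random password per account, and auditing the vault for reuse, including the "very similar variant" pattern the article's statistics mention (Summer2023! on one site, Summer2024! on another). The Python below is an added example, not code from the article or from any password manager product; the vault contents, site names and passwords are constructed for the demo.

```python
import secrets
import string
from collections import defaultdict
from typing import Dict, List, Tuple

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+"


def generate_password(length: int = 20) -> str:
    """Random password from the OS CSPRNG, as a manager would create per site."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def levenshtein(a: str, b: str) -> int:
    """Edit distance; small values mean one password is a light variant of another."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_exact_reuse(vault: Dict[str, str]) -> List[List[str]]:
    """Groups of sites that share exactly the same password."""
    by_pw = defaultdict(list)
    for site, pw in vault.items():
        by_pw[pw].append(site)
    return sorted(sites for sites in by_pw.values() if len(sites) > 1)


def find_variants(vault: Dict[str, str], max_distance: int = 2) -> List[Tuple[str, str]]:
    """Pairs of sites whose passwords differ by only a few edits (case-insensitive)."""
    sites = sorted(vault)
    pairs = []
    for i, s1 in enumerate(sites):
        for s2 in sites[i + 1:]:
            p1, p2 = vault[s1], vault[s2]
            if p1 != p2 and levenshtein(p1.lower(), p2.lower()) <= max_distance:
                pairs.append((s1, s2))
    return pairs


# Constructed sample vault (made-up sites and passwords).
SAMPLE_VAULT = {
    "bank.example": "Summer2023!",
    "social.example": "Summer2023!",      # exact reuse of the bank password
    "shop.example": "summer2024!",        # near-variant: one character changed
    "mail.example": "xK9#vL2$pQ7@mN4&wR8!",  # unique, generated-style password
}

if __name__ == "__main__":
    print("exact reuse:", find_exact_reuse(SAMPLE_VAULT))
    print("variants:   ", find_variants(SAMPLE_VAULT))
    for site in ("social.example", "shop.example"):
        print(f"replacement for {site}: {generate_password()}")
```

Running it flags the bank/social pair as identical and the shop password as a trivial variant of both; those are exactly the entries to replace with `generate_password()` output, which no human would reuse because no human remembers it.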
A lot of us reuse passwords out of convenience, not out of a lack of understanding of the risks. With these additional security measures in place, there is no need to forgo safety in favor of simplicity.
The reasons for ditching password recycling that we’ve covered in this article should give you a good understanding of what potential dangers you could face when taking a lax approach to password security. We risk hackers accessing our personal data every time we sign up for an account online, but we can avoid a snowball effect and other consequences if we simply take steps to mitigate the risks that stem from poor password hygiene.
Break the habit of using the same password across multiple accounts, and better protect yourself against the considerable risk and potentially devastating consequences of account compromise.