
Password Reuse: Rampant and Risky


Today is World Password Day, a day to promote awareness of the critical need for strong password hygiene. It’s also a good day to brush up on your own password practices. Recent data has shown that 65% of adults in the U.S. reuse their passwords across multiple, if not all, accounts, yet 91% say they know that using the same password, or a variation of it, is a risk. Had Bill Gates’ prediction at the 2004 RSA Conference about the demise of the traditional password been correct, this disconnect would not matter. Passwords, however, are still ubiquitous, and alternatives such as biometrics have their own drawbacks. The bottom line is that a password is still the first, and often the only, barrier between a threat actor and an account, so it is important that we all take password security more seriously in 2021 to protect ourselves and, by extension, our organizations.

Verizon’s 2020 Data Breach Investigations Report notes that more than 80% of hacking-related breaches involve brute force or the use of lost or stolen credentials. Enterprises are more likely to suffer a breach as a result of stolen or weak credentials as compared to any other single reason, which illustrates the prevalence and detriment of poor password hygiene. The disconnect between understanding and action is largely driven by convenience. Namely, the average person has close to 30 online accounts that require passwords. It can be frustrating and even inefficient to keep track of countless, unique login details.

Why is Password Reuse Harmful?

The problem is analogous to owning multiple safes yet using the same code for each of them. Once one safe is at risk, they are all vulnerable. Similarly, threat actors take credentials leaked from one service (for example, LinkedIn) and try them against other services (such as your work email account), a technique known as credential stuffing. This is automated: a list of leaked email and password pairs is replayed against a target login page by tooling that handles rate limits and proxies, so the attacker never needs to guess anything. If you use the same or similar passwords across personal and work accounts, it only takes one breach to potentially compromise all of your accounts.
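Credential stuffing leaves a recognisable trace in authentication logs: one source address trying many different usernames in a short window with a high failure rate, and the occasional success in the middle of that burst is exactly the reused password the attacker was looking for. The detector below is an added example, not code from the original post or from Constella; the log format, the sample lines, and the thresholds (5-minute window, at least 5 distinct usernames, at least 80% failures) are constructed for this demonstration and should be tuned to your own identity provider's log format and baseline.

```python
"""Flag credential-stuffing bursts in authentication logs (added example).

The line format "<ISO-8601 time> <source ip> <username> <LOGIN_OK|LOGIN_FAIL>"
and the sample lines below are constructed for this demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+(?P<user>\S+)\s+(?P<result>LOGIN_OK|LOGIN_FAIL)$"
)

# Constructed sample: 203.0.113.7 sprays eight usernames in four seconds (one
# succeeds); 198.51.100.20 is a real user who mistypes twice and then logs in.
SAMPLE_LOG = """\
2021-05-06T08:00:01Z 203.0.113.7 alice LOGIN_FAIL
2021-05-06T08:00:02Z 203.0.113.7 bob LOGIN_FAIL
2021-05-06T08:00:02Z 203.0.113.7 carol LOGIN_FAIL
2021-05-06T08:00:03Z 203.0.113.7 dave LOGIN_FAIL
2021-05-06T08:00:03Z 203.0.113.7 erin LOGIN_OK
2021-05-06T08:00:04Z 203.0.113.7 frank LOGIN_FAIL
2021-05-06T08:00:05Z 203.0.113.7 grace LOGIN_FAIL
2021-05-06T08:00:05Z 203.0.113.7 heidi LOGIN_FAIL
2021-05-06T08:01:10Z 198.51.100.20 carol LOGIN_FAIL
2021-05-06T08:01:25Z 198.51.100.20 carol LOGIN_FAIL
2021-05-06T08:01:40Z 198.51.100.20 carol LOGIN_OK
2021-05-06T09:30:00Z 203.0.113.7 ivan LOGIN_FAIL
"""


def parse(log_text):
    """Return a list of (timestamp, ip, username, success) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the constructed format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"] == "LOGIN_OK"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.8):
    """Return {ip: summary} for every source IP that, inside any sliding window,
    tried at least `min_users` distinct usernames with a failure ratio of at
    least `min_fail_ratio`. The summary keeps the largest offending window and
    lists the usernames that logged in successfully during it."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # advance `start` so that evs[start..end] spans at most `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e[2] for e in span}
            failures = sum(1 for e in span if not e[3])
            if len(users) >= min_users and failures / len(span) >= min_fail_ratio:
                prev = alerts.get(ip)
                if prev is None or len(span) > prev["attempts"]:
                    alerts[ip] = {
                        "attempts": len(span),
                        "distinct_users": len(users),
                        "failures": failures,
                        # successes inside the burst are the accounts to reset first
                        "compromised": sorted(e[2] for e in span if e[3]),
                    }
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_stuffing(parse(SAMPLE_LOG)).items():
        print(ip, summary)
```

The real user is not flagged because a single username with a few failures never reaches the distinct-username threshold, which is the difference between a forgotten password and a replayed breach list. In production the successful logins inside a flagged window are the accounts to force a reset on, and the ratio threshold should be checked against normal traffic first, since shared egress addresses (corporate NAT, VPN exits) legitimately carry many usernames.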

A recent report by NordVPN found that “Despite daily logins across our social media and computing devices, only about half of Americans (57%) change their passwords immediately after a site they frequent has a data breach, followed by 25% who change their passwords within a week or two, 10% within a few months, and 8% who never do. When it comes to sites Americans rarely visit, less than half (43%) change their passwords immediately after a data breach followed by 33% within a week or two, 14% within a few months and 10% who never do.”


This issue doesn’t just affect you; it affects your network, too. Poor password hygiene across your personal and work accounts can provide an easy entry point for cybercriminals into your employer’s network. Simply put, employee negligence is among the biggest cybersecurity risks to U.S. businesses. The Dropbox data breach, which exposed more than 60 million user credentials, started with an employee reusing, on a work account, a password that had already been exposed in the earlier LinkedIn breach. A seemingly innocuous error made by an individual can potentially cost a company millions of dollars, hefty legal fees and, most importantly, the trust of its customers.

Steps to Improve Password Hygiene

Although it will not prevent every future cyber-attack, strong password hygiene (a unique, long password for every account, where length matters more than mandatory symbols) is a simple yet necessary step in safeguarding your personal information and reducing your chances of suffering a breach. Unique does not mean changing a letter or number from account to account, either. In 2018, Constella Intelligence found that 21% of individuals surveyed use similar passwords to log into most accounts, 20% rotate 2-3 completely different passwords across accounts, 18% rotate 4-5 different passwords across accounts, and an alarming 17% use the exact same password to log into most accounts. If the variations you use are easy for you to remember, they are just as easy for an attacker to generate: password-cracking and credential-stuffing tools apply “mangling rules” to every leaked password, automatically trying capitalisation changes, appended years and digits, and letter-for-symbol swaps, so a leaked Summer2020! already covers Summer2021! and $ummer2020.
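A service can enforce the point above at password-change time by refusing new passwords that are only a mangled form of a previous one. The checker below is an added example, not Constella’s code or a library; it normalises a password the way a cracker’s rules would (case folded, common letter-for-symbol and letter-for-digit swaps reversed, leading and trailing digits and symbols dropped) and then compares the remaining stems. The substitution table, the similarity threshold (0.8) and the sample password history are constructed assumptions.

```python
"""Detect passwords that are mere variations of earlier ones (added example).

The substitution table and threshold are constructed assumptions; real crackers
use far larger rule sets, so this is a floor, not a guarantee.
"""
import difflib
import re

# Reverse the swaps attackers' mangling rules apply. Symbols first, because
# "$" and "@" only ever stand for letters; digits only after the trailing
# "2021"-style suffix is gone, so a year does not turn into letters.
SYMBOL_TO_LETTER = str.maketrans({"@": "a", "$": "s"})
DIGIT_TO_LETTER = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})


def stem(password):
    """Collapse a password to the word an attacker's rules would start from."""
    s = password.lower().translate(SYMBOL_TO_LETTER)
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)   # drop prefixed/appended digits and symbols
    s = s.translate(DIGIT_TO_LETTER)           # P@ssw0rd -> password
    return re.sub(r"[^a-z]", "", s)            # drop anything else (spaces, punctuation)


def is_variation(candidate, previous, threshold=0.8):
    """True if `candidate` is the same password as `previous` modulo mangling."""
    a, b = stem(candidate), stem(previous)
    if not a or not b:                          # all-digit or all-symbol passwords
        return candidate.lower() == previous.lower()
    if a == b:
        return True
    # near-equal stems (e.g. one letter changed) still count as a variation
    return difflib.SequenceMatcher(None, a, b).ratio() >= threshold


def reused_from(candidate, history, threshold=0.8):
    """Return the earlier passwords that `candidate` is a variation of."""
    return [p for p in history if is_variation(candidate, p, threshold)]


# Constructed sample history for the demonstration.
HISTORY = ["Summer2020!", "P@ssw0rd1", "Tr0ub4dor&3"]

if __name__ == "__main__":
    for new in ["Summer2021!", "$umm3r!2021", "Password2021", "correct horse battery staple"]:
        print(f"{new!r:35} rejected because of {reused_from(new, HISTORY)}")
```

The check needs the candidate in plaintext, which a password-change handler has anyway; the history can be kept as salted hashes of the stems rather than of the raw passwords so that old plaintexts are never stored. Note that the stem is deliberately lossy: it is there to reject variations, never to be used as the stored credential.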

Other tips to maintain good password hygiene include:

  • Implement multi-factor authentication, when possible. With this extra barrier, threat actors will need more than just a password to access your account; prefer an authenticator app or hardware security key over SMS codes where the service offers them.
  • Change passwords when they may be exposed. Reset a password immediately when a service you use announces a breach, and treat any account sharing that password as exposed too. A scheduled annual reset with a password generator is also a reasonable way to render old leaked data obsolete, but only if the replacement is a fresh, unique password; forced frequent rotation tends to produce predictable variations of the old one.
  • Use a password manager. Password managers can help generate and store complex passwords in an encrypted database, making it easy to keep track of all your various accounts.
  • Avoid sharing passwords. This one is self-explanatory – sharing your password with someone else opens up your network to any of their potential mistakes.
  • Invest in an identity theft solution provider. Constella Intelligence has the largest breach data collection on the planet, with over 100 billion attributes and 45 billion curated identity records spanning 125 countries and 53 languages. We alert individuals when their credentials or other personally identifiable information are exposed and circulating in underground markets, and alert businesses when their employees are compromised.

Passwords aren’t going away anytime soon so protect yourself and your enterprise: stop reusing credentials and make a concerted effort to improve your password hygiene.

To learn more about improving your cybersecurity hygiene read “Six Steps To Safeguard Executives, Employees, and Corporations from Digital Risk”.


By Cynthia Crossland, Chief Marketing Officer at Constella Intelligence