Dangers of reusing passwords – Know why is it bad and how you can avoid it
There was a time when using or communicating with passwords or passcodes used to be a genius thing. In fact, most of you would have felt like a secret agent when asked to use a password for the first time.
But, today, you have to use password for almost everything you do online. That’s why reusing passwords is common now.
However, that’s where the problem exists.
Of course, we can’t remember so many passwords for every other account. But, using the same password on more than one accounts isn’t a good idea at all.
In reality, this habit is the main reason why almost every individual today gets hacked in one or the other way.
Wondering what’s the big deal here? Let’s take a look at why password reuse is a dangerous practice. We’ll also guide you about how you can protect your accounts with secure and unique passwords without having to memorize them all.
Dangers of reusing a password
Although, using the same password for multiple accounts saves us from remembering lots of passwords. You just have to type “abc123” to sign-in, whether it is your Facebook account, email, or online banking account.
Sounds pretty easy, isn’t it?
Let us tell you that this is a big no-no if you really want your accounts to remain secure.
Why? Let’s take a look.
1. Risk to multiple accounts
Are you wondering why reusing passwords is bad for all your online accounts?
Imagine you have set a solid password for your bank account. But you also used it for your emails to protect your email account with a secure password.
While your bank isn’t likely to suffer any breach, your email service might be vulnerable, and vice versa.
So, if an attacker successfully targets your email service provider and gets your password, no matter how strong it is, the attacker can subsequently gain access to all accounts set up on that email.
Now, if you have also reused the password on other accounts (which you’re likely to do), the attacker can take over all other accounts too.
And things are even more dangerous if your password isn’t a secure one. It’s because your password may likely be in use by other users as well. In that case, your password’s exposure risks thousands or millions of other users’ accounts globally.
2. Increase in hacking attacks
As we stated above, due to the chances of password reuse by multiple users globally, the hackers find it easy to breach organizations.
For example, if a password “sha123” appears once in a data breach, and it belongs to an employee of a big tech firm, the hackers can easily exploit that employee’s account to breach the firm’s network. In turn, this won’t only cause loss of data and integrity to the firm, but also makes many other users vulnerable as their data would land at criminals’ hands.
Now, the criminals get more data, more passwords, and more chances of conducting large scale hacking attacks. And the cycle goes on!
3. Vulnerability to password-guessing and brute force
The higher the number of passwords criminals get, the stronger they can make their brute force techniques.
Earlier, it was thought that using alphanumeric password make the password secure from guessing attacks.
However, as the practice turned ubiquitous, and people started to use easy passwords more commonly, like admin123, the hackers can easily brute force alphanumeric passwords too.
In turn, the subsequent breaches happening due to credential stuffing, password guessing, and brute-forcing are only making the attackers increase their password database. With each breach, they can get some unique passwords as well that they can use to improvise their techniques.
4. Loss of financial and sensitive data
Did you just ask what is the number one reason not to reuse passwords for multiple sites? Here’s your answer.
Though we have listed it here, in the end, the ultimate reason why we advise you not to reuse passwords is your loss. This may be a monetary loss, data loss, loss of sensitive personal details, and more.
If you use the same password on your online bank account and Facebook, an attacker can easily breach both of your accounts even though you may not have reused the same password on your email. But since the attacker has already got your email address, which you have likely used on all your accounts, guessing your password for other accounts becomes easy.
Ultimately, the attacker can not only hack into your bank account to steal money but can also take over your social media accounts and email ID(s) to steal your photos, videos, invoices, addresses, and much more.
You must have noticed how all these problems are inter-related. That’s how this singular practice of reusing passwords does harm to you from so many dimensions.
Password reuse statistics
Considering all the dangers of using same password multiple times that we just listed, you must be wondering whether people really do it today (leaving you, of course)?
The answer is, YES!
Password reuse is very common, not today, rather from several years.
It’s like when the first netizens were asked to use passwords; they reused it on all other sites. (We’ll keep our discussion limited to reusing passwords on the internet. Reusing passcodes on debit and ATM cards is another thing that we won’t discuss here. Though, you need to be careful about that too.)
As evidence of password reuse, check out this video:
So, you see, people not only reuse passwords but are also willing to share it with anyone after a little trickiness.
That’s the reason why data breaches and hacking attacks are on the rise despite reiterating the top online security tips countlessly.
According to password reuse statistics 2019 by Security.org, the majority of people reuse or recycle passwords. Precisely, they found 72% of the users in their survey recycle passwords. Of these, 63% used the same passwords on both essential and entertainment sites.
In simple words, they would be using the same password for their Netflix account, Facebook, and bank account. It means if they suffer a breach via an entertainment site, their bank accounts can likely get compromised.
They even found some fairly smart users in their survey who didn’t reuse their passwords as they were. Instead, they did minor tweaks with their passwords by substituting letters with special characters or numbers.
However, given the extent of data breaches that affect millions and billions of customers (like the Equifax and Marriott breaches), guessing such passwords doesn’t remain challenging for the criminal hackers anymore. They know you would be using numbers (0-9) or special characters (again, a finite range) and that you would have made only minor tweaks; it won’t be difficult for them to guess “adm1n,” “@dmIn,” “adm!n,” or “@dM1n” as your password if you previously have used “admin.”
According to Verizon’s 2020 Investigations Report on Data Breaches, compromised passwords are the reason behind 81% of hacking-related breaches.
And this goes on this year too!
According to Microsoft’s password reuse statistics 2020, around 44 million out of the 3 billion users reused passwords in their study.
How to avoid risks of using same password
Of course, password reuse is easy. You don’t have to work out on memorizing a whole list of gibberish that serve as strong passwords for you. Nor would you have to note them down somewhere to approach if you ever forget them.
However, now you know that re-using passwords isn’t a safe practice. So, you may wonder about the ways you should adopt to get rid of password reuse vulnerability. Perhaps, you would prefer the methods as easy as duplicating passwords, won’t you?
Check out the following ways that serve as a savior to protect your login credentials.
Use a password manager
The number one method that saves you from the hassle of remembering passwords is to use a password manager.
A password manager is a simple tool that allows you to create secure passwords and save your credentials for all accounts together. For this, all you have to do is to create an account on it and remember just one password.
You can install this password manager on all devices you use so that you can sign-in to your accounts everywhere.
These password managers also come with password generators that help you set up strong passwords. While you can’t remember them easily, your password manager can. And so, you don’t have to use your pet’s name or your birthday anymore as your password.
Besides, despite knowing your birthday, favorite color, pet name, and other details about you, nobody else could ever guess your password.
If you do a quick search online, you will find many password management tools, both free and paid. However, not all of them are secure enough to manage this sensitive data of yours. Some even lack key features, such as password suggestions, that render the tools useless.
So, if you’re confused about which one you should use, take a look at our detailed guide on the best password managers.
Use suggested passwords
Whether you use password managers or not, many websites today give the users clear instructions about creating a password.
For instance, signing-up for LinkedIn now requires you to set up a password that is of a certain length, is alphanumeric, and has some special characters. Similarly, Google and many other websites also give similar suggestions.
Many websites even show you a password strength indicator as “weak,” “medium,” and “strong.”
Whereas, some other services, like WordPress, step ahead to show suggested passwords, just like password managers.
In all these situations, make sure you take into consideration what the websites say about your password. It is often better if you use their randomly-generated suggested password as your own to keep your account secure.
Always create unique passwords
Simple as that!
Though, if you use a password manager, you can skip this section as your password manager already ensures creating unique passwords for all your accounts.
In case you aren’t, still, using randomly-generated password suggestions save you from this hassle.
However, if you are adamant about setting up passwords on your own, then make sure to use “unique” passwords.
What does unique mean here?
Imagine you set up a password, a very long one, something like “crackmeifyoucan” for your Facebook account. Now, setting up its variants, like “crackmeifyoucan123,” “cr@ckmeifyoucan,” or “cr@ckmeifyoucan123,” doesn’t make your password unique.
In fact, you’re only making it easy for hackers to guess your passwords via brute force.
So, make sure you do not reuse passwords, even with modifications. Set up entirely different passwords while considering the following.
- Use long phrases instead of one or two words.
- Include numbers.
- Include special characters.
- Never use commonly known phrases.
- Never use words that you frequently speak.
- Do not use anything as your password that you mention in your CV, profiles, scrapbooks, quizzes, and elsewhere.
- Never share your passwords with anyone.
- Do not ever share passwords with anyone at your home or workplace.
- Never save your passwords on paper or digital documents.
Check the password for breach
Because of the recurrent data breaches that mostly involve login credentials, it is almost impossible that your email address or password has remained veiled from the public.
If not the exact sequence, then a variant of your password must have appeared in at least one breach. Likewise, your email address would also have been breached via a direct incident, or an impact due to third party sites.
A 2015 study by Dashlane revealed that, on average, an individual maintains 90 online accounts. Obviously, no one can actually maintain 90 different email addresses for all these accounts.
In turn, it means that a user would have a maximum of 5-10 email addresses, each bearing at least 9 to 18 online accounts. Now if, the user has reused passwords on accounts set up on a single email address, imagine how devastating it would be in case of a data breach!
To tackle this problem, ideally, you should also use separate email addresses for your accounts to prevent the spreading of the impact of an incident. However, this isn’t a practical thing for many.
But you can certainly ensure that you have a unique password for every online account. And that it remains unique even after you suffer a breach.
Today, thanks to the services like Troy Hunt’s Have I Been Pwned, that you can now know if your email address or your password, or both, have suffered a breach.
If you use a password manager, the tool will likely notify you if your password has appeared in a breach.
Also, almost all popular browsers have introduced built-in features to inform users of a breach.
For instance, Mozilla launched Firefox Monitor in 2018, after joining hands with HIBP, to inform users of hacks.
Likewise, in 2019, Google rolled out Password Checkup feature as a built-in tool for Chrome browser users. When you sign-in to your Google account on Chrome, you can use this feature to see if your password is safe. (Find it here: Menu > Settings > Passwords > Check passwords.)
Following the trail, in March 2020, Microsoft Edge also introduced Password Monitor bearing the same functionality for users.
Therefore, before you finalize your login credentials for an account, check the security status of your password to use.
More ways to secure passwords
Now that you know how to avoid reusing passwords let’s take a look at ways to keep your passwords secure.
Apply two-factor authentication
Since credential stuffing and password hacking is becoming increasingly common, many online services offer two-factor authentication. You can at least find them available on all major services like Google, Apple, Facebook, Twitter, Dropbox, online bank accounts, email services, and more.
If you don’t know of it yet, then let us simply describe it for you.
Two-factor authentication (2FA), as the term hints, applies one more layer of user authentication on top of a password. Without 2FA, you only use one factor to authenticate yourself online, your password.
But with 2FA, the site doesn’t let you in unless you authenticate another factor aside from your password.
In most cases, the sites send an authentication code or PIN number to your phone number or email address. This helps protect your account from fraudulent login attempts.
When you have this turned on, then even if your password suffers a breach, since the attacker won’t have access to your phone, the authentication code’s receipt will let you know that somebody else is trying to enter into your account. Whereas the attacker won’t succeed in doing so.
This will even prove useful if your phone number also gets leaked in the breach. (Though, it’s not 100% fool-proof.)
Apply multi-factor authentication
Multi-factor authentication (MFA) also employs more than one authentication method before allowing access to an account. In fact, 2FA is also a part of MFA.
However, in technical applications, MFA is used when the service uses something else other than 2FA. It means that the other authentication factor may include something aside from the verification code.
Biometric authentication (via fingerprint, iris scan, etc.), authenticator apps, use of knowledge factors (like secret questions), and other such procedures are all part of MFA.
Another way to protect your accounts from the risks of password reuse or password theft is to ditch passwords for passwordless authentication simply. It means you would no more have to remember passwords. Nor would you have to invest in secure password vaults or password managers.
This is what the World Economic Forum 2020 also stressed considering the digital disaster due to the COVID19 pandemic. Their report “Passwordless Authentication. The next breakthrough in secure digital transformation” elaborated on the benefits of going passwordless.
Below we list the two popular strategies to set yourself free of the risk of using the same password.
1. Hardware security keys
The first measure involves the use of hardware security keys. You can connect these keys to your devices, such as your laptop or desktop, via the usual USB port, Bluetooth, or NFC technology, to sign-in to any account that supports these keys.
Security keys usually implement the secure U2F (Universal Second Factor) powered by the FIDO (Fast IDentity Online) Alliance for authentication. Since you do not have to use login credentials while using them, you don’t have to worry about password hacking and theft. All you need to do is keep your security key safe with you.
Even in case of key theft, you can easily disable the key to protecting your account.
2. Digital passwordless authentication tools
Another way to go passwordless and avoid reusing passwords is to use passwordless authentication apps.
For instance, services like MIRACL.com, DUO.com, and IANUM.com, let you sign-in to your accounts via secure PINs using a mobile app. These services are handy and save you from the burden of remembering passwords or taking care of hardware security keys.
You can easily download the app on to your smartphones and protect your accounts. The only problem you might face would be an incident of mobile theft. In that case, you can simply report and get your stolen phone locked to avoid any breach.
Bonus: Password security best practices
We know that you might be a little hesitant to go passwordless altogether. So, until you use passwords, keep in mind the following best practices for online security.
- Don’t duplicate or reuse passwords on multiple accounts – simple as that. This is what we have stressed throughout the article.
- Use password management apps to create and store passwords.
- Never type passwords with the characters shown onscreen, especially if you’re in a crowd or someone is standing beside you.
- Never leave any of your home and work devices unattended with your accounts signed-in.
- Be careful of phishing emails, and never enter your credentials on phishing web pages.
- Keep your devices (laptops, desktops, tablets, and phones, etc.) loaded with robust antivirus/antimalware tools. Make sure to run periodic full-scans of your device to fend-off malware attacks.
- Avoid using your online accounts on shared computers, like the ones at public places and internet cafes. Despite logging-out safely, the risk of getting hacked might remain due to caching.
- Never sign-in to your accounts when connected to public WiFi. If that is something inevitable, make sure you have a VPN installed and running on your device.
- Change your password frequently. Ideally, it would be best if you changed them every three to six months.
- Read and implement 1 to 9.
Besides, make sure that you employ general cybersecurity safety tips while surfing.
Ensuring password security should be your top priority if you are really serious about your online accounts’ privacy. Reusing passwords is the biggest threat to it.
That’s the reason we created this detailed guide for you to emphasize on not replicating passwords ever.
As you must have observed after going through this guide, the single practice of copying passwords on all accounts causes damage to you from multiple aspects.
Whereas with a little vigilance, you can overcome this problem and keep all your personal, social, and banking, and other online accounts safe.
So, try to implement all the best practices for password security – the first being never reusing passwords ever.
As always, you are welcome to share your concerns with us if there is any ambiguity via your comments.
About the author
Abeerah is a passionate technology blogger and cybersecurity enthusiast. She yearns to know everything about the latest technology developments. Specifically, she’s crazy about the three C’s; computing, cybersecurity, and communication. When she is not writing, she’s reading about the tech world.