
How Password Reuse Leads to Cybersecurity Vulnerabilities

Dashlane

Reusing passwords is a common habit. Our growing lists of accounts, apps, and devices have only accelerated this trend. After all, isn’t it easier to remember one password instead of 100 or more? Although the obvious answer is yes, password reuse vulnerability is a real security problem that can be addressed through improved password habits and new cybersecurity tools.

What makes a password secure?

Avoiding password reuse is one of several behaviors that contribute to better password hygiene and improved cybersecurity. The goal of these best practices is to prevent data breaches by making passwords less vulnerable to common hacking tactics. A secure password should be:

  • Unique to each account. There is always a chance that a login will be lost or stolen, so a unique password per account limits the damage from any one breach to that account. If you have been reusing passwords and don’t have an accurate list of where each one is used, a single breach can force you to review and update 100 or more accounts.
  • Random. Each of your unique passwords should also be random so that it can’t be guessed easily by a cybercriminal and their software tools. Randomness implies a lack of predictability. That means leaving out sequential strings (ABCD, 1234, qwerty), common phrases, and words like your name or street name that can be associated with your identity.
  • Long. Length is the biggest lever on the number of combinations an attacker has to try. Although not all experts agree on a minimum, going from 8 to 12 characters makes a password far more resistant to guessing: for lowercase letters alone, the keyspace grows from 26^8 (about 200 billion) to 26^12 (about 95 quadrillion), and with the full set of 95 printable characters it grows from 95^8 (about 6.6 quadrillion) to 95^12 (about 5.4 × 10^23).
  • Complex. A complex password mixes uppercase letters, lowercase letters, numbers, and special characters. Complexity only helps if it is unpredictable: a capital first letter and a “1!” at the end are among the first substitutions cracking tools try, so place special characters within the body of the password, use more than one uppercase letter, and switch between letters and numbers more than once.
  • Created with a password generator. The most efficient way to create random, complex passwords is the password generator built into a password manager. After generating each password, the password manager saves and autofills it, so you never need to write it down or memorize it.
  • Securely stored. Storing passwords in unlocked drawers, notebooks, or spreadsheets undermines their security. Built-in browser password managers sync your passwords to the vendor’s servers, and on the device they are typically protected only by your operating-system login, so malware running under your user account can read them out in plaintext. The best way to store passwords is in a dedicated password manager that encrypts the vault on your device before anything is synced to the cloud.
[Infographic: examples of poor passwords and instructions for creating and managing passwords.]
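The keyspace figures above and the “use a generator” advice are easy to check in code. The following is an added example, not Dashlane’s code: it computes the number of combinations and the entropy for a given alphabet and length, and generates passwords the way a password manager should, from the operating system’s cryptographic random source rather than a seeded pseudo-random generator. The 10^10 guesses-per-second rate in the demo is an assumption for illustration; real rates depend on the hash the breached site used and the attacker’s hardware.

```python
import math
import secrets
import string

# Character classes. string.punctuation has 32 symbols, so the four classes
# together are 94 characters; the article's figure of 95 also counts the space.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = string.punctuation
ALL_CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)
PRINTABLE = "".join(ALL_CLASSES)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters drawn from
    an alphabet of `alphabet_size` symbols (the article's "possible
    combinations")."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password: log2 of the keyspace."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at an assumed offline guess rate.
    The rate is the caller's assumption, so treat the result as an
    order-of-magnitude comparison between lengths, not a prediction."""
    return keyspace(alphabet_size, length) / guesses_per_second / (365 * 24 * 3600)


def generate_password(length: int = 16, alphabet: str = PRINTABLE) -> str:
    """Generate a uniformly random password with the OS CSPRNG.

    secrets.choice is backed by os.urandom; random.choice (Mersenne Twister)
    is predictable from its output and must never be used for secrets.
    Every character class present in `alphabet` must appear at least once.
    Candidates that miss a class are rejected and redrawn rather than
    patched, so the result stays uniform over the accepted set.
    """
    classes = [cls for cls in ALL_CLASSES if set(cls) & set(alphabet)]
    if length < len(classes):
        raise ValueError("length too short to include every character class")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in classes):
            return candidate


if __name__ == "__main__":
    for size, length in ((26, 8), (26, 12), (95, 8), (95, 12)):
        print(f"alphabet={size:2d} length={length:2d} "
              f"keyspace={keyspace(size, length):.3g} "
              f"entropy={entropy_bits(size, length):.1f} bits "
              f"years@1e10/s={years_to_exhaust(size, length, 1e10):.3g}")
    print("example:", generate_password())
```

Running it shows why length matters more than any single extra character class: each added character multiplies the keyspace by the alphabet size, whereas widening the alphabet from 26 to 95 is a one-time factor per position.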

The risks of reusing passwords

A recent study showed that nearly 20% of passwords are compromised, and 51% of passwords are reused. Although these password reuse statistics aren’t surprising, they shed light on some dangerous (and avoidable) cybersecurity issues. Password reuse not only exposes multiple accounts in the event of a breach but also makes us vulnerable to common hacking tactics and causes more headaches for computer users and IT teams when password updates are necessary. Here are some of the risks of reusing passwords:

  • Easier to fall victim to hackers: Cybercriminals are well aware of password reuse statistics and other published facts about passwords, and they develop their hacking tactics based on the weaknesses they see. Password reuse makes us more susceptible to hacking, including:
    • Credential stuffing: Username and password pairs leaked in one site’s breach are sold or traded and then replayed automatically against many other websites, banking on the fact that the same password was reused elsewhere. Each successful login is another account taken over without cracking anything, which makes credential stuffing one of the most cost-effective attacks there is. If every password is unique, a leaked credential unlocks exactly one account.
    • Ransomware attacks: Ransomware encrypts an individual’s or organization’s files and holds them hostage until a ransom is paid, usually in cryptocurrency. The attackers have to get in first, and a password stolen from one service and reused on a VPN, remote desktop, or email account is a common way in. Reused credentials widen the attacker’s foothold and the scope of what can be encrypted.
    • Brute-force attacks: A brute-force attack also uses automation and trial-and-error, but instead of replaying stolen credentials, the attacker generates the guesses, working through common passwords and dictionary words first and then the remaining combinations, either against the login page or, after a breach, offline against the stolen password hashes. Long, random passwords make exhaustive guessing impractical, and unique passwords contain the impact of a successful guess to a single account.
[Graphic: a computer hacker trying out different user credentials and then successfully accessing the user’s bank, email, and social media accounts.]
  • Increased likelihood of being locked out of multiple accounts

Password reuse is like discount shopping for cybercriminals because many important accounts are accessed with just one set of logins. If a hacker attempts to access several of your accounts at once, their failed login attempts might cause you to be locked out, and the account recovery process could be time-consuming. Even without hacking or data breaches, losing or forgetting passwords you’re reusing for multiple accounts might force you to spend hours resetting logins.

  • Potential for financial loss

Although hacktivists might use their programming skills to promote a political agenda, most hackers are in it for the money. Each breached account can lead to financial loss from identity theft or banking and credit card information exposure. If your email account is impacted, the hacker might launch phishing attacks from your account and attempt to lure your contacts into sharing their own private information.
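Credential stuffing and brute force look different in a login log, and that difference is what a defender keys on. The following is an added example, not Dashlane’s code, run over constructed log lines in a format assumed for the demo (one line per attempt with a timestamp, source IP, username, and OK/FAIL result). A stuffing source touches many usernames about once each and mostly fails; the few successes are the accounts whose owners reused a leaked password. A brute-force source hammers one or two usernames. The thresholds are illustrative defaults, not tuned values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Log format assumed for this example; adapt the pattern to your own identity
# provider or application log.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)
EPOCH = datetime(1970, 1, 1)


def build_sample_log() -> list[str]:
    """Constructed log lines (not real traffic) showing three patterns."""
    t0 = datetime(2024, 3, 1, 10, 0, 0)

    def stamp(seconds: int) -> str:
        return (t0 + timedelta(seconds=seconds)).strftime("%Y-%m-%dT%H:%M:%SZ")

    lines = []
    # A: one source tries 25 different usernames once each, 2 succeed -> stuffing
    for i in range(25):
        result = "OK" if i in (4, 17) else "FAIL"
        lines.append(f"{stamp(i)} ip=203.0.113.10 user=user{i:02d} result={result}")
    # B: one source tries 30 passwords against a single account -> brute force
    for i in range(30):
        lines.append(f"{stamp(30 + i)} ip=198.51.100.7 user=carol result=FAIL")
    # C: a legitimate user who mistypes once, then signs in -> benign
    lines.append(f"{stamp(70)} ip=192.0.2.5 user=alice result=FAIL")
    lines.append(f"{stamp(72)} ip=192.0.2.5 user=alice result=OK")
    return lines


def parse(lines):
    """Yield (timestamp, ip, user, success) tuples; skip lines in other formats."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["ip"], m["user"], m["result"] == "OK"


def classify_sources(lines, window=timedelta(minutes=5),
                     min_users=10, min_attempts=10, min_fail_ratio=0.75):
    """Label each source IP per fixed time bucket.

    credential_stuffing: many distinct usernames, about one try each, mostly
        failing (leaked pairs are replayed; only reused passwords work)
    brute_force: many tries against one to three usernames, mostly failing
    benign: anything below the thresholds
    Returns (labels, compromised); compromised lists accounts that logged in
    successfully from a source flagged as stuffing.
    """
    buckets = defaultdict(list)
    for ts, ip, user, ok in parse(lines):
        bucket = int((ts - EPOCH).total_seconds()) // int(window.total_seconds())
        buckets[(ip, bucket)].append((user, ok))

    labels, compromised = {}, []
    for (ip, _), events in buckets.items():
        attempts = len(events)
        users = {u for u, _ in events}
        fails = sum(1 for _, ok in events if not ok)
        label = "benign"
        if fails / attempts >= min_fail_ratio:
            if len(users) >= min_users and attempts <= 2 * len(users):
                label = "credential_stuffing"
                compromised.extend(u for u, ok in events if ok)
            elif attempts >= min_attempts and len(users) <= 3:
                label = "brute_force"
        # a source flagged in any bucket keeps its non-benign label
        if labels.get(ip, "benign") == "benign":
            labels[ip] = label
    return labels, compromised


if __name__ == "__main__":
    labels, compromised = classify_sources(build_sample_log())
    for ip, label in labels.items():
        print(f"{ip:15s} {label}")
    print("accounts that accepted a replayed credential:", compromised)
```

The accounts in the `compromised` list are the ones to force a reset on; they are also the users whose password appears in someone else’s breach, which is exactly the exposure that unique passwords eliminate.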

6 ways to keep your passwords secure

Password reuse can become a habit, and breaking this habit is a process. Fortunately, there are many cybersecurity tools and practices available to help you improve your password hygiene:

  1. Use unique passwords for each account

Don’t reuse passwords, ever. As simple as this sounds, it can still be difficult if you’ve recycled the same password dozens of times over the years. In the workplace, some IT departments enforce a password-history policy so that a new password can’t repeat a previous one. Dashlane’s Password Health score helps you reduce your password reuse exposure by keeping up-to-date lists of your weak, compromised, and reused passwords.
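The three lists a password-health check produces (reused, weak, compromised) can be computed locally without ever sending a password anywhere. The following is an added example, not Dashlane’s implementation, over a constructed vault of made-up credentials. The compromised check mirrors the k-anonymity scheme of the Pwned Passwords range API (send only the first five hex characters of SHA-1(password) to https://api.pwnedpasswords.com/range/<prefix>, match the returned suffixes on the device); here the range response is simulated from a small local list so the example runs offline. The weakness check is a deliberately simple length-and-variety rule, not a full strength estimator.

```python
import hashlib
from collections import defaultdict

# Constructed vault entries for the example; none of these are real credentials.
VAULT = [
    ("bank.example", "alice", "Tr0ub4dor&3"),
    ("email.example", "alice", "Tr0ub4dor&3"),
    ("shop.example", "alice", "Tr0ub4dor&3"),
    ("forum.example", "alice", "password123"),
    ("work.example", "alice@work.example", "x7!Qm#9vL2@pZr4w"),
]

# Constructed stand-in for a breached-password corpus (password -> times seen).
_BREACHED = {"password123": 1_000_000, "123456": 50_000_000, "qwerty": 4_000_000}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def simulated_range_lookup(prefix: str) -> dict[str, int]:
    """Mimics the range endpoint: {suffix: count} for every known hash that
    starts with the 5-character prefix. In production this is an HTTPS call;
    the server never learns which suffix the client was interested in."""
    out = {}
    for pw, count in _BREACHED.items():
        h = sha1_hex(pw)
        if h[:5] == prefix:
            out[h[5:]] = count
    return out


def breach_count(password: str, range_lookup=simulated_range_lookup) -> int:
    """How often the password appears in the corpus; 0 if never seen.
    Only the prefix leaves the device; the suffix match happens locally."""
    h = sha1_hex(password)
    return range_lookup(h[:5]).get(h[5:], 0)


def is_weak(password: str, min_length: int = 12) -> bool:
    """Cheap length/variety rule. Real scorers (zxcvbn and the like) also
    penalise dictionary words, dates and keyboard walks."""
    classes = sum((
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ))
    return len(password) < min_length or classes < 3


def audit(vault, range_lookup=simulated_range_lookup) -> dict:
    """Report reused, weak and breached passwords by site, never by value,
    so the report itself is safe to display or log."""
    by_password = defaultdict(list)
    for site, _user, password in vault:
        by_password[password].append(site)
    return {
        "reused": [sites for sites in by_password.values() if len(sites) > 1],
        "weak": [site for site, _u, pw in vault if is_weak(pw)],
        "compromised": [site for site, _u, pw in vault if breach_count(pw, range_lookup)],
    }


if __name__ == "__main__":
    for category, sites in audit(VAULT).items():
        print(f"{category:12s} {sites}")
```

A reused password shows up as one group of sites; all of them need new, distinct passwords, starting with whichever site holds money or can reset the others (usually email).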

  2. Change passwords when necessary

Forced password changes at set intervals have little value if we replace strong passwords with weaker ones or make minor changes that hackers can easily decipher. However, there are some situations, like discovering malware, being hacked, or sharing your password unsecurely, that merit immediate password resets. You should also update any reused passwords you discover while ensuring the new passwords are long, random, and complex.

  3. Only share passwords securely

Much like password reuse, sharing passwords with friends, family, and coworkers is a common habit. It can also have similar consequences since it magnifies your vulnerability if a cybercrime ever impacts these friends or relatives. Secure login-sharing practices rule out sticky notes, email, and text messages. Even online sharing portals aren’t inherently secure without adequate controls and encryption.  

Dashlane’s password-sharing tool can be used to securely share passwords and other information. Since the data is encrypted and passwords are safely autofilled, there’s no need to continue using paper notes or online communication platforms.

  4. Turn on 2-factor authentication (2FA)

As you eliminate reused passwords, 2FA adds a second layer of protection for important accounts. 2FA asks for a second factor, such as a code from an authenticator app, a text message, or a hardware security key, in addition to the password when you sign in. An attacker who obtains a leaked password still lacks that second factor, so a reused password alone is no longer enough to get in. Codes from an app or a hardware key are preferable to SMS, which can be intercepted through SIM swapping, and a hardware key bound to the site’s origin is the only one of the three that also resists real-time phishing of the code.

  5. Use VPN on public WiFi networks

Public WiFi networks in airports, cafés, and malls can expose you to tactics like man-in-the-middle attacks that intercept traffic on the local network. A VPN (virtual private network) encrypts all data leaving your device and routes it through the VPN provider’s server, so nobody on the local network or at the access point can read or tamper with it, including connections that aren’t already protected by HTTPS. The VPN also hides your IP address from the sites you visit. Keep in mind that this moves trust to the VPN provider, which can see the traffic the local network no longer can.

A VPN lets you browse, shop, and pay your bills online with more privacy, wherever you are in the world. Learn more about the best-in-class VPN available at no extra cost with many Dashlane plans.

  6. Use a password manager

Common hacking tactics like credential stuffing and brute-force attacks rely on weak and reused passwords to fulfill their intended purpose. A password manager protects all your important accounts by encrypting passwords and account logins, storing your information in a secure vault, and enabling 2FA for an additional layer of security. Automatic password generation features and autofill eliminate the need to create and remember complex passwords for each account.

How Dashlane keeps your passwords protected

Dashlane helps you eliminate reused passwords and improve your password hygiene with industry-leading features and support. One Master Password is all you need to remember as you automatically generate and store your logins. Standard features include 2FA, a Password Health score that shows you which passwords to update to improve your security, AES-256 encryption, and a secure password-sharing portal. Additional VPN and Dark Web Monitoring features help keep your passwords, accounts, and devices secure.

The convenience and flexibility of the hybrid workplace are balanced by cybersecurity challenges for employers and IT teams. We take a look at some potential barriers to maintaining a security culture in The Future of Security in the Hybrid Workplace.


References

  1. Dashlane, “7 Password Hygiene Best Practices to Follow,” February 2023.
  2. Tech.co, “Study Reveals Average Person Has 100 Passwords,” May 2022.
  3. Dashlane, “The Power of Unpredictable Passwords,” August 2020.
  4. LMG Security, “How long should your password be? The data behind a safe password length policy,” January 2020.
  5. Dashlane, “Resist hacks by using Dashlane's password generator tool,” 2023.
  6. Dashlane, “Best Way to Store Passwords at Home or Work,” September 2022.
  7. Dashlane, “A look at Password Health Scores around the world in 2022,” 2022.
  8. Security Magazine, “450% surge in security breaches containing usernames and passwords,” June 2021.
  9. Dashlane, “What the Hack is a Brute Force Attack?” February 2020.
  10. Cybersecurity Magazine, “What is a Hacktivist?” 2023.
  11. Dashlane, “Why Dashlane Will Never Ask You for Credentials in an Email (Because That’s How Phishing Works),” November 2021.
  12. Dashlane, “Understanding your Dashlane Password Health Score,” October 2020.
  13. Dashlane, “How Often Should You Change Your Password for Online Accounts?” January 2023.
  14. Dashlane, “Case Study: How VillageReach eliminated hundreds of reused passwords within a global workspace,” February 2022.
  15. Dashlane, “Share your saved items in Dashlane,” 2023.
  16. Dashlane, “How Dashlane Makes 2FA Easy,” June 2022.
  17. Dashlane, “Why Do You Need a VPN? Don’t Miss These 3 Key Benefits,” August 2020.
  18. Dashlane, “Trusted Personal Password Manager,” 2023.
  19. Dashlane, “SSO Technology Overview & Integration With Dashlane,” September 2022.
  20. SimpliLearn, “What Is AES Encryption and How Does It Work?” February 2023.
  21. Dashlane, “The Future of Security in the Hybrid Workplace,” 2023.
  22. Dashlane, “7 Dangers of Sharing Passwords Without a Password Manager,” March 2023.
