Password Reuse
What is Password Reuse?
Password Reuse: The practice of using the same password across multiple accounts or services, which lets a single breach compromise many of them.
Password reuse occurs when a user picks the same or a trivially modified password for personal email, work, banking, and dozens of other services. If any one of those services is breached and the password is cracked or leaked, attackers can replay the credential against other sites in a credential-stuffing attack and take over additional accounts. Studies and incident reports consistently show that reuse is the dominant amplifier of password-based breaches. Defences include unique passwords per site generated by a password manager, mandatory checks against known-breached password lists, multifactor authentication, and gradual migration to passwordless options such as passkeys that eliminate shared secrets entirely.
● Examples
- 01: A leaked forum password later used to break into the same user's email and cloud storage.
- 02: An employee reusing their personal password on a corporate SSO account.
● Frequently asked questions
What is Password Reuse?
The practice of using the same password across multiple accounts or services, which lets a single breach compromise many of them. It belongs to the Identity & Access category of cybersecurity.
What does Password Reuse mean?
The practice of using the same password across multiple accounts or services, which lets a single breach compromise many of them.
How does Password Reuse work?
Password reuse occurs when a user picks the same or a trivially modified password for personal email, work, banking, and dozens of other services. If any one of those services is breached and the password is cracked or leaked, attackers can replay the credential against other sites in a credential-stuffing attack and take over additional accounts. Studies and incident reports consistently show that reuse is the dominant amplifier of password-based breaches. Defences include unique passwords per site generated by a password manager, mandatory checks against known-breached password lists, multifactor authentication, and gradual migration to passwordless options such as passkeys that eliminate shared secrets entirely.
How do you defend against Password Reuse?
Defences for Password Reuse typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Password Reuse?
Common alternative names include: Reused password, Shared password across accounts.
● Related terms
- Credential Stuffing (attacks, № 232): An automated attack that replays large lists of username/password pairs leaked from one service against other services, exploiting password reuse to take over accounts.
- Credential Harvesting (identity-access, № 230): The collection of usernames, passwords, tokens, and other authentication secrets at scale, usually for later account takeover or sale.
- Password Spraying (attacks, № 800): A low-and-slow attack that tries a small set of common passwords against many user accounts, staying under lockout and rate-limit thresholds.
- Passkey (identity-access, № 793): A phishing-resistant FIDO2/WebAuthn credential — a device-bound or syncable asymmetric key pair that replaces passwords with a cryptographic challenge-response.
- Password Manager (identity-access, № 797): An application that generates, stores, and autofills strong unique credentials, secured by a master passphrase and increasingly by passkeys.