The Risks of Using the Same Password for Different Accounts
‘Open sesame’ was a good enough password for Ali Baba and the 40 thieves to open a cave full of treasure. Times have changed, though, and the phrase is a weak password by today’s standards.
In fact, similar easy-to-crack passwords led to 1.7 billion successful hacking attempts in 2021, according to a survey by SpyCloud. Meanwhile, another survey by the Identity Theft Resource Center revealed that only 15% of people use unique passwords.
Since the average person has over 100 accounts, creating strong, unique passwords for each account and remembering them is an obvious challenge. So, most people opt for the unsafe path of using the same password for everything.
Still, the sheer number of compromised user accounts and large-scale data breaches show that good password hygiene is a must. Reusing the same password, even if it’s strong, is ill-advised.
Is it safe to use the same password for multiple accounts?
No, it’s not safe to use the same password for multiple accounts. If one of the websites you have a profile gets breached, hackers will have access to all your accounts without requiring too much effort.
How hackers steal passwords
Hackers have several methods to steal passwords, which may target either an individual or a company that stores customers’ information. Here’s how they get hold of your sensitive information:
- Data breaches: Most common way that cybercriminals get access to your passwords. By hacking into big companies like Facebook, they’re able to get access to thousands (sometimes) millions of passwords in one go, which they can then sell on the dark web.
- Brute force attacks: Method where the hacker uses a piece of software that repeatedly inserts random passwords until they find yours. Short and weak passwords can be cracked within seconds through this method.
- Phishing: Hacker tricks people into entering a fake website that looks similar to the original one. The moment the victim enters their credentials, the cybercriminal gets access to the information.
- Keylogging: Approach where the cybercriminal tricks the user into downloading malware that logs their keystrokes. This way, they’re able to steal the user’s password when they type it.
- Man-in-the-middle attacks: Cyberattacks where the hacker is able to intercept data while it’s being transmitted (such as through public Wi-Fi). Credentials are just one of the many pieces of sensitive information cybercriminals can steal this way.
- Password spraying: After getting a hand on the victim’s email, the cybercriminal inserts the most common passwords (such as ‘12345′) to see if one works.
- Social engineering: Using the victim’s personal information to steal their credentials from the source. Often, cybercriminals try to bypass a company or a loved one and create a fake emergency, so the victim shares their password before thinking straight.
The risks of reusing passwords
When cybercriminals successfully acquire a username-password pair, they most likely use the stolen credentials to try accessing other accounts. This activity, known as credential stuffing, is exceptionally dangerous if a person reuses passwords for multiple accounts.
A typically dangerous scenario is when a password is reused for online shopping. Even if the person is cautious and doesn’t save credit card details, a cybercriminal can still figure out which bank the shopper uses by checking the online store’s receipts. If the person uses the same password for their bank account as they do for online shopping, all their money is in jeopardy.
50% off Keeper for Best Reviews readers
Visit Keeper's website through our affiliate link and get a nice 50% discount on Keeper Personal and Family plans.
Get 50% Off Keeper
Other than potentially compromising your savings, there are numerous additional risks of reusing the same password:
- Identity theft: Hackers conduct illegal activities in a person’s name, such as making health insurance claims.
- Password cracking: Cybercriminals acquire several additional passwords when breaking into an account linked to others, such as an email inbox.
- Breach of corporate accounts: If an employee uses the same password for personal and business use, hackers may gain illegal access to business property. This may result in stolen intellectual property, the installation of ransomware, and more.
Real-life cases of hackers breaching thousands
Cybercriminals successfully hack thousands of accounts every day due to weak passwords. Colonial Pipelines’s breach in 2021 is a prime example, where hackers used an insecure employee account as a backdoor. The U.S. largest gas provider was forced to comply and pay a $4.4 million ransom to regain access to its systems.
Another deterrent is the LastPass hack in 2022. During this incident, malicious actors installed a keylogger on an employee’s home computer and stole their master password. From then on, hackers could go on and steal sensitive customer data of various users.
How safe is it to use variations of a strong password?
Reusing any password, weak or strong, is a security risk. As such, using slightly edited versions of a strong password can seem like a workaround. Unfortunately, while this method may slow down cybercriminals, it doesn’t stop them.
For example, adding an extra number, capital letter, or special character to one strong password may seem like a good idea. However, a hacker can use specified software to check for minor variations once they know the original password.
A mask attack is a similar, yet more dangerous, password-stealing method. With this approach, hackers can fill the gaps if they have just bits and pieces of a strong password.
How to protect yourself from password hacking
Cybercriminals don’t rest, and you can never know what information they’re after. Fortunately, you don’t have to because there are numerous ways to avoid password hacking and protect yourself:
- Creating and applying unique and nonsensical passwords is a no-brainer. Using at least 12 characters, both lower- and uppercase, as well as numbers and special characters, is a must. Above all, use different complex passwords for all accounts.
- A password spreadsheet is well worth creating to save yourself from the headache of having to remember numerous complex passwords. Moreover, a keylogger won’t be able to interpret copying and pasting since you’re not typing your credentials.
- You should also encourage everyone in your vicinity, like family and coworkers, to start paying attention to password hygiene. If you’re a business manager, consider enforcing the use of unique passwords. It’s also worth conducting pen tests – fake cyberattacks – to reveal who requires additional training in cybersecurity.
- Another brick in your cybersecurity walls is two-factor authentication. Most websites support at least SMS verification, but a handier alternative is to use an authenticator app.
- Use a password manager.
Password manager: the essential password security tool
A password manager like Keeper makes it a cakewalk to create and store randomized passwords. This software not only stores credentials but also other types of sensitive data in its vaults that use military-grade encryption.
Furthermore, Keeper is also a valuable tool for monitoring the dark web to check for stolen credentials. Another advantage is that not even the company has access to your vault, considering it follows a strict no-logs policy.
Generator
Security audit
Policies
While it may sound scary to recognize how much security you need to navigate online without fear, it’s the other way around. Following best practices can quickly become second nature, leading to worry-free browsing in the long run.
István F.
Adam B.
User feedback