
Affiliate links present.

Password Managers — Guide

Password reuse — why one weak link exposes everything

What makes this confusing

Password reuse is the most common and most consequential password security failure. Surveys consistently show that the majority of people reuse the same password across multiple accounts. The security problem is not that any individual account is weak — it is that accounts are linked. When a low-security site is breached and passwords are exposed, every other account using that password becomes vulnerable without any of those accounts being directly breached.

The mechanism is credential stuffing: automated systems replay breached username/password pairs against hundreds of services at once. If the password you used on a gaming forum that later gets breached is the same one you use for your email, the attack doesn't target your email directly: it simply tries the forum's leaked pair against your email provider's login page.

Password managers exist specifically to solve this problem. The reason to use one isn't that your current passwords are weak — it's that uniqueness at scale is impossible to maintain manually.

What people usually assume

The assumption 'I only reuse passwords on unimportant accounts' misunderstands how credential stuffing works. The value of a reused password is not determined by the service where it was first created. It is determined by all the services it unlocks. A password reused on a forum and an email account makes the email account vulnerable to any breach of the forum, regardless of the forum's importance.

A second assumption is 'I vary my passwords slightly — I add a number at the end for different sites.' Password cracking dictionaries and rule sets include exactly these variations. Automated tools take a base password and test numerical suffixes, common character substitutions, and the site's name appended or prepended as standard mangling rules. Minor variations don't provide meaningful protection once a leaked password is being tried with those rules applied.
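The rule-based variation described above, as an added example that is not code from the original page or from any password manager: starting from one leaked password, it generates the depth-1 mangling set (digit bumps, leet substitutions, site-name prefix/suffix, symbol and number suffixes, case flips) and checks which of a person's "slightly varied" passwords on other sites fall inside it. The leaked password, the other-site passwords and the domain names are constructed for the example; the rule list is a representative subset, not any specific tool's rule file.

```python
import re

# Constructed sample data (hypothetical): one password leaked from a forum breach,
# and the "slightly varied" passwords the same person uses on other sites.
LEAKED_BASE = "Summer2019!"
OTHER_SITES = {
    "gmail.com": "Summer2019!gmail",        # site name appended
    "bank.example": "Summer2020!",          # year bumped
    "work.example": "5ummer2019!",          # one leet substitution
    "forum.example": "Summer2019!",         # the leaked password itself
    "unique.example": "x7Q!mLp2#vWz9Rt&",   # generated, unrelated
}

LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}
SYMBOLS = ["!", "?", "#", "!!", "123"]


def digit_bumps(pw, span=5):
    """Replace each run of digits with nearby values (2019 -> 2014..2024), keeping width."""
    out = set()
    for m in re.finditer(r"\d+", pw):
        n, width = int(m.group()), len(m.group())
        for k in range(-span, span + 1):
            if k and n + k >= 0:
                out.add(pw[:m.start()] + str(n + k).zfill(width) + pw[m.end():])
    return out


def leet_variants(pw):
    """Every single-character leet substitution, plus the all-at-once form."""
    out = {"".join(LEET.get(c.lower(), c) for c in pw)}
    for i, c in enumerate(pw):
        if c.lower() in LEET:
            out.add(pw[:i] + LEET[c.lower()] + pw[i + 1:])
    return out


def site_variants(pw, site):
    """Prepend/append the site's first DNS label in a few casings, with or without a separator."""
    label = site.split(".")[0]
    out = set()
    for form in (label, label.capitalize(), label.upper()):
        for sep in ("", "_", "-", "."):
            out.add(pw + sep + form)
            out.add(form + sep + pw)
    return out


def suffix_variants(pw):
    """Append symbols or 0-99 to the password and to its digit/symbol-stripped stem."""
    stem = pw.rstrip("0123456789!@#$%^&*?")
    out = set()
    for base in {pw, stem}:
        for s in SYMBOLS + [str(n) for n in range(100)]:
            out.add(base + s)
    return out


def candidates(base, site):
    """Depth-1 mangling of `base` for one target site, plus case variants of everything."""
    cands = ({base} | digit_bumps(base) | leet_variants(base)
             | site_variants(base, site) | suffix_variants(base))
    return cands | {c.lower() for c in cands} | {c.upper() for c in cands}


def stuffing_hits(leaked, targets):
    """Sites whose password is reachable from `leaked` by a single mangling rule."""
    return {site: pw for site, pw in targets.items() if pw in candidates(leaked, site)}


if __name__ == "__main__":
    for site in stuffing_hits(LEAKED_BASE, OTHER_SITES):
        print(f"{site:16} reachable from the leaked password")
```

Four of the five accounts are reachable with one rule applied; only the randomly generated password is not. Real rule sets (hashcat rule files, for instance) chain several rules, so the reachable set is larger than this depth-1 version shows, which is the point: a variation a human can remember is a variation a rule can generate.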

A third assumption is 'I would know if my account was accessed from a reused password.' Most credential stuffing is designed to look like normal traffic. Successful logins from new devices or locations may trigger security alerts on some services, but many services do not alert on this. Account takeover is frequently discovered only when visible damage — password changes, fraudulent transactions, email forwarding rules — has already occurred.

What's actually true

The scale of credential stuffing attacks makes reuse a quantifiable rather than theoretical risk. Have I Been Pwned tracks over 12 billion exposed accounts across thousands of known breaches, and any email address that has been in use for a few years has very likely appeared in at least one. The credential sets from these breaches are tested automatically against major services. That automation means the risk applies as soon as breach data circulates, not only in attacks aimed at you specifically.

The solution is uniqueness, not strength. A unique password on every account means that a breach on any one service exposes only that service. The password does not need to be memorisable — a password manager generates and stores a random credential for each account. The only password requiring memorisation is the manager's master password.

Vault health reports — available in Bitwarden, Dashlane, and others — identify reused passwords across all vault entries. This is the fastest path from 'I have a reuse problem' to 'I know specifically which accounts to fix.' Prioritise: email accounts (the recovery channel for everything else), then banking and financial services, then work systems. Those first; the rest can follow.
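What such a report computes, as an added example that is not Bitwarden's, Dashlane's or the page's own code: group vault entries by password, keep the groups with more than one member, order them by the tier of the most important account they contain (email, financial, work, other) and then by how many accounts share the password, and flag whether the username is shared too, since an identical username/password pair logs straight into the other sites whereas a per-site alias at least breaks the pair. The vault entries, folder names and domains are constructed; the `folder` field standing in for the account category is an assumption about how a vault is organised, not any product's export format.

```python
import hashlib
from collections import defaultdict

# Constructed vault export (hypothetical data). Folder names stand in for the
# account category a user would assign; real exports differ in shape.
VAULT = [
    {"name": "Gmail", "domain": "mail.google.com", "folder": "Email",
     "username": "alex@gmail.com", "password": "Summer2019!"},
    {"name": "Bank", "domain": "bank.example", "folder": "Finance",
     "username": "alex@gmail.com", "password": "Summer2019!"},
    {"name": "Gaming forum", "domain": "forum.example", "folder": None,
     "username": "alex@gmail.com", "password": "Summer2019!"},
    {"name": "Work SSO", "domain": "sso.corp.example", "folder": "Work",
     "username": "alex", "password": "Winter2021#"},
    {"name": "Recipe site", "domain": "recipes.example", "folder": None,
     "username": "kq7x@alias.example", "password": "Winter2021#"},
    {"name": "Shop", "domain": "shop.example", "folder": None,
     "username": "alex@gmail.com", "password": "x7Q!mLp2#vWz9Rt&"},
]

# Rotation priority from the guide: email first, financial second, work third, the rest last.
TIER_RANK = {"Email": 0, "Finance": 1, "Work": 2}


def tier(entry):
    return TIER_RANK.get(entry.get("folder"), 3)


def fingerprint(password):
    """Stable label for a password so the report never echoes the password itself."""
    return hashlib.sha256(password.encode()).hexdigest()[:12]


def reuse_report(vault):
    """Groups of entries sharing a password, most urgent group first."""
    groups = defaultdict(list)
    for entry in vault:
        groups[entry["password"]].append(entry)
    report = []
    for pw, entries in groups.items():
        if len(entries) < 2:
            continue
        entries = sorted(entries, key=lambda e: (tier(e), e["name"]))
        usernames = {e["username"] for e in entries}
        report.append({
            "fingerprint": fingerprint(pw),
            "count": len(entries),
            # Same username and same password: a pair leaked from any one of these
            # sites logs straight into the others. Distinct usernames (per-site
            # aliases) still share the password but the leaked pair does not match as-is.
            "shared_username": len(usernames) < len(entries),
            "entries": entries,
        })
    report.sort(key=lambda g: (tier(g["entries"][0]), -g["count"]))
    return report


def rotation_order(vault):
    """Entry names in the order their passwords should be changed."""
    return [e["name"] for g in reuse_report(vault) for e in g["entries"]]


if __name__ == "__main__":
    for g in reuse_report(VAULT):
        flag = "username shared" if g["shared_username"] else "usernames differ"
        print(f"password {g['fingerprint']} used {g['count']}x ({flag}):",
              ", ".join(e["name"] for e in g["entries"]))
    print("rotate in this order:", rotation_order(VAULT))
```

The first group contains the email account, so it outranks the second even though both are reuse; within it the email entry comes first because a new password there protects the recovery path for everything else. The unique Shop password never appears in the output. The fingerprint is a truncated SHA-256 purely so that the report can be pasted somewhere without leaking the password; it is not a secure hash of it and should not be treated as one.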

Where this leads


If you want to identify which of your accounts currently share passwords — Bitwarden's vault health reports (Premium) and Dashlane's password health dashboard both surface reused passwords across all vault entries, prioritised by the number of accounts sharing each password.

Bitwarden's vault health reports for reuse detection

If you are starting fresh after a period of reuse and want to understand which accounts to change first — the breach response guide covers priority ordering: email first, financial accounts second, work systems third.

How to prioritise credential rotation after reuse exposure

If email aliases interest you as a complementary defence — using a unique email address per service means the username/password pair leaked from one service does not match the login on any other, so replaying it elsewhere fails even before the password is considered, and a compromised alias can be disabled without affecting your primary email identity.

Email aliases — the complementary layer for reuse protection

Limits of this guide

Unique passwords address credential stuffing and reuse exposure. They do not address phishing — an attacker who captures credentials on a fake login page gets working credentials regardless of whether they are unique. Two-factor authentication provides an additional layer that unique passwords alone do not, and its phishing-resistant forms (hardware security keys, passkeys) are the ones that hold up against a fake page rather than a one-time code that can be relayed.
