Password reuse
The practice of using the same password — or near-identical variants — across multiple services, turning any single breach into a multi-account compromise via credential stuffing.
Password reuse is the practice of using the same password — or a trivially-modified variant (Summer2024! → Summer2025!) — across multiple services. It is, behaviorally, the single most damaging habit a workforce carries from personal life into enterprise systems, because it turns any third-party breach into a key that fits other locks.
Have I Been Pwned, the breach-aggregation service operated by Troy Hunt, lists more than 13 billion exposed credentials across thousands of public breaches as of 2025. Hunt’s Pwned Passwords dataset — the corpus enterprise password-strength APIs check against — exceeds 850 million unique hashes. Independent academic studies consistently find that 50-70% of users reuse passwords across personal and work accounts (Pearman et al., Carnegie Mellon, 2017; Wash et al., 2016; subsequent industry surveys converge on similar ranges). The Verizon DBIR has reported for years that the use of stolen credentials is among the top two attacker entry vectors.
Why password reuse is the gift that keeps giving for attackers:
- Breach corpora are public. Lists from LinkedIn 2012, Yahoo 2013-2014, Collection #1 (2019), the 2024 “Mother of All Breaches” (26 billion records compiled) — all are freely traded and queryable.
- Reuse is hard to self-detect. Users routinely underestimate their own reuse rate; password managers report the true number when audited.
- Variation is not protection. Attackers run mangling rules (append year, increment digit, capitalize) against breach lists, so Acme2024! falls to the same dictionary as Acme2025!.
- It defeats password-only sign-in entirely. The only structural fixes are removing passwords from the critical path — SSO, MFA, and ultimately FIDO2 / passkeys — or pairing strong password policy with real-time breach-corpus checking.
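The real-time breach-corpus check that the last point calls for, as an added Python example (not code from this page or from Have I Been Pwned): it mirrors the Pwned Passwords k-anonymity range lookup (the client sends only the first five hex characters of the uppercase SHA-1 and compares suffixes locally) against a constructed in-memory corpus that stands in for the HTTPS endpoint, and it also checks the de-mangled base word so that Summer2025! is caught when summer is already known. The corpus contents and counts are constructed sample data.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample corpus (plaintext -> times seen). Stands in for the
# Pwned Passwords dataset, which itself ships only SHA-1 hashes with counts.
SAMPLE_BREACH_CORPUS = {
    "Summer2024!": 312,
    "summer": 48000,
    "password": 9001,
}

def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1, the form the Pwned Passwords API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_range_index(corpus: dict) -> dict:
    """Group hashes by 5-hex-char prefix, like the /range/{prefix} endpoint."""
    index = defaultdict(list)
    for pw, count in corpus.items():
        digest = sha1_upper(pw)
        index[digest[:5]].append((digest[5:], count))
    return index

RANGE_INDEX = build_range_index(SAMPLE_BREACH_CORPUS)

def range_lookup(prefix: str) -> str:
    """Offline stand-in for the network call: 'SUFFIX:COUNT' lines for a prefix."""
    return "\n".join(f"{s}:{c}" for s, c in RANGE_INDEX.get(prefix, []))

def pwned_count(password: str, lookup=range_lookup) -> int:
    """k-anonymity check: only the 5-char prefix leaves the client."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        found_suffix, count = line.split(":")
        if found_suffix == suffix:
            return int(count)
    return 0

def canonical(password: str) -> str:
    """Undo the cheap mangles: case, trailing year/digits/symbols."""
    return re.sub(r"[\d!@#$%^&*._-]+$", "", password.casefold())

def reject_reason(password: str):
    """Policy check: exact breach hit first, then the de-mangled base word."""
    if pwned_count(password):
        return "exact match in breach corpus"
    base = canonical(password)
    if base and pwned_count(base):
        return "trivial variant of a breached password"
    return None  # passes the breach-corpus policy
```

In production, `range_lookup` would issue the HTTPS GET to the Pwned Passwords range endpoint; the rest of the logic is unchanged.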
Password reuse is the precondition that makes credential stuffing economically rational at scale. Eliminating reuse inside the org doesn’t eliminate the risk — employees still reuse credentials on personal accounts that share a password with work — which is why behavior monitoring at the sign-in layer matters as much as policy.
Related terms
- Credential stuffing: An automated attack that replays username/password pairs leaked in third-party breaches against unrelated services, exploiting password reuse to take over accounts at scale.
- Multi-factor authentication (MFA): An authentication scheme that requires two or more independent factors — something you know, have, or are — to verify a user, raising the cost of credential theft.
- Single Sign-On (SSO): An authentication architecture where one identity provider issues tokens that grant access to many downstream applications, reducing credential surface but concentrating blast radius.
- FIDO2 / Passkeys: Open authentication standards using device-bound asymmetric cryptography to deliver phishing-resistant sign-in — the practical answer to MFA fatigue and adversary-in-the-middle phishing.
- Phishing: A social-engineering attack that impersonates a trusted entity to trick a person into surrendering credentials, money, or access — by email, SMS, voice, QR code, or OAuth consent.