A new report has warned that around 60% of people may be putting themselves at risk by reusing passwords online.
This is based on research from cybersecurity company SpyCloud, which recovered around 4.6 billion pieces of personally identifiable information, including names, addresses, birthdates, job titles, social media URLs and nearly 1.3 billion phone numbers, along with close to 1.5 billion stolen account credentials in 2020.
Account credentials include email addresses or usernames connected to plaintext passwords. Of the users who had more than one password stolen last year, SpyCloud found that 60% of the credentials were reused across multiple accounts.
Reusing passwords makes the user more vulnerable to password spraying attacks and at increased risk of account takeovers.
The data came from 854 breaches, a 33% rise compared to 2019. The average breach in 2020 contained just under 5.5 million records.
SpyCloud warned that the password reuse rate was unchanged from 2019.
In addition, the company analysed the number of times an email address appears across breaches and estimated that the average person, if exposed once, will be included in 8-10 other breaches, and 3-4 of those could be within a given year.
“These staggering numbers indicate a continued threat for account takeovers, identity theft and fraud at a time when people have been spending more time online during the Covid-19 pandemic,” said SpyCloud Co-founder and Chief Product Officer David Endler.
“Criminals didn’t stop for the coronavirus. In fact, attackers have been able to use the disruption of the pandemic to their advantage.”
SpyCloud warned that cybercriminals can use as few as one or two pieces of personal information to compromise a person’s identity. This could allow them to access and drain a victim’s bank account.
As cybercriminals increasingly leverage AI in their cyberattacks, reusing passwords is even more dangerous. AI can help increase the scale of attacks, analysing hundreds of millions of passwords to find trends and common variations. As such, common password variations, such as adding numbers or special characters to the end, can be quickly discovered and used.
In addition, AI can be used to help attackers discover where users may be reusing passwords and then perform brute force attacks with greater speed and precision than a person could.
SpyCloud warned that storing passwords as plaintext, or using outdated hashing algorithms, is putting victims of data breaches in unnecessary danger.
However, even strong hashing systems cannot compensate for using weak or common password choices.
“People have no control over whether a website uses a weak or strong hashing algorithm, and rarely do websites publicise that information,” Endler said. “As smart consumers, we need to take personal responsibility for setting strong, unique and complex passwords to protect ourselves because, as the data shows, we can’t expect websites and companies to do it for us.”
The report also found several common mistakes. The most common passwords were “123456,” followed by “123456789” and “12345678.” “Password” and “111111” showed up more than 1.2 million times each.
Also, passwords frequently reflected current events. More than 1.6 million passwords included “2020.” Another 107,595 included “corona,” “virus” or “coronavirus.” Thousands more were found using “Trump,” “Biden,” “BLM,” “vote” and “mask.”
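The two defensive points the report makes, that trivial variations of common passwords (a number or symbol tacked on the end) are as good as the base password itself, and that plaintext or unsalted legacy hashing exposes users when a breach happens, can both be shown in code. The following is an added example written for this page, not SpyCloud's tooling or any code from the report. The denylist is constructed from the passwords and terms the article names; the `scrypt` parameters, the `evaluate_password` verdict format and the hypothetical `legacy_unsalted_md5` function (included only to contrast deterministic unsalted hashing with salted key derivation) are the example's own choices.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, Optional, Tuple

# Constructed denylist: the most common passwords the article reports.
COMMON_PASSWORDS = {"123456", "123456789", "12345678", "password", "111111"}

# Constructed list of the current-event terms the article says appeared often.
TOPICAL_TERMS = {"2020", "corona", "virus", "coronavirus"}

# Characters commonly appended to a base password: digits and punctuation.
_DECORATION = re.compile(r"[0-9!@#$%^&*()_+\-=\[\]{};:'\",.<>/?`~|\\ ]+")

# scrypt work factors chosen for this example (about 16 MiB of memory per hash).
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2 ** 14, 8, 1, 32


def common_base(password: str) -> Optional[str]:
    """Return the denylisted base password if `password` is that base
    with only digits/punctuation appended (e.g. 'Password2020!'), else None."""
    p = password.lower()
    for cut in range(len(p), 0, -1):
        prefix, suffix = p[:cut], p[cut:]
        # Once the suffix contains a letter it is no longer a trivial variation,
        # and every shorter prefix would have a longer suffix, so stop.
        if suffix and not _DECORATION.fullmatch(suffix):
            break
        if prefix in COMMON_PASSWORDS:
            return prefix
    return None


def evaluate_password(password: str) -> Dict[str, object]:
    """Reject passwords that are common, trivial variants of common ones,
    or built around the topical terms the report highlights."""
    base = common_base(password)
    if base is not None:
        return {"ok": False, "reason": "variant of common password '%s'" % base}
    p = password.lower()
    for term in TOPICAL_TERMS:
        if term in p:
            return {"ok": False, "reason": "topical term '%s'" % term}
    if len(password) < 12:
        return {"ok": False, "reason": "shorter than 12 characters"}
    return {"ok": True, "reason": "accepted"}


def legacy_unsalted_md5(password: str) -> str:
    """Hypothetical legacy storage: unsalted MD5. Identical passwords produce
    identical hashes, so one cracked hash reveals every user who chose it."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, memory-hard key derivation with scrypt; returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the derivation and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    for pw in ["123456789!", "Password2020!", "summer2020", "correct horse battery staple"]:
        print("%-30s -> %s" % (pw, evaluate_password(pw)))
    # Two users with the same password: legacy hashes collide, scrypt digests do not.
    print(legacy_unsalted_md5("password") == legacy_unsalted_md5("password"))
    print(hash_password("password")[1] == hash_password("password")[1])
```

The variant check walks back from the end of the candidate, which catches the "add numbers or special characters to the end" pattern the article describes without having to enumerate every suffix; the storage side shows why a per-user random salt matters even before choosing the algorithm.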
Join the Debate: ScotSecure 2021
The evolution of cybersecurity and data protection will be key areas of discussion at the upcoming ScotSecure Cybersecurity Conference on March 24-25th.
Hear from leading experts from across the cybersecurity sector and explore the crucial issues.
Register your free place now at: https://www.scot-secure.com