Identical Passwords

A study by Microsoft, published in 2007, analyzed the use of passwords on websites over a period of three months. It revealed that users used the same password on an average of four different websites.

In 2011, Joseph Bonneau, a researcher from the University of Cambridge, analyzed a list of passwords that were stolen from the two websites rootkit.com and gawker.com. The analysis revealed that of a total of 456 email addresses that were used on both websites, at least 31% also used the same password for both sites. Even some of those who used different passwords still used very similar ones (e.g. "password1" and "password2").

How hackers crack passwords

Phishing

The user receives, for example, an email containing a link. The text in the email says he needs to click on that link and log in. The link leads to a fake website, and the attacker saves whatever the user enters there.

Malware

Malware records, for example, all keystrokes and visited websites, or regularly takes screenshots on the user's computer. Once the malware has gathered some information, it sends it to the hacker.

Social Engineering

The attacker interacts directly with the user (e.g. by telephone) and tries to get confidential information (e.g. the Wi-Fi password).

Dictionary Attacks

The attacker goes through a large list of words that are often used as passwords or are put together to create passwords.

Brute Force Attacks

The attacker tries every possible combination of characters until he finds the right password. You can find further information about this method of attack here.

Identical passwords are a security risk

You need two things to log in on a website: a username and a password. In most cases the username is an email address and, leaving different email accounts aside, it's usually the same email address everywhere (e.g. for Facebook, Twitter, Amazon, eBay, etc.).

Once an attacker has a username and its password, he can try them on other sites as well. A password that's used on multiple websites raises the attacker's chances of success considerably and represents a high security risk.

Ideally, mass media or the affected websites inform you about large-scale password thefts. But not every hacking victim is lucky enough to learn that his password was cracked. In such cases the hacker has enough time to search for the victim's other accounts and access them with the already known password.

Conclusion: Never use the same password for different accounts. Create an individual and strong password for each account. You can use the integrated password generator of Password Depot to do this.
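To check your own accounts against this rule, the following added example (not part of the original article) audits a list of site/password pairs for identical passwords and for near-identical ones such as "password1" and "password2". The site names and passwords are constructed sample data, and the threshold of two edits for "very similar" is an assumption.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample: (site, password) pairs as exported from one's own
# password manager. All values are made up for this example.
SAMPLE_VAULT = [
    ("shop.example", "password1"),
    ("mail.example", "password2"),
    ("forum.example", "Tr0ub4dor&3"),
    ("bank.example", "Tr0ub4dor&3"),
    ("news.example", "kX9#vLq2!mZp"),
]

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def find_identical(vault):
    """Return {password: [sites]} for every password used on 2+ sites."""
    sites = defaultdict(list)
    for site, pw in vault:
        sites[pw].append(site)
    return {pw: s for pw, s in sites.items() if len(s) > 1}

def find_similar(vault, max_distance=2):
    """Return site pairs whose passwords differ, but only by a few edits."""
    pairs = []
    for (s1, p1), (s2, p2) in combinations(vault, 2):
        if p1 == p2:
            continue  # exact reuse is reported by find_identical()
        # Compare case-insensitively so "Password1" / "password2" still match.
        d = edit_distance(p1.lower(), p2.lower())
        # Skip very short passwords, where any two strings are "close".
        if d <= max_distance and min(len(p1), len(p2)) > 2 * max_distance:
            pairs.append((s1, s2, d))
    return pairs

if __name__ == "__main__":
    for pw, used_on in find_identical(SAMPLE_VAULT).items():
        print(f"identical password on: {', '.join(used_on)}")
    for s1, s2, d in find_similar(SAMPLE_VAULT):
        print(f"similar passwords ({d} edit(s) apart): {s1} and {s2}")
```

Every account the audit flags should get its own newly generated password.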