New study shows the average online user recycles their passwords at least 4X

Your password is the only thing that keeps you protected from a cyberattack. It protects your streaming services, your online banking and social media accounts and just about every other facet of your vast online life. But your personal information may not be as secure as you think.

We’ve all been warned the overused “1234” and “qwerty” won’t cut it anymore. Using your pet’s name is no good, either. Still, many of us continue to make mistakes when creating our online credentials.

Passwords have become a coveted set of keys to our virtual kingdoms, and using an easy-to-crack, simple password has become the equivalent of hiding your house keys under the rug. It’s a security faux pas, exposing yourself and your information to anybody who can find it.

While large-scale cyber attacks are becoming increasingly common and hackers’ methods have evolved, some of our questionable habits in making passwords have not kept up.

Half a century ago, Fernando J. Corbató had an idea: the password.

Corbató, who recently passed away, invented the password back in the ‘60s simply to protect his computer so others wouldn’t rummage through his files. Password-protected accounts also had a four-hour limit, which served as a way to keep people from using the computer too much.

He commented later in life on how the Internet had made passwords “kind of a nightmare.”

Anyone who has sat behind their screen, struggling to remember one of their passwords or create one “complex” enough to proceed would probably agree.

The average online user is putting their personal information at risk in more ways than one, according to a recent study by Security.org about password strategies and security habits.



Now, almost every website we use requires login and password credentials. Remembering them all can be a headache, and this can make it tempting to reuse a password across several different sites.

It’s an unsafe strategy, but it’s a common one. 72% of consumers admit to recycling passwords, up to four times each.



Cybercriminals are now able to utilize algorithms to guess and try thousands of possible combinations within seconds, yet 68% of people only slightly tweak an old password, leaving them vulnerable to an attack.

We tend to think of millennials as the most tech savvy generation, but they’re the most likely to reuse passwords.

And only 44% of them are using “moderately complicated” passwords, meaning their credentials register as more difficult to guess by using a series of special characters and uppercase letters.

Recycling a password can make a hacker’s job even easier. If a password has been leaked or guessed before, a cybercriminal can simply use that same password to gain access to the user’s other accounts.

While it may seem unlikely that your information has been compromised due to a data breach, devastating leaks occur more often than you may think. Twenty-nine percent of users believe someone has logged into their account without their permission.

Data breaches happen every day, all over the world. More than 3 billion credentials spilled in 2016 alone. These leaks make headlines frequently, yet 30% of people don’t even know their information has been compromised.

As a result, a new need has arisen. Sites like “have you been pwned?” have been created, allowing users to enter any of their passwords. The site checks whether your credentials are publicly available on the dark web due to a breach. Perhaps unsurprisingly, many weak passwords show up as leaked.

The site was created by Troy Hunt after he discovered the largest data breach of all time.

The breach was dubbed Collection #1, which was the name of a database of sets of email addresses and passwords that appeared on the dark web around January 2019.


Around 140 million email addresses were released, along with additional email addresses and passwords from 2,000 other recorded data breaches.

These passwords were available at no cost to hackers, resulting in 773 million personal records being leaked. Many people affected by the monster breach still do not know their information was released.

If you’ve ever received a security alert that your account was accessed somewhere far away or noticed a fraudulent charge that you didn’t make, you know the accompanying feeling of panic and devastation that ensues.

Those affected by breaches are also at risk for credential stuffing—a type of cyberattack where hackers use stolen account credentials, typically found from a breach, to gain access to other sites using the same password.

Data breaches don’t discriminate, even affecting big names like Google, Yahoo, Marriott, 7-Eleven and British Airways. The effects are devastating to both the corporations targeted and the users who were involved.

Recycling a password can also be problematic if you plan on sharing it with someone you “trust.”

It’s not uncommon to share a Netflix or Hulu password with a friend or family member, but you may be sharing more than you even realize. Sixty-three percent of users admit to recycling the same password for both entertainment sites, like streaming services, and important sites, like business and banking.

Using private information (such as your birthplace) as a password is another common mistake that leaves people vulnerable online.

Even though it can be easy to remember, personal information is commonly used and easy to hack. Still, one-third of people use their pet’s name, 27% use their birth year and 18% even use their first name.

Much of this information could be found online with a simple Google search, making these passwords open season for hackers.

Hackers frequently use “password spraying,” where they attempt to gain access to a large number of accounts by guessing commonly used passwords. Oftentimes, these attacks are executed without sounding any sort of security alerts to the user.
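Why spraying tends to stay quiet, shown as an added example (not from the article or the Security.org study): a per-account failure counter never trips because each account sees only one or two bad guesses, while counting distinct accounts per source does. The log format, IP addresses, account names and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp source_ip account result". Not real data.
SAMPLE_LOG = """\
2024-05-01T09:00:05 198.51.100.7 alice FAIL
2024-05-01T09:02:11 198.51.100.7 bob FAIL
2024-05-01T09:04:40 198.51.100.7 carol FAIL
2024-05-01T09:05:02 203.0.113.20 dave FAIL
2024-05-01T09:06:01 203.0.113.20 dave OK
2024-05-01T09:07:13 198.51.100.7 dave FAIL
2024-05-01T09:09:48 198.51.100.7 erin FAIL
2024-05-01T09:12:20 198.51.100.7 frank FAIL
2024-05-01T09:20:00 203.0.113.21 grace FAIL
2024-05-01T09:20:09 203.0.113.21 grace FAIL
2024-05-01T09:20:21 203.0.113.21 grace FAIL
"""

def parse_log(text):
    """Return sorted (time, source_ip, account, succeeded) tuples; skip lines without four fields."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3] in ("OK", "FAIL"):
            events.append((datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3] == "OK"))
    return sorted(events)

def lockout_alerts(events, max_failures=3):
    """Per-account view: accounts with at least max_failures failed logins."""
    failures = defaultdict(int)
    for _, _, account, ok in events:
        if not ok:
            failures[account] += 1
    return {a for a, n in failures.items() if n >= max_failures}

def spray_alerts(events, window=timedelta(minutes=30), min_accounts=5):
    """Per-source view: sources that fail against many distinct accounts in one window."""
    by_source = defaultdict(list)
    for ts, ip, account, ok in events:
        if not ok:
            by_source[ip].append((ts, account))
    alerts = {}
    for ip, fails in by_source.items():
        for start, _ in fails:  # try each failure as the start of a window
            hit = {a for ts, a in fails if start <= ts <= start + window}
            if len(hit) >= min_accounts:
                alerts[ip] = sorted(hit)
                break
    return alerts
```

On the sample, the per-account counter flags only `grace` (a user mistyping their own password), while the per-source check flags `198.51.100.7`, which touched six accounts once each.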


Password manager applications like LastPass and Dashlane attempt to combat our poor memories, but only 27% of people actually use them. Even Firefox is planning on releasing its own password generator, which would help users create highly secure passwords.

Some users still prefer old-school methods of storage; twenty-six percent of users store their passwords in notebooks.



The majority of users, especially millennials, tend to rely on their own memory to store passwords, even though 54% of people admit to forgetting them.

Many sites have different requirements for creating a password, like using a mix of uppercase, special characters and numbers. This undoubtedly makes our accounts more secure, but can be problematic when it comes to remembering those credentials.

Many of us anxiously await transitioning into a “passwordless” future; Microsoft recently announced plans to begin to phase them out of their new software. Apple has begun to phase out passcodes on their devices, instead turning to face recognition software. Many businesses are abandoning their policy of routine, forced password changes.

We live so much of our lives online, and each working part seems to be guarded by a password. Phasing out passwords entirely will take time, and security in the meantime is still important.

Until then, it’s important to keep our passwords secure and strong so that our credentials and accounts remain just that: ours.
