
84% of people admit to password re-use

Studies by multiple cyber security organisations have revealed worrying figures around the practice of password re-use in businesses, despite regular education, advice, and examples where the re-use of passwords has led to huge data breaches.

Studies found that users of both corporate and personal online services continue to use the same passwords across multiple services.

The re-use of passwords across multiple devices or accounts is a significant cause of many compromises and data breaches, yet sadly the issue, despite regular advice, isn’t being taken seriously by end users.

Research by Microsoft found that 44 million users of their products had been re-using passwords in the 3 months prior to the study. Meanwhile, a survey by LastPass found that 69% of workers were using a variation of a single password (usually adding a number or changing a letter to a similar-looking number or special character).

With Verizon’s 2023 Data Breach report stating that 80% of data breaches come from lost/stolen passwords, the evidence is clear to see: password re-use is a major cause of compromised accounts and services.

So why is it still so common? Well, today, people face an increasing burden of having to recall numerous passwords. Even in a working capacity, people use multiple websites and apps to do their work, and then there’s the personal side of things like Netflix, social media, emails and all those cheap holiday deal websites you’ve signed up to. It’s usually when we forget a password that the reset password is one that has been used elsewhere for ease of access.

On average, organisations utilise 130 SaaS (Software-as-a-service) applications, and this adoption rate is continuously on the rise. Bitwarden's assessment suggests that a significant 68% of internet users are tasked with remembering more than 10 passwords, and within that group, 84% acknowledge resorting to password reuse.

It’s a case of human nature: people can only remember so much, and it’s obviously easier to use a password (or a variation of one) that they can already easily remember. There’s also a correlation between age and password reuse: the older the generation, the more common reuse is, with “baby boomers” (born between 1946-1964) being least savvy with password use and with remembering unique combinations of credentials.

Generation Z (born 1990-early 2000s) are the most password security capable and conscious, but as society continues to remain in work longer, the risk to organisations is therefore plain to see.

However, with tools available that remove the need to rely on memory, it is a mystery that the number of people still reusing passwords isn’t falling.

Password managers are free, Multi-Factor Authentication is widely available, and with biometric login (fingerprint and facial recognition) now more available, the need for passwords could potentially begin to dwindle.

Some vendors are even developing “passwordless” systems, but this roll-out is likely to take considerable time to be fully embraced by the majority of vendors and then, in turn, their users.

Organisations are advised to roll out regular password audits, paying particular attention to systems where passwords never expire.

Staff education, enforced regular password changes, and the use of password managers or authentication via pass cards should also be considered, along with enforced use of multi-factor authentication where applicable.

There are also services available now that will audit passwords using automation and can be set to block any passwords that appear on regular breach lists or are amongst those most commonly used.
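As an added illustration (not code from EMCRC or from any of the services mentioned), the sketch below shows how such an automated check can catch the "variation of a single password" habit described earlier: it folds look-alike characters and trailing digits or symbols back to a base word before comparing against a blocklist. The substitution table, the sample blocklist and all function names are assumptions made for this example.

```python
import re

# Look-alike swaps folded to one canonical letter (constructed, not exhaustive).
LOOKALIKES = str.maketrans({
    "0": "o", "1": "i", "l": "i", "!": "i", "|": "i", "3": "e",
    "4": "a", "@": "a", "5": "s", "$": "s", "7": "t",
})

# Constructed sample; a real audit would load a breach or common-password list.
SAMPLE_BLOCKLIST = ["password", "letmein", "qwerty", "liverpool", "sunshine"]


def canonical(text):
    """Lower-case and undo look-alike swaps, e.g. 'P@ssw0rd' -> 'password'."""
    return text.lower().translate(LOOKALIKES)


def base_forms(password):
    """Canonical forms of a password, with and without its trailing digits/symbols."""
    stripped = re.sub(r"[\d\W_]+$", "", password)
    return {canonical(password), canonical(stripped)} - {""}


def blocklist_match(password, blocklist):
    """Return the blocklisted word this password is a variation of, or None."""
    index = {canonical(word): word for word in blocklist}
    for form in base_forms(password):
        if form in index:
            return index[form]
    return None


def is_variation(new_password, old_password):
    """True when two passwords share a base word, i.e. the 'change' is cosmetic."""
    return bool(base_forms(new_password) & base_forms(old_password))


if __name__ == "__main__":
    for candidate in ["P@$$w0rd123", "Sunsh1ne!", "l3tm31n", "orbit-canyon-velvet-trout"]:
        print(candidate, "->", blocklist_match(candidate, SAMPLE_BLOCKLIST))
    print(is_variation("Liverpool2023", "L1verpool2024!"))
```

A check like `is_variation` only works at password-change time, when the user supplies both the current and the new password; stored passwords should be hashed and cannot be compared this way.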



Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).



The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.


EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.
