We’re all still using the same passwords, even after they’ve been breached

Passwords are a problem that big tech is trying to fix but they are still essential for accessing pretty much anything online. And even now people aren’t changing them after a breach and then still use the same password to access multiple sites. 

SpyCloud, a security firm, highlights in a new report how people are struggling with passwords for multiple online accounts. Based on 1.7 billion username and password combinations it gathered from the 755 leaked sources in 2021, it estimates that 64% of people used the same password exposed in one breach for other accounts. 

Reused passwords are a potential security problem because if a password has been compromised once then hackers can use it to access other accounts if it’s been used as the sign-in for another site. 

SEE: Cybersecurity: Let’s get tactical (ZDNet special report)

People also continue to pick bad passwords. This habit is common, with the leading examples remaining “123456”, “qwerty”, “admin”, and “password”. 

SpyCloud, which focused on reused passwords, found an uptick in passwords based on content from online streaming services such as Netflix and Disney+. The top ‘pop culture’ password was Loki, followed by Falcon and Wanda.       

Of the passwords it scooped up in publicly available breaches from 2021 and earlier, 64% were used for multiple sites today. 

SpyCloud’s definition for password ‘reuse’ is a bit fuzzy and only shows likely trends. For example, it counts reuse samples as credentials it collected in a leak at one point in time that were observed in subsequent leaks it had access to. That doesn’t mean that people were necessarily using the same password at a given point; only that the same password combination was observed in data breaches it had access to over a given period.    

“For users we can tie to breach exposures in 2021 and prior years with the same email address or username explored, 70% were still reusing the same exposed passwords,” it notes. 

While the statistics are imprecise, the company does point out a trend that many people would be familiar with. That is that people have so many online accounts that they can’t remember good passwords and most people are not using password managers for Windows, macOS and Android. Apple’s built-in password manager is KeyChain, but third-party apps for Windows, macOS and mobile devices include LastPass and Dashlane.   

Arguably the single best answer to securing a computer when a password has been compromised is to use multi-factor authentication (MFA). It means a remote attacker needs physical access to a second factor, such as the legitimate user’s smartphone. 

But even Windows-maker Microsoft has found that only 22% of enterprise customers that can implement MFA actually do it. That’s despite Microsoft sharing that 99% of compromised Microsoft accounts didn’t have MFA enabled. 

And for anyone who might be perplexed by passwords, it should be remembered that even top engineers at Microsoft struggle with what it admits is a human problem. Only three years ago, Microsoft dropped its Windows policy for passwords to be changed every 60 days. That’s because when we change passwords, too often we only make a small and predictable alteration to the existing passwords – or forget the new ones.