Everyone knows reusing passwords is risky, yet most people keep doing it anyway. “Once you reach that state of IDGAF, life is so much better,” some Redditors say.
Every few months, a new breach makes headlines, or yet another service “confirms unusual activity.” However, until a breach affects people individually, most remain in a false sense of security.
For years, cybersecurity experts have warned that reusing passwords across multiple accounts is one of the easiest ways for attackers to gain access to your personal data. Many account takeovers and breaches could be traced back to credential reuse stemming from old leaks.
Still, that does not stop internet users from being predictable and using the same password across all of their accounts.
A 2025 NordVPN survey found that 62% of Americans admit they “often” or “always” reuse passwords. The same applies to 50% Germans and 60% Britons who say they reuse passwords.
So does that mean that password risks are underestimated by the general public? A recent Reddit discussion echoes the numbers and suggests that credential reuse might not just be misunderstood, but also normalized.
In the digital age, people still do not understand the risks
“The answer is no,” one Redditor wrote in a response to the question of whether the risks of reusing the same passwords are fully understood.
“Most users are either unaware that they're doing something unsafe or they don't care if their data is leaked or they lose their accounts.”
“Unbelievable as it may seem, people like that still exist in 2026, when almost everything is digital,” adds the Redditor.
Another commenter noted that even security professionals are not immune to the temptation of convenience, observing colleagues who protect their work accounts on one hand, but reuse credentials everywhere else.
Many users believe that accounts they “don’t care about,” such as junk email, old forums, throwaway social media profiles, are harmless if compromised.
“I see people say things like 'who cares, my email is just junk mail and why would I get targeted,' not realizing the value of an aged account of any kind and that a lot of account takeovers are automated with huge dump lists,” explains the commentator.
One Redditor argued that forced multi-factor authentication can also create a false sense of safety, leading users to use weaker passwords because they assume the extra step will protect them.
“Why do I need a secure password if they're just gonna send me a text message anyway?” they wrote.
If you reuse a password, you are helping an attacker hack you
“It’s absolutely underestimated by the general public,” another commenter wrote.
“Especially by people who refuse to use a password manager because they think having a single point of failure is worse than re-using passwords across services.” Other internet users believe they are being clever by slightly modifying the same password across sites.
“If that's not incredibly easy for an attacker to guess once they see the leaked one.”
“People don’t grasp the concept of credential stuffing and how old breaches feed into new attacks. It's a huge blind spot for most.”
The Cybernews research team agrees with the broader diagnosis. According to researchers, the public consistently underestimates the risk of credential reuse.
“Re-using the same passwords across different accounts may seem convenient from the user's perspective, but unfortunately, it’s more convenient for the attackers as well,”
highlight Cybernews researchers.
Many users, they note, simply don’t understand how industrialized password cracking and replay attacks have become. Using the credential stuffing technique, leaked username and password pairs are tested en masse across popular platforms.
Education is part of the solution, but usability matters just as much.
“Making the process of securing accounts more user-friendly is very important, since many people may opt out of using a password manager simply because learning how to use it can be a challenge,” our researchers continued.
Shouldn’t we use the same password? Well, no one cares
“Many users will enter the least secure password allowed and want it to work forever, everywhere,” one commentator noted.
Asking for more security from users is also troublesome. Enforce a password change, and support inboxes fill up with complaints, say Redditors. In one such case described, a service moved email access to app-specific passwords for IMAP, POP, and SMTP.
A self-described “privacy expert” canceled their subscription in protest, furious they were being forced to change a password they had “used securely everywhere for 20 years.”
That reaction isn’t unusual. Password fatigue is real, and it shows up fast when convenience is threatened. Even people who understand the risks admit to bending the rules.
“I have been guilty of it, but generally with stuff I don't care about,”
admitted another Redditor.
“No accessible PII if someone did log into like a forum account or something that is one-time use.”
Some users take a more radical perspective. Instead of believing breaches are rare, they treat them as inevitable. Social media gets one password. Banking gets another. Everything else lives somewhere in between.
“I reuse credentials on accounts I don’t care about,” one Redditor said.
“I save the complex ones for the important stuff. I just assume most companies will get breached eventually.”
“Once you reach that state of IDGAF, life is so much better,” they conclude.
Unlock exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked