2025-10-22

Using a single password across all accounts remains a widespread problem, leaving millions of people potentially exposed. Traditionally, users would be advised to change their passwords regularly, but with the evolution of cybercrime techniques, this may no longer always work.

Key takeaways:

- Password reuse is rampant and risky, with account breaches on the rise.
- Experts warn that reuse fuels account takeovers; they advise unique passwords, MFA, and password managers.
- Policy shift: NIST drops routine password changes, favoring blocklists, secure hashing, and rate limiting; firms add token-based logins.

Key takeaways by nexos.ai, reviewed by Cybernews staff.

A new survey in the UK has shown that 12.45% of the country’s population – or just over six million people – use a single password for every account they have, a worrying trend in a country where social media and email account hacking is on the rise.

“Password reuse remains one of the most consistent and preventable drivers of account takeover,” said Guy Hawkridge, head of IT and security at DTP Group, a cloud services company.

The firm said it commissioned the survey in response to a “shocking” spike in hacking attempts targeting people in the UK. More than 35,400 reports of social media and email account breaches were recorded in 2024, up from 22,500 the previous year, according to Action Fraud, the national reporting center for fraud and cybercrime.

Research showed that only one in five adults in the UK uses a unique password for every account, while the remaining roughly 80% reuse passwords across multiple accounts. Nearly 60% reported reusing up to six passwords, which is better than using a single password for everything, but still puts them at higher risk of being hacked.

The numbers are consistent with similar studies elsewhere. One from the American software company JumpCloud showed last year that 60% of people reused passwords across multiple sites, and 13% used the same password for all accounts. Another, from Nord Security (which is owned by the same company as Cybernews), showed that 50% of Germans reused passwords.

According to DTP, this means that millions of users could have multiple accounts compromised if just one password is leaked, which could cascade across personal, work, and financial platforms.

Hawkridge added that “a single step of using unique credentials… combined with multifactor authentication and password managers, would reduce a significant portion of credential-stuffing and phishing success.”

The risk is "absolutely" real

Cybercrime investigator Calum Baird, who was not involved in any of the studies, agreed, saying that relying on one password for all accounts "absolutely" increases the likelihood of being hacked.

“Using the same password across multiple platforms is like having one key that opens all your locks... If it's stolen or copied, there's a huge risk,” he told Cybernews.

While loopholes exist that cybercriminals exploit to maintain access long after passwords are reset, a layered approach to cybersecurity is still the best bet to keep data safe.

“Proper identity and access management is one aspect of this approach, and just because cybercriminals might be able to use other technical means to bypass system security, you can reduce their chances of getting in by using strong and unique passwords,” Calum said.

However, overzealous password requirements may do more harm than good, the National Institute of Standards and Technology (NIST), which oversees cybersecurity guidelines for the US government, warned in its recently updated rulebook.

It said that frequently changing to lengthy and increasingly complex passwords has a negative impact on usability and memorability, suggesting that other mitigations, including blocklists, secure hashed storage, machine-generated random passwords, and rate limiting, are more effective at preventing attacks.

As a result, NIST no longer recommends mandatory password changes in its new guidelines, saying they should only be implemented when there is a risk that a password could be compromised.
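The mitigations the NIST passage lists (a blocklist of known-bad passwords, salted and iterated hashing for storage, machine-generated random passwords, and rate limiting of login attempts) are easier to reason about in code than in prose. The example below is added here for illustration; it is not from the article, NIST, or any of the companies quoted. It uses only the Python standard library, a constructed five-entry blocklist standing in for a real breach corpus, and an injectable clock so the rate limiter can be exercised without waiting.

```python
import hashlib
import os
import secrets
import string
import time
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample blocklist. A real deployment would load a large list of
# breached or commonly used passwords and compare case-insensitively.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome1"}

PBKDF2_ITERATIONS = 200_000  # illustrative work factor; tune to your hardware


def is_blocklisted(password: str) -> bool:
    """Return True if the candidate appears on the blocklist (case-insensitive)."""
    return password.lower() in BLOCKLIST


def generate_password(length: int = 20) -> str:
    """Machine-generated random password drawn from the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, iterated PBKDF2-HMAC-SHA256 digest; returns (salt, digest).

    A memory-hard function (scrypt/Argon2) is preferable where available; PBKDF2
    is used here because it ships with every Python build.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a recomputed digest against the stored one."""
    _, candidate = hash_password(password, salt)
    return secrets.compare_digest(candidate, digest)


class RateLimiter:
    """Sliding-window limiter: at most max_attempts per key per window_seconds."""

    def __init__(self, max_attempts: int = 5, window_seconds: float = 60.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.clock = clock
        self._attempts: Dict[str, List[float]] = {}

    def allow(self, key: str) -> bool:
        now = self.clock()
        recent = [t for t in self._attempts.get(key, []) if now - t < self.window]
        if len(recent) >= self.max_attempts:
            self._attempts[key] = recent
            return False
        recent.append(now)
        self._attempts[key] = recent
        return True


# In-memory credential store: username -> (salt, digest). Constructed for the demo.
STORE: Dict[str, Tuple[bytes, bytes]] = {}


def register(username: str, password: str) -> str:
    """Apply the blocklist at enrolment; store only a salted digest."""
    if is_blocklisted(password):
        return "rejected: password is on the blocklist"
    STORE[username] = hash_password(password)
    return "ok"


def login(username: str, password: str, limiter: RateLimiter) -> str:
    """Rate-limit before touching the store so guessing is throttled per account."""
    if not limiter.allow(username):
        return "rate limited"
    record = STORE.get(username)
    if record is None or not verify_password(password, *record):
        return "invalid credentials"
    return "authenticated"


if __name__ == "__main__":
    limiter = RateLimiter(max_attempts=3)
    print(register("alice", "password"))            # rejected by the blocklist
    strong = generate_password()
    print(register("alice", strong))                # ok
    print(login("alice", strong, limiter))          # authenticated
    for _ in range(3):
        print(login("alice", "wrong", limiter))     # two invalid, then rate limited
```

Note that the rate limiter is keyed per account; a production service would usually also key by source address and apply the limiter before any database lookup, as `login` does here, so that guessing attempts are throttled whether or not the account exists.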

For individuals, the best approach to protect their accounts is to use a reputable password manager, according to AJ Thompson of Northdoor, an IT consultancy firm.

“One strong password to manage the app, with the rest then managed by the app,” he said.

Thompson also noted that businesses are increasingly responding to consumer nervousness about online fraud by rolling out “tokenization” – meaning that users can only log in after signing up if the token stored on their browser matches the one stored on the website.

“It is a similar process to the old-fashioned approach to security, where someone tore a playing card in half. If the other party’s card married up with yours, then it was genuine. This can be especially useful when phishers use spoof websites,” Thompson said.

