If you use the same password for more than one account, this article is for you.
85% of people reuse passwords across multiple sites (Bitwarden 2023). SpyCloud's 2024 report found that among users appearing in two or more breaches, 74% were still using the same password. Have I Been Pwned now contains over 17.5 billion compromised accounts.
Password reuse is dangerous because it turns one breach into a master key. But the real threat isn't just "if one leaks, they all leak." It's the industrialized attack infrastructure that makes exploiting reused passwords trivially cheap. This article explains how credential stuffing works, real-world damage cases, why common advice like "change passwords regularly" is wrong, and what actually solves the problem.
The Reality of Password Reuse
You might think you're the exception. The data says otherwise.
| Source | Finding |
|---|---|
| Bitwarden (2025) | 72% of Gen Z reuse passwords (vs 42% of Boomers) |
| SpyCloud (2024) | 74% of users in 2+ breaches still use the same password |
| Bitwarden (2023) | 85% reuse passwords across multiple sites |
| LastPass (2022) | 62% always or mostly use the same password or a variation |
| Proofpoint | Over 80% of web app breaches involve stolen credentials |
The Bitwarden finding is particularly striking: digital natives — the generation most comfortable with technology — have the worst password habits. Familiarity with tech doesn't translate to secure behavior.
Have I Been Pwned has catalogued over 17.5 billion compromised accounts from 959 breaches. Your email address may already be in there. Check with "How to Check If Your Password Has Been Leaked."
How Credential Stuffing Works
The attack that exploits password reuse is called credential stuffing.
The attack flow
- Acquire leaked data — attackers buy ID/password lists from past breaches on the dark web. Lists with millions of credentials sell for a few dollars
- Automate the attack — specialized bots try each username/password combination against other services at scale
- Access matching accounts — any account where the user reused the same password gets compromised
Why "only 2-4%" is still devastating
Credential stuffing has a general success rate of 2–4%. That sounds low.
But real attacks involve millions of attempts per campaign. In the PAL CLOSET incident (June 2025, Japan), 1,722,379 attempts resulted in 194,307 successful logins — an 11% success rate, far above average.
The cost to attackers is minimal: a few dollars for leaked lists, cheap automation tools. The cost to victims is enormous. Verizon's 2025 DBIR found that approximately 88% of basic web application breaches involved stolen credentials.
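Seen from the defending service, that pattern looks nothing like a user mistyping their own password: one source tries many distinct usernames and nearly all of them fail. The detector below is an added example, not code from the original article; its log format, IP addresses and thresholds are assumptions, and the sample log is constructed.

```python
"""Flag credential-stuffing sources in login logs (added example).
Assumed line format: "<timestamp> <src_ip> <username> <OK|FAIL>"."""
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass
class SourceStats:
    attempts: int = 0
    successes: int = 0
    users: set = field(default_factory=set)

    @property
    def success_rate(self) -> float:
        return self.successes / self.attempts if self.attempts else 0.0

def parse_line(line: str):
    """Return (src_ip, username, success) for one assumed-format log line."""
    _ts, ip, user, result = line.split()
    return ip, user, result == "OK"

def aggregate(lines):
    """Per-source counters: attempts, successes, distinct usernames tried."""
    stats = defaultdict(SourceStats)
    for line in lines:
        if not line.strip():
            continue
        ip, user, ok = parse_line(line)
        s = stats[ip]
        s.attempts += 1
        s.successes += int(ok)
        s.users.add(user)
    return stats

def flag_stuffing(stats, min_attempts=20, min_users=10, max_rate=0.15):
    """Sources spraying many accounts at a low hit rate are stuffing suspects.
    A real user retrying their own password never matches: one username."""
    return sorted(ip for ip, s in stats.items()
                  if s.attempts >= min_attempts
                  and len(s.users) >= min_users
                  and s.success_rate <= max_rate)

# Constructed sample: a real user mistyping once, plus a bot replaying 25
# leaked pairs of which 2 still work (8%, between the 2-4% and 11% above).
NORMAL = ["2025-06-01T10:00:0%dZ 198.51.100.7 alice %s" % (i, r)
          for i, r in enumerate(["FAIL", "FAIL", "OK"])]
BOT = ["2025-06-01T10:00:%02dZ 203.0.113.9 user%02d %s"
       % (i, i, "OK" if i in (7, 18) else "FAIL") for i in range(25)]
SAMPLE_LOG = NORMAL + BOT

if __name__ == "__main__":
    for ip, s in aggregate(SAMPLE_LOG).items():
        print(ip, s.attempts, len(s.users), f"{s.success_rate:.0%}")
    print("suspects:", flag_stuffing(aggregate(SAMPLE_LOG)))
```

Per-account lockouts do little against this traffic because each account sees only one or two attempts; the signal is in the per-source view, which is why rate limits and MFA are applied at that layer.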
Real-World Damage Cases
Snowflake Customer Breach (June 2024)
Cloud data platform Snowflake saw a massive wave of customer account compromises.
- Affected companies: 165+ (including Ticketmaster, Santander Bank)
- Attack method: credential stuffing with leaked credentials
- Why it worked: targeted accounts had no multi-factor authentication (MFA)
Password reuse + no MFA is the classic combination that makes credential stuffing devastatingly effective.
23andMe (2023, USA)
DNA testing service 23andMe was hit by credential stuffing. Attackers used passwords reused from other breached services to access user accounts and steal genetic data. The company ultimately filed for bankruptcy in 2025.
PAL CLOSET (June 2025, Japan)
Fashion retailer PAL Group's e-commerce site was targeted by credential stuffing.
- Login attempts: 1,722,379
- Successful breaches: 194,307 accounts
- Leaked data: names, gender, birth dates, addresses, phone numbers
- Response: all user passwords invalidated, forced reset
194,000+ users had their personal information exposed because they reused passwords that had been leaked elsewhere.
The bigger picture
IBM's Cost of a Data Breach 2025 report puts the global average cost of a data breach at $4.4 million. For individuals, credential stuffing leads to unauthorized purchases, identity theft, and account lockouts — damage that takes months to resolve.
"Change Regularly" and "Make It Complex" Are Wrong
"Change your password every 90 days." "Use uppercase, numbers, and symbols." These rules are no longer recommended.
NIST's Updated Guidelines
NIST SP 800-63B (the latest digital identity authentication guidelines) overturned conventional wisdom.
| Old "wisdom" | NIST's new guideline |
|---|---|
| Change passwords every 90 days | Do not force periodic changes unless there's evidence of compromise |
| Require uppercase, numbers, symbols | Complexity rules are prohibited |
| 8+ characters | 15+ characters recommended for single-factor auth |
| Memorize and type manually | Password manager use is recommended |
Why periodic changes backfire: forced changes lead to predictable patterns like Password1 → Password2 → Password3. Security actually decreases.
Why complexity rules backfire: "must include uppercase, number, symbol" produces passwords like P@ssw0rd! — technically compliant but trivially crackable. Length matters far more than complexity.
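Put side by side in code, as an added example that is neither the article's nor NIST's own: a legacy composition-rule check next to one shaped by the guidance in the table above (15-character minimum for single-factor use, no composition rules, a screen against known-breached passwords). The breach set is constructed, and the check for the Password1 → Password2 rotation pattern is an assumption added to illustrate the point about forced changes.

```python
"""Legacy composition policy vs a NIST SP 800-63B style check (added example)."""
import re
import unicodedata
from typing import List, Optional

# Constructed stand-in for a breached-password blocklist; a real deployment
# screens against a large corpus such as Have I Been Pwned's.
BREACHED = {"password", "p@ssw0rd!", "password1", "qwerty123"}

def old_policy_accepts(pw: str) -> bool:
    """Legacy rule: 8+ chars with upper, lower, digit and symbol."""
    return bool(len(pw) >= 8 and re.search(r"[A-Z]", pw) and re.search(r"[a-z]", pw)
                and re.search(r"\d", pw) and re.search(r"[^A-Za-z0-9]", pw))

def _same_stem(a: str, b: str) -> bool:
    """True when a and b differ only in a trailing digit/symbol run (Password1 -> Password2)."""
    strip = lambda s: re.sub(r"[\d\W_]+$", "", s.lower())
    return strip(a) == strip(b) and a.lower() != b.lower()

def nist_policy_check(pw: str, previous: Optional[str] = None) -> List[str]:
    """Return the reasons a password is rejected (empty list = accepted).
    No composition rules and no forced rotation; instead length, a breach
    screen, and (assumed addition) rejection of a counter-bumped old password."""
    reasons = []
    pw = unicodedata.normalize("NFKC", pw)  # 800-63B asks verifiers to normalize Unicode
    if len(pw) < 15:
        reasons.append("shorter than 15 characters (single-factor minimum)")
    if pw.lower() in BREACHED:
        reasons.append("appears in a breach corpus")
    if previous is not None and _same_stem(pw, previous):
        reasons.append("same as previous password with the trailing number changed")
    return reasons

if __name__ == "__main__":
    for pw, prev in [("P@ssw0rd!", None), ("Password2!", "Password1!"),
                     ("maple-router-quilt-orbit-tide", None)]:
        print(f"{pw!r}: old={old_policy_accepts(pw)} nist={nist_policy_check(pw, prev) or 'accepted'}")
```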
Password Managers: The Real Solution
Using 100 different strong passwords for 100 services is the goal, and human memory can't handle that. That's why password managers exist.
How they work
- Store all passwords in an encrypted vault
- You remember one master password only
- Auto-generate random strong passwords per service
- Auto-fill from browser extensions and mobile apps
What to look for
- Zero-knowledge architecture — even the provider can't see your passwords
- Multi-factor authentication — master password + authenticator app for double protection
- Breach monitoring — automatic checks if stored passwords appear in leak databases
- Passkey support — future-proofing for passwordless authentication
NordPass offers all of these. Its Password Health feature auto-detects reused and weak passwords, while Data Breach Scanner checks if your email addresses have been compromised.
"What if the password manager itself gets hacked?"
The 2022 LastPass breach is a fair concern. But with zero-knowledge architecture, even if the vault is stolen, the encrypted data is useless without the master password.
The risk of not using a password manager (same password across 100 services) vastly outweighs the risk of using one.
3 Things to Do Right Now
1. Check for existing leaks
Find out if your email or passwords have already been compromised. Use NordPass Data Breach Scanner or Have I Been Pwned.
See "How to Check If Your Password Has Been Leaked" for detailed steps.
2. Change passwords for critical accounts first
You don't need to change everything at once. Prioritize:
- Email accounts — used for password resets on every other service
- Banking and credit cards — direct financial exposure
- Social media — identity theft risk. Recovery steps at "Social Media Account Hacked? How to Check and Recover"
3. Start using a password manager
Let the password manager generate and store new passwords. For existing services, add them to the manager as you log in. No need to change everything at once.
See "Can't Remember Passwords? You Don't Have To" for a setup guide.
Password manager by the makers of NordVPN
- Manage passwords, passkeys, and credit cards in one place
- Zero-knowledge architecture
- Built-in data breach scanner
Wrapping Up
Password reuse gives attackers their cheapest possible attack vector.
- 85% of people reuse passwords across sites
- Credential stuffing succeeds 2–4% of the time; in the PAL CLOSET case, 1.7 million attempts yielded 194,000 breached accounts
- "Change regularly" and "make it complex" are outdated — NIST now discourages both
- Password manager + multi-factor authentication is the real solution
- Start with email → banking → social media
Check if your passwords are already compromised: "How to Check If Your Password Has Been Leaked." For stronger 2FA, see "Is SMS 2FA Still Safe? How to Switch to Secure Authentication."