Two thirds of web users re-use the same passwords

I may never get tired of talking about password reuse (using the same password on different sites), but you may get tired of hearing me go on about this. So I will keep this post short.

Troy Hunt has done an excellent analysis of the passwords of the most recent Sony breach. There are lots of scary data in there, but I wish to highlight that two thirds of users whose data were in both the Sony data set and the Gawker breach earlier this year used the same password for each system.

If you use 1Password on the Mac, take a look at Mike’s tips on how to use 1Password to help identify duplicate passwords and get you strong, unique passwords for every site.

1Password for Windows users can identify passwords that may be identical simply by sorting their passwords by password strength.

To change an existing password for a site, you can’t just change it entirely within 1Password, but you need to go through the website’s password change mechanism. Take a look at our guide for changing passwords for how 1Password can help you every step of the way.

[Edited 2011-06-09 to correct Troy Hunt’s name and affiliation]

Other posts in this series

  1. More than just one password: Lessons from an epic hack (August 19, 2012)
  2. Password reuse strikes again, and a bit closer to home at Dropbox (July 31, 2012)
  3. Friends don't let friends reuse passwords (July 12, 2012)
  4. On password breaches and security processes (June 6, 2012)
  5. Two thirds of web users re-use the same passwords (June 7, 2011)
  6. Tips: How to Find Duplicate Passwords (April 29, 2011)
  7. When websites are breached, 1Password saves the day! (April 14, 2011)
  8. Security firm falls victim to password reuse (February 17, 2011)
  9. xkcd Hits Nail on Head (September 14, 2010)
8 replies
  1. Alan Shutko
    Alan Shutko says:

    A quick way to determine duplicated passwords is to export the passwords to a file and run

    awk -F’\t’ ‘{print $4}’ 1Password.txt | sort | uniq -c | sort -nr

    That will sort the passwords by the number of times it’s used. Remember to delete the file (securely, if desired).

    • Jeff
      Jeff says:

      That’s nice, Alan. I’m an old Unix guy myself.

      For those following this at home, this is Mac only and should only be done if you are very comfortable with the Terminal command line.

      In the text export, if you uncheck everything other than password, then you can leave out the AWKwardness from the pipeline. Also the temporary file that you create will now not contain the username or the URL.

      Also, as we are only interested in things with duplicates we should kill out the unique passwords. So with only passwords listed in 1Password.txt we can use

      sort 1Password.txt | uniq -c | egrep -v '^ *1 ' | sort -nr

      Afterwards you should remove 1Password.txt and any temporary files you create using srm or dragging to the Trash and using Secure Empty trash. You may also wish to check that the 1Password.txt file listing your unencrypted passwords didn’t get saved to a backup during the time it existed.



    • Jeff
      Jeff says:

      Thanks, Thom.

      I was so tempted to title this post, Two thirds of web users re-use the same passwords. The other third use 1Password. But that would have implied things about our number of users which I certainly couldn’t claim.



  2. Phill Tran
    Phill Tran says:

    Thanks for helping people chip away at the two-thirds statistic.

    My question is whether sign in via facebook and twitter is any better. True web apps do not have your credentials, but all the logins are tied back to one password. Have your facebook password compromised and all of your other logins are compromised too.

    At least users running 1password are informed to make their 1password extra secure. Many facebook users do not.

    • Jeff
      Jeff says:

      Some passwords are more important than others, and if you use “Login with Facebook” on many sites, it does make your Facebook password more important. One of the most important passwords is actually your email password, as your email account can be used for “password reset” mechanisms at many sites.

      Using a “sign on with Facebook”, while providing a single point of attack for numerous sites, it still going to be better than password reuse because (1) only Facebook has the encrypted from of the password, so attacks on the other sites aren’t likely to discover the password, and (2) in the case of a breach, you would only need to change the Facebook (or Twitter, or whatever) password instead of having to change passwords are dozens of sites.

      Still, as you note, users of 1Password don’t need to rely on things like “Login with Facebook” which may raise privacy concerns for some.



    • Jeff
      Jeff says:

      Hi Liston,

      I’m not entirely sure what you are asking, but the strong password generator in 1Password does not look at your existing passwords to avoid duplicates. That is because it is extremely unlikely that the strong password generator would generate something that already exists.

      I hope that this answers your question, but if not please do let us know more about what you are asking.



Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.