Identical passwords: The risks of repeated password use

One login hacked – all access at risk.

IT administrators bear the brunt of protecting systems and data. One particularly persistent risk is identical or reused passwords. This allows users – often unintentionally – to open the door to attackers for credential stuffing, account takeovers and lateral movement within the network. Studies show that the use of stolen access data is one of the most common initial vectors in security incidents (see sources below).

Risk of cross-compromise

When an account is compromised, attackers automatically test the same credentials on other services (credential stuffing). A single leak can thus become a chain reaction – from email to collaboration tools to cloud services. The result: data theft, identity theft and unauthorised access to company resources.

Basic web application attacks are a particularly critical category: they are dominated by stolen or reused credentials, a clear indication that password reuse is directly exploitable in practice (see sources).

Ransomware & account takeovers

Once attackers hold valid credentials, they can escalate privileges, move laterally within the network and roll out malware, up to and including ransomware deployment. Official recommendations therefore emphasise: eliminate password reuse and enable phishing-resistant MFA (e.g. FIDO2/passkeys) wherever technically possible (CISA, NIST).

Measures to improve password security

Guidelines (policy)

  • No preventive, regular password changes – only enforce if compromise is suspected or proven (NIST, NCSC).
  • One password per account/service – strictly prohibit reuse (NIST, NCSC).
  • Increase minimum length (e.g. ≥ 14 characters) and avoid unnecessary complexity requirements; instead, focus on length, uniqueness and blocking ‘common passwords’ (NIST).
  • Check passwords against compromised lists (NIST SP 800‑63B) – see practical note on Password Depot below.
  • MFA mandatory, preferably phishing-resistant (FIDO2/passkeys), at least for admin, remote and cloud access (CISA).
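The policy points above (length over complexity, blocking common and compromised passwords, no reuse across accounts) can be expressed as a single acceptance check. The following Python is an added example and is not Password Depot's code or NIST reference code: the breach lookup mimics the k-anonymity range scheme (only the first five hex characters of the SHA-1 leave the client, and the suffix comparison happens locally), but the "range" responses are built from a constructed list of four known-bad strings so that it runs offline. The deny-list, the hypothetical `evaluate_password` helper and the way reuse is detected (comparing against hashes of the user's other entries, as a vault would do internally) are all assumptions of this example.

```python
import hashlib

# Constructed stand-in for a breached-password corpus. A real deployment would
# query a range API (send the 5-character SHA-1 prefix, receive every matching
# suffix, compare locally) or a locally mirrored list; here the "range"
# responses are built from a few known-bad strings so the code runs offline.
_SAMPLE_BREACHED = ["password", "Password123", "qwerty123456789", "letmein"]


def sha1_hex(pw: str) -> str:
    """Upper-case hex SHA-1, the digest form range APIs for breached passwords use."""
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()


# Map 5-character prefix -> set of 35-character suffixes (a simulated range DB).
_RANGE_DB: dict = {}
for _pw in _SAMPLE_BREACHED:
    _h = sha1_hex(_pw)
    _RANGE_DB.setdefault(_h[:5], set()).add(_h[5:])


def range_lookup(prefix: str) -> set:
    """Stand-in for the network call: every known suffix for one 5-char prefix."""
    return _RANGE_DB.get(prefix.upper(), set())


def is_breached(pw: str) -> bool:
    """Only the prefix is sent; the full hash and the password never leave the client."""
    h = sha1_hex(pw)
    return h[5:] in range_lookup(h[:5])


# Short constructed deny-list of commonly used passwords (exact match, lower-cased).
COMMON_PASSWORDS = {"password", "qwerty", "letmein", "welcome1", "admin"}


def evaluate_password(pw: str, username: str, other_account_hashes: set,
                      min_len: int = 14) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable.

    other_account_hashes: SHA-1 hex digests of the same user's passwords for other
    services (hypothetical; a vault would compare against its own stored entries).
    """
    problems = []
    if len(pw) < min_len:                      # length, not character-class rules
        problems.append(f"shorter than {min_len} characters")
    if username and username.lower() in pw.lower():
        problems.append("contains the username")
    if pw.lower() in COMMON_PASSWORDS:         # block "common passwords"
        problems.append("is a commonly used password")
    if is_breached(pw):                        # check against compromised lists
        problems.append("appears in a known breach corpus")
    if sha1_hex(pw) in other_account_hashes:   # one password per account/service
        problems.append("already used for another account")
    return problems


if __name__ == "__main__":
    for candidate in ["password", "qwerty123456789", "correct horse battery staple"]:
        print(candidate, "->", evaluate_password(candidate, "alice", set()) or "OK")
```

Note that a 15-character password such as `qwerty123456789` passes the length rule and is still rejected, because it sits in the breach corpus; this is exactly why the breach check matters more than complexity rules.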

Technical controls

  • Enable rate limiting and monitoring for logins; detect and block suspicious patterns (e.g. multiple login attempts from distributed networks) (NIST).
  • Allow paste so that password managers can be used securely – no copy/paste prohibition in the password field (NIST).
  • Risk-based MFA challenges and consistent MFA registration (CISA).
  • Passkeys should be introduced wherever possible; replace password entries in the future.
  • Identify compromised passwords: Check in Password Depot via Tools → Security Check → Check for Pwned Passwords and change affected entries immediately.
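Rate limiting and the detection of "multiple login attempts from distributed networks" from the list above can be run over the authentication log. The following Python is an added example, not code from Password Depot or from any of the cited agencies: it parses a constructed log format (`ts ip=... user=... result=ok|fail`, an assumption of this example), applies a sliding-window per-IP failure limit, flags the credential-stuffing signature (failures spread across many source IPs and many distinct accounts, each IP staying under the per-IP limit), and marks accounts where a success follows probing from a different IP as candidates for review. Thresholds and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed auth-log format for this example (not a real product's format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_line(line: str):
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "ip": m["ip"], "user": m["user"], "result": m["result"]}


def analyse(lines, window=timedelta(minutes=5), per_ip_limit=5,
            min_ips=10, min_users=10) -> dict:
    """Three detections over a sliding time window (all thresholds are assumptions)."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    blocked_ips, takeover, distributed = set(), set(), False
    fails_by_ip = defaultdict(deque)     # ip   -> timestamps of failures
    fails_by_user = defaultdict(deque)   # user -> (timestamp, ip) of failures
    recent_fails = deque()               # (timestamp, ip, user) across all sources
    for e in events:
        ts = e["ts"]
        if e["result"] == "fail":
            # 1. Per-IP rate limit: more than per_ip_limit failures inside the window.
            q = fails_by_ip[e["ip"]]
            q.append(ts)
            while ts - q[0] > window:
                q.popleft()
            if len(q) > per_ip_limit:
                blocked_ips.add(e["ip"])
            fails_by_user[e["user"]].append((ts, e["ip"]))
            # 2. Distributed pattern: many IPs and many accounts failing in one window.
            recent_fails.append((ts, e["ip"], e["user"]))
            while ts - recent_fails[0][0] > window:
                recent_fails.popleft()
            ips = {ip for _, ip, _ in recent_fails}
            users = {u for _, _, u in recent_fails}
            if len(ips) >= min_ips and len(users) >= min_users:
                distributed = True
        else:
            # 3. Success on an account that was probed from another IP in the window.
            q = fails_by_user[e["user"]]
            while q and ts - q[0][0] > window:
                q.popleft()
            if any(ip != e["ip"] for _, ip in q):
                takeover.add(e["user"])
    return {"rate_limited_ips": sorted(blocked_ips),
            "distributed_stuffing": distributed,
            "takeover_candidates": sorted(takeover)}


# Constructed sample log: one legitimate login, a single-source brute force,
# a low-and-slow spray from 12 addresses, and a success on a probed account.
SAMPLE_LOG = ["2024-05-01T10:00:00Z ip=192.0.2.10 user=alice result=ok"]
SAMPLE_LOG += [f"2024-05-01T10:01:{s:02d}Z ip=198.51.100.7 user=bob result=fail"
               for s in range(0, 35, 5)]                       # 7 failures in 30 s
SAMPLE_LOG += [f"2024-05-01T10:02:{i:02d}Z ip=203.0.113.{i} user=user{i:02d} result=fail"
               for i in range(1, 13)]                          # 1 failure per IP
SAMPLE_LOG += ["2024-05-01T10:02:30Z ip=203.0.113.40 user=user05 result=ok"]

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

The single-source brute force is caught by the per-IP limit alone, while the spray never trips it (one attempt per address); only the window-wide count of distinct sources and accounts exposes it, which is why both controls belong together, and why the successful login on `user05` deserves a risk-based MFA challenge rather than silent acceptance.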

Awareness & Operations

  • Regularly train users on credential stuffing, phishing, and password reuse (NCSC/CISA).
  • Recommend and provide password managers; aim for long, random, unique passwords for each service.
  • Define incidents (leaks, phishing, malware attacks) as triggers for immediate password changes and token renewal (NIST/CISA).

In plain terms: reuse is the real enemy. Forced, regular changes without cause reduce the quality of passwords – and do not solve the problem. Focus on length, uniqueness, MFA/passkeys and checking against compromised lists (e.g. directly in Password Depot).

Conclusion: The repeated use of passwords is a significant security risk and facilitates account takeovers and even ransomware incidents. Admin teams must implement clear, up-to-date policies and secure them technically — including regular checks for compromised passwords with Password Depot — to protect identities and systems in the long term.

Sources (selection)