
Should users be allowed to reuse/recycle the same login credentials across a network for different systems? Should this be disallowed/discouraged, or are the security implications minimal? If it's frowned upon, should the usernames and passwords be unique, or is reusing usernames okay?

(This is an extension of an earlier question: Does username length/complexity/uniqueness positively impact security?)

user389823
The term is "credential reuse", and the security implications are well-known. Once you learn one, you get access to all systems it is used on. – schroeder Apr 08 '16 at 15:02

2 Answers


It depends on the situation really. If you use RADIUS authentication and it's connecting back to your AD infrastructure, and you're using it within, say, your routing and switching environment to gain access to the CLI, then it's OK. However, this is only because RADIUS is an AAA service. If you use the same user and password to make domain administrator level changes, it's very bad and is not a best practice by any means. In general you should never allow passwords to be reused, even if it's, say, 6 months down the road. Usernames in the Windows AD world typically have to be reused. However, passwords, as I mentioned before, should never be reused, as they become more insecure over time.

DeadPixel

When it comes to usernames, it's generally better to keep them the same. The good thing about that is that it eases account termination when a user should no longer have access. If all users have different usernames for different systems, then it would be a heck of a job to find out which accounts belong to a user that is leaving employment, and there's a high risk that there will be leftover accounts.

Note here that I'm talking about username reuse, not password reuse.


Now on to password reuse, and the basics of when password reuse may or may not be acceptable.

I would say it depends on the circumstances. I would suggest that you carefully consider "What happens if this username/password is leaked?" If the impact of leaking a single password that goes to both of the systems in question would be similar to the impact of leaking just one of them, I would say there's no danger in allowing credential reuse here.

For example: a user account on a computer + an email account on the same premises. That would not be such a big deal if these are identical, because if you as an attacker lack the email password, you could normally access the cache/database of the mail client and get the emails that way, and the email content is normally more sensitive than just local user access, so even the other way around the impact of allowing credential reuse here would be negligible.


One thing you need to be aware of in addition to this is that certain software may contain vulnerabilities that would allow an adversary to discover the password.

One example: a bookkeeping software might store the user DB as plaintext on the hard drive. If credential reuse is then done, an adversary can easily get other users' passwords.


The best way to do this is to zone everything into different security zones, based on their capabilities and security risk.

Low: Software that is not well made and may contain vulnerabilities. Accounts that are not very important to protect. Also cloud accounts or external web services fall into this category, as you cannot know the security level of the web service in question. However, well made web services, like company accounts for Google and internal accounts on well made external services for managing company assets, should be categorized in the "Medium" zone.

Medium: Local user accounts for normal users. Login systems and software that is well made by a reputable vendor, where you can be confident that the software is not recklessly made. Local user accounts belonging to external services belonging to the company (for example Google Apps accounts, authoring accounts on the company's blog etc.) should also fall in this Medium category.

High: Administrator accounts. Passwords used for encrypting data. Very important accounts. Phone-in/VPN/RDP accounts (remote access).

And then make sure passwords are not reused across zones. Reusing passwords within a zone is a good idea, to avoid the "password fatigue" that would instead cause passwords to be written down.

In this zoning system, a normal user would need to only remember 2 company-internal passwords, and administrators would have to remember 3 company-internal passwords.

sebastian nielsen
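The zoning policy described in the answer above (one username shared across systems so offboarding finds every account, passwords reusable only between systems in the same zone), as an added example that is not part of the original post. The system names, zone assignments and the central credential store are constructed for the example; in practice such a cross-system check can only be made at password-set time, when the plaintext is still available, because independently salted verifiers cannot be compared with each other afterwards.

```python
import hashlib
import hmac
import os

# Constructed zone assignments in the spirit of the answer's Low/Medium/High split.
SYSTEM_ZONES = {
    "bookkeeping": "low",      # poorly made software, may leak its user DB
    "workstation": "medium",   # local user account
    "email": "medium",
    "company-blog": "medium",
    "vpn": "high",             # remote access
    "domain-admin": "high",    # administrator account
}

PBKDF2_ROUNDS = 50_000  # kept modest so the example runs quickly


class CredentialStore:
    """One salted password verifier per (username, system).

    The username is shared across systems; the password may only be reused
    between systems that sit in the same security zone.
    """

    def __init__(self):
        self._verifiers = {}  # (username, system) -> (salt, derived key)

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def _matches(self, username, system, password):
        salt, digest = self._verifiers[(username, system)]
        return hmac.compare_digest(self._derive(password, salt), digest)

    def set_password(self, username, system, password):
        """Store a verifier, rejecting a password already used in another zone."""
        zone = SYSTEM_ZONES[system]
        for user, other in list(self._verifiers):
            if user != username or other == system:
                continue
            other_zone = SYSTEM_ZONES[other]
            if other_zone != zone and self._matches(username, other, password):
                raise ValueError(
                    f"password for {system} ({zone} zone) is already used "
                    f"on {other} ({other_zone} zone)"
                )
        salt = os.urandom(16)
        self._verifiers[(username, system)] = (salt, self._derive(password, salt))

    def systems_for(self, username):
        """All systems on which this username has an account (shared username)."""
        return sorted(system for user, system in self._verifiers if user == username)

    def offboard(self, username):
        """Remove every account of a leaving user; returns the systems touched."""
        removed = self.systems_for(username)
        for system in removed:
            del self._verifiers[(username, system)]
        return removed


def demo():
    """Walk through the policy with a constructed user and return what happened."""
    store = CredentialStore()
    results = {}
    # Medium zone: workstation and email may share a password.
    store.set_password("alice", "workstation", "Winter-2016!")
    store.set_password("alice", "email", "Winter-2016!")
    results["within_zone"] = "allowed"
    # Medium -> High: the same password on the VPN account must be refused.
    try:
        store.set_password("alice", "vpn", "Winter-2016!")
        results["cross_zone"] = "allowed"
    except ValueError:
        results["cross_zone"] = "rejected"
    store.set_password("alice", "vpn", "Remote-Only-9x")
    results["systems"] = store.systems_for("alice")
    # Offboarding finds every account because the username is the same everywhere.
    results["offboarded"] = store.offboard("alice")
    results["remaining"] = store.systems_for("alice")
    return results


if __name__ == "__main__":
    print(demo())
```

With these zones a normal user ends up with two company-internal passwords (Low and Medium) and an administrator with three, matching the count given in the answer.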