Reusing passwords pose as a terrible risk for users because in the event of a data breach, with the passwords not being stored securely enough, this means that, by default, all other services that they use this password for are also compromised. Typically with these breaches they store the password using only a hashing algorithm like SHA-1, or even still MD5 in some cases recently (which were never meant for storing passwords securely), making it easy for attackers to bruteforce passwords using just raw GPU hash power.

If a person was to create a properly random password of sufficient length (e.g. 100+) of very sufficient entropy which is mixed with many types of symbols, numbers and letters; in the case that their machine is not compromised in the sense that there is a keylogger installed or the like, and all their browsing sessions are done through an encrypted tunnel, is there a risk in reusing this password for multiple websites if it can possibly never be cracked in their lifetime if a data breach occurred on one of the services they use?

  • Comments are not for extended discussion; this conversation has been [moved to chat](https://chat.stackexchange.com/rooms/77955/discussion-on-question-by-azxdreuwa-reusing-passwords-that-can-possibly-never-be). – Rory Alsop May 24 '18 at 19:04

12 Answers12


You don't need to bruteforce a hash to steal a password. A website might be compromised by an attacker so that they can read the passwords directly from the login form, in plain text. Or the website owner might be doing this, they could always do it if they wanted to, it's up to you whether you trust the owner or not (you wouldn't want to use the same password on Facebook and SomeBlackHatCommunity dot com). Also, there is always the good old shoulder surfing for stealing passwords. A password is like a key, and by using the same password you are actually giving the same key to different doors to different people. You can see it's never a good idea.

So you should never use the same password in different places, unless that password protects the same data or gives you the same privileges, so for example I believe you can use the same password to protect your backups.

  • 15,398
  • 6
  • 43
  • 64
  • 17
    obligatory XKCD https://xkcd.com/792/ – DRF May 20 '18 at 20:26
  • 3
    "same password to protect your backups" If you have multiple backups, then you may as well use separate passwords. Otherwise, all could be compromised together, and it defeats the purpose of having multiple backups, at least from a security perspective. – jpaugh May 22 '18 at 22:26
  • See recent example: https://twitter.com/twittersupport/status/992132808192634881 – R.. GitHub STOP HELPING ICE May 23 '18 at 01:08
  • @jpaugh, yes, it was an example, of course it all depends on how easy it is to access all of the backups, and if any intrusion is likely to be detected. If they are all stored in the same place it is indeed a problem. – reed May 23 '18 at 10:11

TL;DR: I don't need to recover YOUR password, I just have to find a string that generates the same hash, and as you don't control the hash the website developer uses until they all use a secure one, it doesn't help as much as it costs. And if I'm after you I keep hacking websites you use until I find a weak one. Or I use another method.

Relevant XKCD:


Because if there's not a relevant XKCD, there soon will be.

Reusing passwords pose as a terrible risk for users because in the event of a data breach,

Only if that password is protecting something that matters.

For general internet forum usage I have a nom de guerre with it's own email address, and four or five passwords for everything.

These passwords protect nothing. Even compromising the email account behind them gets you nothing but the ability to make my nom de guerre look dumber than he already looks.

with the passwords not being stored securely enough,

Password aren't stored. We'll come back to this.

this means that, by default, all other services that they use this password for are also compromised.

To be more precise that should be worded:

...this means that, by default, all other services using that email address and password should be considered compromised AND if the attacker knows your other email address, any that use that password should be considered...

Identity (for these purposes) are what you are (email address) plus what you know (password).

If I know you are "joebob@gmail.com" on somerandomforum.com and wellsfargo.com AND you use the same password for all three you're hosed.

But if you use "joebob@gmail.com" on webforums, and Azxdreuwa@yahoo.com for your "personal" use, and "Alexander.Scott@yourowndomain.com" for professional use, then it is extremely hard for an algorithmic attacker to sort them.

Typically with these breaches they store the password using only a hashing algorithm like SHA-1, or even still MD5 in some cases recently

I know you know this, and I'm being horribly pedantic, but generally we do not store passwords. If it's SHA-1, or MD5, or any other hash (including the poor, dead "crypt" or the newest unbrokenest one on the block) there is no provable reliable round trip from the hash to the password.

You CAN NOT and do not get from eaf4c33ae978d3f2852021214a061534 to "Fred is dead". You MIGHT be able to create two or more strings of indeterminate length to that same hash. What you can do is generate strings until they match. This is different, and it's a CRITICAL difference. And it's critical for this too.

(which were never meant for storing passwords securely), making it easy for attackers to bruteforce passwords using just raw GPU hash power.

What an utter waste of time and electricity that would be MUCH better spent ${WHATEVER}coin mining.

Either way, you don't reconstruct the hash, you keep throwing strings at the algorithm until you get a match

Precomputed rainbow tables are a LOT faster when through the five million email:name:password tuples you just extracted from BigWebSiteInc, and are going to get you a LOT more results a LOT faster.

And yeah, know GPUs can compute that s*t really fast., but lookups are WAY faster, and I'm going to want to break LOTS of passwords, not just yours.

If I want YOUR credentials I have other ways of getting them and if I want them bad enough...yeah, that's probably not a forum Stack Exchange wants to host. There's a lot of aspects to security and cryptography only protects some of them.

If a person was to create a properly random password of sufficient length (e.g. 100+) of very sufficient entropy which is mixed with many types of

True story. A little over a decade ago I was in the reserves of the US Military, and they have (had?) a system where your military ID was part of your credentials for your network account. To log in to most of their computers you had to put your military ID in a smart card reader and put in your "pin number".

At one point I got a new ID card, which necessitated a new PIN. So I went to the pin entry place, and put a IIRC 10 digit number into the keyboard, then put it in again. It said my PIN matched and off I went.

I got back to my unit and tried to log in. Failure.

So back I went. A couple times. We were confused. Then I shortened the PIN and it worked.

There was a 8 or 9 character limit on the PIN (or whatever. It was $MY_NUM-2). The FIRST entry system was silently discarding the extra numbers. The second wasn't, leading to a mismatch. (Or the other way around)

ISTR there is some stuff in the SAMBA readme about early version of NT's password database storing the hash in 2 parts because old LANMAN (??) stuff only did 8 character passwords. Not sure how THAT worked.

Anyway some of the times the workflow from entry screen to password storage is going to have a limited number of characters, some aren't. And this can change as various websites change their software. Heck, it could be different on different parts of a federated system. You want to make sure you don't overflow their expectations.

symbols, numbers and letters; in the case that their machine is not compromised in the sense that there is a keylogger installed or the like, and all their browsing sessions are done through an encrypted tunnel, is there a risk in reusing this password for multiple websites if it can possibly never be cracked in their lifetime if a data breach occurred on one of the services they use?

Honestly, for high security applications (e.g. protecting SSH keys etc.) I use the first couple stanzas from a couple of well remembered songs. At least one of them has an accidental misspelling that is permanently fixored in my brane.

The thing is that if I am looking at a ID:pw hash in a password store (file, database,whatever) I WANT the easiest to break that I can. I don't want the guy who's using some sort of strong key store and has a different password for every other site, I just want the low hanging fruit. Those are the ones most likely to reuse passwords.

So yeah, it makes your password more secure, modulo a couple things.

You don't get to pick the hash used on the far end, and as long as people are using "broken" hashes (md5, SHA-1 etc.) you can get more than one string to match the hash. And as long as one website you use continues to store passwords in a bad hash you're vulnerable.

This is why I was being pedantic. We don't store passwords, we store a hash of the password, and I don't need to recover YOUR password, I just have to find a string that generates the same hash.

It may be that your 100 Character string composed by the output of the finest whitened random number generator just happens to match the hash of "Fred is dead" and then you've lost.

That's on top of someone putting a camera where it can watch you type, running a MITM attack on your SSL session (which is about half the major corporations I've worked at over the last few years--they do it on their proxy server to do DLP), hacking the website to put some extra code in their login page, or any one of a dozen other hacks.

Or just putting a gun to your knee. Or more grisly methods.

Using throw away passwords for throw away data, multiple online "identities" and some sufficiently secure key storage for the important stuff is probably the best way to go. This is a sort of "defense in depth", and is fairly easy to do (heck, I can do it, it can't be that hard).

To address something @IMSoP brings up as a comment.

The actual stored hash is usually the password + a hash so it IS unlikely that your favorite insecure web forum and your bank will use the same hashing algorithm and salt. They might, but unlikely.

However, a secondary point is that for ANY site using an insecure hash--and that's a LOT of them (see Another True Story below) an attacker can retrieve a string that hashes to what is stored and then interact with that site as you.

This does wander afield of the "password reuse" issue, but does address the super-long password issue. It's like in ...um...other areas in life. A certain amount is good, more is better, but too much will cause problems.

As to the use of "insecure" hashes, businesses tend to worry most about lawsuits, and secondarily about publicity, and finally about really being secure. A friend of mine has a patent on a fairly secure storage mechanism that would significantly increase security for laptops and desktop (among other things). He has tried to get a couple large companies involved in this, and every one he's approached has indicated the same thing--that their current security meets both "common industry practices" and legal standards, so they are not interested in any expense beyond that. They are, in their opinion "lawsuit proof", and are much less concerned about publicity because of it.

This is why banks have decided that asking a stupid question is "three factor authentication", and other clearly questionable security practices.

This means that their hashing algorithms are what shipped with the OS when it was installed. Because that is the "common industry practice".

A 16 or 20 character password stored in a secure password tool is just as good as a 100 character password under these conditions.

To wrap it back around I am not as opposed to password reuse as some here--I have several home computers that I share the same password on (and a few that are different), but I never duplicate some of them (my personal, professional and work email accounts, bank passwords etc.). Just not worth the risk.

  • 784
  • 5
  • 5
  • 7
    The method mentioned in the second to last paragraph is sometimes called "rubberhose decryption". And of course, there's an xkcd for that: https://xkcd.com/538/ – Orphevs May 20 '18 at 23:52
  • 13
    This is one of the most easily-consumed and thorough answers I've read on here. I didn't learn anything new from it, but I feel like I understand the same information better. – Οurous May 21 '18 at 02:53
  • 1
    Just being pedantic here - if you Google `eaf4c33ae978d3f2852021214a061534`, now you get directed to this question whereby you can quite easily see it maps to "Fred is dead". – muddyfish May 21 '18 at 18:15
  • 4
    `as long as people are using "broken" hashes (md5, SHA-1 etc.) you can get more than one string to match the hash.` True, but overly restricted. A necessary property of fixed length hashes is that multiple inputs will map to each hash. Your statement is true for any fixed length hash algorithm, not just "broken" ones. – Matt May 22 '18 at 03:08
  • 9
    "we do not store passwords" - this isn't quite true, though. It's more accurate to say "we *shouldn't* store passwords" or "places using even a bare modicum of security don't store passwords". There have been many times where I click "forgot my password" only to have the service helpfully send my plaintext password to my email address. And just like that, I know that password is never secure, anywhere, on any service. – David Rice May 22 '18 at 16:38
  • @David Rice Fair cop mate. – Petro May 22 '18 at 17:55
  • 3
    @DavidRice _"places using even a bare modicum of security don't store passwords"_ Even that assumption can't be relied upon. Twitter is normally responsible enough to use bcrypt to hash their passwords, yet a mistake in their logging process caused all those passwords to be stored in plaintext regardless, with no way for their users to know this had happened prior to their recent and public mea culpa. – jmbpiano May 22 '18 at 19:14
  • 5
    I don't know why this is upvoted so much. So much incorrect information. Rainbow tables are useless against salts, so attackers *absolutely are* going to use GPUs to attack hashes and get much better results in most cases. Email account compromises are not "nothing", they let you *reset your password* on any account using that email, no matter how strong. Email is the "key to the kingdom" and deserves a VERY strong password. An email address is *not* "what you are", it's *not* a secret and knowledge of which address goes with whihc password should *not* be considered part of account security. – Ben May 23 '18 at 16:23
  • 3
    Continuing: the first couple stanzas of a popular song is *not* a good password. Attackers have already used pop songs, bible verses, wikipedia quotes, etc. Easy misspellings and character substitutions can be handled by transformation rules. It's better than "password123" by a long shot (so good for you) but you're comparing it to a 100 character randomly generated password. Song lyrics are nothing even close to that strength. And you talk about hash collisions which are *irrelevant* to the length of the password, along with other unrelated things that just confuse the issue. – Ben May 23 '18 at 16:29
  • Regarding email as "what you are", I had an unexpressed assumption that generally "email address" is used as your identity by many websites/places. Three factor authentication is "Something you are, something you know, something you have"--meaning UserID, Password, Token (lots of places screw this up). So in this sense email address is the proxy for "Something you are". Where do I say that email compromise is nothing? As indicated I have 4 email accounts (at least) with different passwords that *DO NOT GET REUSED* – Petro May 23 '18 at 22:27
  • Also I never said "pop song". If they're using the 20 to 40 characters out of every punk song sold in the 80s...Those are some big a$$ databases. And I I never said a it was as good as a 100 character string. The whole *point* is that a 100 character string doesn't make you secure and doesn't add *much* security over a 16 to 20 character string. I use songs to protect my .ssh keys or gpg encrypted files. Or keepass. You need a long passphrase and there's no place to store it. In keepass I usually use a different randomly created string for everything. But not 100 characters. – Petro May 23 '18 at 22:32

Typically a website will use a weak hashing function for storing passwords, but are you willing to say that none of the websites you use will store the password using encryption, or worse, in plaintext?

By re-using a password, your security is only as strong as that of the weakest of the sites you use it on. It doesn't matter how long or complicated your password is if an attacker can simply read it off a badly-designed server's password-change log.

  • 34,390
  • 9
  • 85
  • 134
  • 7
    My bank (in Germany) only allows passwords of exactly 5 digits. At least the account gets locked after three false entries, but this still doesn't give me much confidence in their IT systems and the security reviews they went through. – helm May 21 '18 at 04:34
  • While storing plaintext passwords has become (thankfully!) uncommon, virtually 100% websites use plaintext authentication. – el.pescado - нет войне May 21 '18 at 08:13
  • @el.pescado What's that supposed to mean? If the stored password isn't plaintext, the authentication itself can't be plaintext either. Am I misunderstanding? – Chris Hayes May 21 '18 at 19:43
  • 1
    You authenticate by sending your password in plaintext (hopefully through secure channel). Server then reads your password, computes hash of that password, and then compares resulting hash with reference hash stored somewhere. That way, server for a moment is in posession of plaintext password. Compare that to eg. Digest authentication (eg. Digest-MD5) and/or Challenge-Response schemes (eg. CRAM-MD5) – el.pescado - нет войне May 21 '18 at 20:19
  • 3
    @el.pescado More than "a moment." One of the things that made Heartbleed so bad was that it exposed such in memory, decrypted information for time frames long enough that they could be retrieved. But barring new vulnerabilities like Heartbleed or using unecrypted connections, the only way to get at that info is to compromise the machine itself, and at that point, you've lost anyway. Also, I'm not convinced that storing passwords plain text is *that* uncommon. – jpmc26 May 21 '18 at 22:16

You assume a perfect system with

in the case that their machine is not compromised in the sense that there is a keylogger installed or the like, and all their browsing sessions are done through an encrypted tunnel,

or at least I assume you do -- that encrypted tunnel had better be good.

But you have no control over the server that holds your password. Even companies that should know better have screwed up their password system recently: GitHub and Twitter have both internally logged or cached plaintext passwords.

There's also no advantage -- you'll never remember that password so you store it in a password manager. At that point you may as well use unique passwords (which are shorter in case you ever have to retype them).

Chris H
  • 4,185
  • 1
  • 16
  • 22

You can find different solutions for password hashing on websites: Memory-hard functions like Argon2 or Scrypt, custom hardware vulnerable, but at least salted functions like PBKDF2, simple hash functions without salt and work factor and - unfortunately not so rare - also storage or transmission of plaintext passwords.

Once a password is compromised, it may appear in password lists that are used to attack other websites. So the problem with password reuse is that security is set by the weakest function and if there is plaintext storage somewhere, the security has dropped to zero, even for actually secure passwords.

  • 246
  • 1
  • 5

There is a risk in reusing passwords even if your password is very strong. If a website that stores passwords in plaintext is breached then your strong password will be available to attackers with no need to brute-force any hashes. In other words, if you use your very strong password on a website that stores passwords in plaintext, the strength of your password achieves nothing.

Unfortunately a lot of websites store store passwords in plaintext and it's not always immediately obvious whether or not a website does this. So it is not safe to reuse a very strong password on the assumption that the hash will not be brute-forced, because it may still end up being stored (and breached) in plaintext.

Micheal Johnson
  • 1,746
  • 1
  • 10
  • 14

TL;DR: Password cracking isn't the only security consideration with password re-use. Sharing a password with multiple sites means if there are any issues with the other sites/your computer/your network apart from crackable passwords you're still at risk.

Some great answers here already but just to add a few more considerations and a summary.

Your question assumes a lot of statements that most people will not be in control of:

their machine is not compromised in the sense that there is a keylogger installed or the like

Don't forget network security too, does your encrypted tunnel validate that it's not being MITMd? What about HTTPS issues, a compromised CA? Another HEARTBLEED style scenario where all the traffic to the site has been compromised because the certificate has been hacked out of it? Also if I wrote a keylogger now, unless there's a large number of infections you're not necessarily going to be able to detect it. Do you log in on other machines that others have used? Do you let other people use your machines? How about mobile devices? Are you updating your computer regularly? What if I watch you type in your password in a public place that has CCTV? Hardware keylogger? Evil maid attack?

..I think this is all a big assumption...

is there a risk in reusing this password for multiple websites if it can possibly never be cracked in their lifetime if a data breach occurred on one of the services they use?

Recently it was revealed while Twitter may store the passwords securely, their logging functionality was leaking it. You're also having to rule out some other implementation specific weakness in all of the site's implementation.

You hint at it in the preface about insecure sites, so I'll assume you're also assuming all the sites you will use this password you know also secure the password securely. For most sites I use online how will I know this? I won't and even if they say they hash passwords securely, there's no guarantees they do.

Use different passwords for different sites. Use a password manager, KeePass is pretty good :-).

  • 1,124
  • 10
  • 14

You're assuming that none of the sites they visit are hostile. If I register on a site and give them my email address and use the same password for this site as I do for my email address then they can log into my email.

Something Mark Zuckerberg actually confesses he did when starting up the facebook.

Mark Z
  • 41
  • 1

If a person was to create a properly random password of sufficient length (e.g. 100+) of very sufficient entropy which is mixed with many types of symbols, numbers and letters; in the case that their machine is not compromised in the sense that there is a keylogger installed or the like, and all their browsing sessions are done through an encrypted tunnel, is there a risk in reusing this password for multiple websites if it can possibly never be cracked in their lifetime if a data breach occurred on one of the services they use?

There's a few problems with this. First and least, the passwords you're suggesting are way too long. There's about 2^6.6 printable ASCII characters. A 20 character uniform random password therefore is sufficient for 128-bit security, and a 39 characters are sufficient for 256 bits. Strong passphrases could conceivably get into the 100+ character territory, but their strength has little to do with the amount of symbols or letters.

The second and bigger problem is that you're putting unnecessary trust on site implementers. If none of the sites ever has a bug that allows an attacker to recover the password, then yes, it'd be safe to reuse the password. The problem is that's a huge "if." It's very easy even for a website that has designed a good password storage system to accidentally disclose your passwords. Consider this very recent Twitter incident (from earlier this month):

Today, Twitter issued an alert to users prompting them to change their passwords after the discovery that some users' passwords had been recorded in plain text in a log file accessible only by Twitter employees.

[...] But because of a coding bug, Agrawal explained, "passwords were written to an internal log before completing the hashing process. We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again."

This is a very easy mistake for a programmer to make; you just throw in a log(LogLevel.DEBUG, "loginRecord = {}", loginRecord) line or similar into your program and somebody else inadvertently turns on debug logging in production. Now multiply this by thousands of programmers over thousands of days over dozens of websites, and the dice are very much against you. Don't reuse passwords. And use a password manager.

Luis Casillas
  • 10,181
  • 2
  • 27
  • 42

Modify the original idea

A modification of your idea could be pretty secure, though. Let's say you generate 64 random bytes of data, then save it to a file. You then choose a "Master Password" that you never tell anyone, and then use that password, the saved file, and the name of the site to generate a site-specific password:

(echo super-secret-password; cat test-rand; echo amazon.com) | md5sum | sed 's/ .*$//' | xxd -r -p | base64

The above command line will always produce the password Tj02tXSPT+cQvN+79QqtjA== from the particular random file I created, but if I change amazon to google, it will produce oX9uOqM0/wUaNzUlTMUcfg== instead.

If I type the master password incorrectly, I get something completely different as output, but so long as I put it in correctly, I always get the same output for the same site, but different output for each different site. Now no one has the "key file" and the master password (a sort of two-factor authentication) needed to generate the site-specific passwords. If amazon is compromised, my google password is not. The passwords each contain 128 bits of randomness, which ought to be good enough for about anything.

Monty Harder
  • 476
  • 3
  • 6
  • 3
    But what happens if for some reason you need to change the password for one website? If you change the master password or the random file you are going to get different passwords for all the websites. So it's a very interesting idea, but it can't beat the convenience of a password manager. – reed May 21 '18 at 22:29
  • 1
    Congratulations, you've invented a rudimentary password manager! Now you can start adding features and hoping you don't mess anything up...or just use an existing one. – Ben May 23 '18 at 16:34
  • 1
    @Ben The difference between this and a password manager is that it doesn't have to store the site-specific passwords. To accommodate changing passwords as reed suggests would require tracking some kind of increment counter per-site, which would be included with the other three items so that the password for amazon.com could be changed to amazon.com-2. And if you have to store that, you might as well just encrypt the actual password and store it instead. – Monty Harder May 23 '18 at 19:08

Password re-use is always a risk evaluation. In practical terms, password re-use is a fact and the question is where to use which set.

However, the real answer to your question is that there are many ways to compromise a password and brute-forcing is actually the least likely one. Sniffers, keyloggers, MitM, compromised servers, various forms of XSS and other web attacks, shoulder surfing, and probably a dozen other ways to your password exist, and for many of them the complexity or length of the password makes no difference.

  • 10,124
  • 18
  • 51

There are many ways a password can be compromised. Using uncrackable passwords, at best, does nothing to mitigate the risk of compromise by other means. In reality, it makes other weaknesses worse.

  • 1,974
  • 1
  • 12
  • 20