Nearly half of observed login attempts across websites protected by Cloudflare involved leaked credentials. The pervasive issue of password reuse is enabling automated bot attacks and account takeovers on a massive scale.
Lists of real passwords are very useful for helping attackers crack passwords. Lists can be hashed with various algorithms and then the hashes compared against exposed password hashes. If a hash matches then you know the password, without having to actually brute force the password in order to try and match the hash.
Unique, strong passwords are the most safe. Reused passwords are for sure weaker if you use the same login/email along with them, but even if you use the same password with unique usernames, it’s still less secure than unique passwords.
I can use pishadoot everywhere on the internet (bad for other reasons, but as an example) and if I use unique passwords everywhere, my accounts aren’t any less secure, they’re just all easily tied together. If I use unique usernames everywhere but reuse the same password, in theory ALL of my logins are now more vulnerable to attack.
Lists of real passwords are very useful for helping attackers crack passwords. Lists can be hashed with various algorithms and then the hashes compared against exposed password hashes. If a hash matches then you know the password, without having to actually brute force the password in order to try and match the hash.
Unique, strong passwords are the most safe. Reused passwords are for sure weaker if you use the same login/email along with them, but even if you use the same password with unique usernames, it’s still less secure than unique passwords.
I can use pishadoot everywhere on the internet (bad for other reasons, but as an example) and if I use unique passwords everywhere, my accounts aren’t any less secure, they’re just all easily tied together. If I use unique usernames everywhere but reuse the same password, in theory ALL of my logins are now more vulnerable to attack.