Most people obsess over password strength and ignore password reuse. The math says they have it backward. A 12-character random password used uniquely across every account is more secure than a 30-character password reused on two sites. Here’s why — and what to do about it.
The math of password breaches
Every year dozens of large services are breached; 2024 alone saw Ticketmaster, AT&T and a string of Snowflake customer tenants, along with countless smaller sites. A typical breach hands the attacker a database of email addresses and password hashes. How fast those hashes fall depends on how the site stored them: unsalted MD5 or SHA-1 dumps are mostly cracked within days, while bcrypt, scrypt or Argon2 hashes give up only the weak and common passwords, which is still a large share of any user base. Some sites skip hashing entirely, and phishing pages and infostealer malware capture passwords in cleartext. Either way, the recovered email+password pairs end up traded on criminal forums.
What happens next is called credential stuffing. Attackers feed the leaked pairs into automated tooling that tries them against every major service: Gmail, Amazon, your bank, Facebook, Netflix, Instacart. Wherever the same email+password combination works, the attacker is in. The attack runs across millions of accounts, is spread over proxy networks so no single address trips a rate limit, and costs the attacker almost nothing.
If you used the same password on the breached site and another site, you are now compromised on both. It doesn’t matter how strong the password was — it’s known now.
Why strength still doesn’t save you from reuse
Imagine you have one 30-character password: j#9K$mN2pQ!vX@8rT&5wL*3zH!7bF%. Nobody will ever guess it: drawn from 94 printable characters it carries close to 200 bits of entropy, far beyond any offline cracking rig. Then LinkedIn gets breached, and it turns out the site stored passwords unhashed, or the password was captured by a phishing page or an infostealer on your laptop, and the cleartext lands in a credential dump. It's now worthless. The attacker doesn't need to brute-force it; they have it.
If you used that password on Gmail, your bank, and Amazon, all three are now compromised. One breach, three accounts gone. Strength protects you only against guessing; it does nothing against disclosure, and you don't control how a site stores, logs, or handles what you type into it. Uniqueness is the property you do control.
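To put numbers on the strength-versus-reuse argument above, here is an added Python example written for this page (it is not code from any password manager or from the tools mentioned here). It assumes a 94-character generator alphabet, order-of-magnitude guess rates for unsalted MD5, bcrypt and a rate-limited login form, and a made-up 5% annual breach chance per site; none of these are measured figures.

```python
import math
import secrets
import string

# Alphabet a typical manager's generator draws from: the 94 printable ASCII characters (assumption).
ALPHABET = string.ascii_letters + string.digits + string.punctuation
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed guess rates, order of magnitude only, not measurements:
GUESS_RATES = {
    "md5_unsalted_gpu_rig": 1e11,  # fast unsalted hash cracked offline on a GPU rig
    "bcrypt_cost12_gpu_rig": 1e5,  # slow hash on the same rig
    "online_rate_limited": 10.0,   # guessing against a live, rate-limited login form
}


def generate_password(length: int, alphabet: str = ALPHABET) -> str:
    """Draw every character uniformly from the OS CSPRNG, as a manager's generator does."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def expected_crack_years(bits: float, guesses_per_second: float) -> float:
    """Expected time to guess a uniformly random secret: half the keyspace at the given rate."""
    return 2 ** (bits - 1) / guesses_per_second / SECONDS_PER_YEAR


def crack_table(length: int) -> dict:
    """Years to crack a random password of this length under each assumed guess rate."""
    bits = entropy_bits(length)
    return {name: expected_crack_years(bits, rate) for name, rate in GUESS_RATES.items()}


def p_any_breach(p_breach_per_site: float, sites: int) -> float:
    """Chance that at least one of `sites` independent services is breached in a year."""
    return 1 - (1 - p_breach_per_site) ** sites


def accounts_lost_per_breach(reused: bool, sites: int) -> int:
    """A breach or cleartext leak at one site exposes every account sharing that password."""
    return sites if reused else 1


if __name__ == "__main__":
    # Guessing side: both lengths are out of reach at every rate, so extra length buys nothing here.
    for n in (12, 30):
        years = {k: f"{v:.1e} years" for k, v in crack_table(n).items()}
        print(f"{n} random chars: {entropy_bits(n):.0f} bits, {years}")
    # Disclosure side: with 50 sites at an assumed 5%/year breach chance each,
    # some breach is near-certain; reuse turns that one breach into 50 lost accounts.
    print(f"P(some site breached this year) = {p_any_breach(0.05, 50):.2f}")
    print("accounts lost, reused password:", accounts_lost_per_breach(True, 50))
    print("accounts lost, unique password:", accounts_lost_per_breach(False, 50))
```

The guessing table is the part most people focus on, and it is flat: 12 random characters already sit above 78 bits, which no listed rate reaches in a human timescale, so going to 30 characters changes nothing an attacker can exploit. The disclosure model is where the difference lives, and it depends only on how many accounts share the password.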
Unique passwords: the only real defense
Unique passwords turn every breach into a local event. LinkedIn gets breached, your LinkedIn password leaks, you change it on LinkedIn, nothing else is affected. The attacker’s credential-stuffing runs against Gmail and your bank fail because the password you used on LinkedIn never existed on those sites.
Unique passwords are the single most important thing you can do for your online security. Not strength, not complexity, not length — uniqueness. The only reason most people don’t have unique passwords everywhere is that remembering 200 unique passwords is impossible. Which is why password managers exist.
Password managers: the solution that actually works
1Password, Bitwarden, and Dashlane all solve this problem the same way: you memorize one strong master password, and the manager generates and stores a unique random password for every site you use. The vault is encrypted under a key derived from the master password with a slow key-derivation function, so the provider holds ciphertext it cannot open. The manager autofills on login, so you never type (or even see) the actual password, and because autofill is matched to the site's domain, a look-alike phishing domain gets nothing. Each password is unique per site and long enough to be uncrackable by brute force.
Bitwarden has a free tier that is enough for most individuals. 1Password costs about $3/month per user. Both are better than any spreadsheet or text file, and immensely better than password reuse.
How to move off of reuse
You don’t have to fix every account at once. Do this in order:
- Install a password manager. Today. Bitwarden is free, takes 5 minutes.
- Set a strong, unique master password: 14+ characters, or a passphrase of five or six randomly chosen words, never used anywhere else. Write it down on paper and keep it somewhere safe.
- Enable MFA on the password manager itself. Especially for cloud-synced ones.
- Pick 3 accounts to fix first: your email (password resets for everything else flow through it), your primary bank, and whichever account holds a stored payment method. These are the crown jewels.
- Generate a unique password for each using the manager’s built-in generator. Or use our Password Generator.
- Continue for the next 20 accounts over the next week. Focus on anything that touches money, identity, or work.
- Check your existing passwords against breach data using our Password Leak Checker. Anything that’s been leaked needs to be changed.
Audit what you currently have
Most password managers can export the vault as a CSV. Run it through our Password Audit Tool: it's 100% browser-local (we never see your passwords) and flags weak, reused, and short passwords so you know what to fix first. The export is plaintext, so delete it securely as soon as the audit is done. Then walk through the Password Reuse Checker as a self-audit across the accounts you use most.
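As an added example of what an export audit and a leak check do under the hood (written for this page; it is not the code behind our tools or any vendor's), the Python below parses a constructed export using a subset of the columns in Bitwarden's CSV layout, flags reused and short passwords, and then runs the k-anonymity range lookup that Have I Been Pwned's Pwned Passwords API uses: only the first five hex characters of the password's SHA-1 are sent, the server answers with every suffix it knows under that prefix, and the match is made locally. The server side is simulated offline here with a made-up leaked-password corpus; the real endpoint is GET https://api.pwnedpasswords.com/range/<prefix>.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample export (subset of Bitwarden's CSV columns). Every row and
# password below is made up for this example.
SAMPLE_EXPORT = """name,login_uri,login_username,login_password
LinkedIn,https://www.linkedin.com,alice@example.com,Summer2023!
Gmail,https://mail.google.com,alice@example.com,Summer2023!
Bank,https://bank.example,alice,Summer2023!
Netflix,https://www.netflix.com,alice@example.com,kittens
Amazon,https://www.amazon.com,alice@example.com,j#9K$mN2pQ!vX@8rT&5wL*3zH!7bF%
"""

MIN_LENGTH = 12

# Constructed stand-in for the breach corpus: password -> times seen in dumps.
LEAKED = {"Summer2023!": 3, "kittens": 120, "password": 9_000_000}


def audit_export(csv_text: str, min_length: int = MIN_LENGTH) -> dict:
    """Flag reused and short passwords in a manager export; nothing leaves the machine."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    sites_by_password = defaultdict(list)
    for row in rows:
        sites_by_password[row["login_password"]].append(row["name"])
    reused = {pw: sites for pw, sites in sites_by_password.items() if len(sites) > 1}
    short = [row["name"] for row in rows if len(row["login_password"]) < min_length]
    return {"entries": len(rows), "reused": reused, "short": short}


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase hex SHA-1 into the 5-char prefix that is sent and the 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def simulated_range_server(prefix: str, leaked_counts: dict) -> str:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
    Returns every known hash sharing the prefix as 'SUFFIX:COUNT' lines; the server
    never sees the full hash, so it cannot tell which password was checked."""
    lines = []
    for pw, count in leaked_counts.items():
        p, s = sha1_prefix_suffix(pw)
        if p == prefix:
            lines.append(f"{s}:{count}")
    return "\r\n".join(lines)


def breach_count(password: str, range_body: str) -> int:
    """Client side: look for our own suffix in the range response. 0 means not in the corpus."""
    _, suffix = sha1_prefix_suffix(password)
    for line in range_body.splitlines():
        found, _, count = line.strip().partition(":")
        if found == suffix:
            return int(count)
    return 0


def check_leaked(password: str, leaked_counts: dict = LEAKED) -> int:
    """Full k-anonymity exchange against the simulated server."""
    prefix, _ = sha1_prefix_suffix(password)
    return breach_count(password, simulated_range_server(prefix, leaked_counts))


if __name__ == "__main__":
    report = audit_export(SAMPLE_EXPORT)
    for pw, sites in report["reused"].items():
        print(f"reused on {sites}: seen in breaches {check_leaked(pw)} times")
    print("too short:", report["short"])
    print("strong one leaked?", check_leaked("j#9K$mN2pQ!vX@8rT&5wL*3zH!7bF%"))
```

The order of the checks matters in practice: a password that is both reused and present in the corpus is the one to rotate first, because the stuffing described above is already possible against every site in its list. Against the live API the only change is replacing simulated_range_server with an HTTPS GET of the prefix; the suffix comparison stays local.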
FAQ
Isn’t using a password manager a single point of failure?
Yes, which is why you protect it with a strong master password plus MFA. Even when a password manager's own infrastructure is breached (LastPass, 2022), what leaks is vaults encrypted under a key derived from your master password: attackers get encrypted blobs, not cleartext passwords. The LastPass aftermath also showed the limits of that protection: metadata such as site URLs was stored unencrypted, and vaults belonging to users with short master passwords or old, low iteration-count KDF settings could be cracked offline. Note that MFA guards the login to the service, not a stolen vault blob; against offline cracking only the master password stands. Password managers are not a perfect defense but they're dramatically better than reuse.
What if I already used the same password on 50 sites?
Assume that password is compromised and change it everywhere you used it. Prioritize email, bank, and any service with a stored payment method. Work through the list over a week or two — you don’t have to fix them all at once, but the longer you wait the bigger the exposure.
What about passkeys?
Passkeys are better than passwords for sites that support them (Google, Apple, Microsoft, 1Password, and a growing list). A passkey is a public-key credential bound to the site's origin: a look-alike phishing domain can't invoke it, and a breached server yields only public keys, which can't be stuffed anywhere. Enable them wherever offered. Until every site supports them, unique passwords plus MFA remain the fallback.