This is what can happen if you use the same passwords over and over

Amelia Murray
Yahoo UK

Using the same passwords over and over again may be a necessity in a login-heavy world, but it's also dangerous.

The typical person has 26 online account log-ins – with the associated passwords and other IDs – so it is no wonder that most of us use the same passwords for more than one service.

But multiple-use passwords are also a hacker's delight.

Kristy Jasper, 28, had almost $6,400 stolen from her business account by fraudsters 18 months ago and police told her the likely cause was her use of identical passwords for numerous online accounts.

These included PayPal, Amazon, LinkedIn, Facebook and a website used to buy office supplies.

Upon checking her accounts she noticed nine online payments had been made to high street retailers such as Argos and Currys.

Police told Kristy Jasper that fraudsters may have been able to steal from her because she had the same password for 12 online accounts. Picture: Jeff Gilbert

The crime was reported to the police and Metro Bank, the account provider, straight away.

“We couldn't understand how this had happened,” said Ms Jasper.

“The police suggested it may have had something to do with our passwords plus other information the criminals found about us on social media.”

The police never fully explained how the fraud occurred.

Metro Bank repaid the money – so it ultimately bore the cost.

Angela Sasse, professor of human-centred security at University College London and director of the UK Research Institute in Science of Cyber Security, said most consumers were unaware of the data accessible via login details.

“Our emails alone could contain plenty of financial information,” she said, “How many of us have sent our bank details to friends, business partners or guesthouses?”

But that's not the full extent of it.

If you've got the same password for your social media accounts, fraudsters could glean personal information from friends and contacts, enabling them to develop a more detailed personal profile.

This would enable them to impersonate you or “steal your identity”.

Once criminals have your password and username for one service, they can check to see if they've been reused on other sites using free online software known as “credential stuffers”, said Chris Underhill, chief technical officer at Equiniti, the cyber security firm.

“Fraudsters enter millions of emails and passwords into this software. Once they click ‘go’, the software starts to build a database of other sites they can access with your information,” he said.

Your details can then be sold on or traded, broadening the risks to which the original owner is exposed.

The prize for the criminals is to be able to access bank accounts or other payment accounts, including PayPal, where payments can be made or money transferred.

In another twist, fraudsters could take over your email or social media account and ask your contacts to send you money, perhaps because you are abroad or have lost your cards, said Nick Mothershaw, director of fraud and identity solutions at Experian, the credit reference agency.

Ms Jasper and her business partner have since changed their passwords and have different ones for each of their accounts.

“It's a huge lesson to learn and we won't be making the same mistake again,” she said.

How do the fraudsters get your password?

Emails that appear to be from genuine firms are often able to garner personal information from recipients by suggesting their accounts have been compromised or that they need to verify their identification.

These messages may also contain links to sophisticated copycat sites, such as an online banking page, which asks for consumers to enter their security details, such as passwords and account details.

Fraudsters also send out “malware” via email which, when accidentally installed by an unknowing user, could access passwords saved on your computer.

“All it takes is one click in a cleverly disguised email, one promoting a special offer, for example, and the malware is downloaded without you realising,” said Mr Mothershaw.

Data breaches are another way criminals access your information.

Millions of MySpace, Adobe and LinkedIn users had their details compromised when the firms were breached between 2008 and 2016.

You can check if your credentials have been compromised in large-scale leaks on

Making it easier to memorise “strong” passwords

Research by Experian showed that the “younger generation” rarely have more than five unique passwords for online accounts while a quarter of those aged over 55 have at least 11.

“We may well have reached ‘peak password’,” said Mr Mothershaw.

Few people can hope to remember scores of unique and complex passwords, so prioritise your email, work accounts and your online banking.

A year ago, the accounts of Facebook founder Mark Zuckerberg were hacked after he broke the golden rule of online security and re-used passwords across platforms.

This was despite the social media giant listing the pro security tip on its website: “Don't use your Facebook password anywhere else online”.

This story originally appeared on The Telegraph and is republished here with permission.