The Password Mistake Nearly Half of Americans Make
This is a guest post by NBTV Community Member Incognito Cat.
Have you ever considered that nearly half of Americans admit to reusing the same password for multiple online accounts? According to a survey commissioned by Yubico in their blog post "Survey says: Your dog’s name isn’t a password", this is a stark reality. If a cybercriminal gets ahold of a single username and password combo, they could potentially unlock a treasure trove of your personal information across various platforms.
The Power of a Unique Password
In our post "Privacy Strategy: Synthetic Data", we talk about using unique information to protect and secure every online account you have. When you use a different, unique password for each site, you create a powerful barrier. If one account is ever compromised, your others remain safe and sound.
Why is this so critical? The headline from Cybernews says it all: "16 billion passwords exposed in record-breaking data breach: what does it mean for you?". Cybercriminals use a variety of methods to steal your login credentials, often combining technology, social engineering, and human error.
Common Ways Criminals Steal Your Data
Phishing and Social Engineering: This is a deceptive but common tactic. Criminals trick you into willingly giving up your information.
Phishing Emails/Messages: They send fake emails or texts that look like they're from a trusted source, like a bank or social media site. These messages often create a sense of urgency, urging you to click a link and log in. But the login page is a fake, and when you enter your credentials, they are stolen.
Vishing and Smishing: These attacks use fraudulent phone calls (vishing) or text messages (smishing) to trick you into revealing your account details.
Data Breaches and Credential Stuffing: This is a major source of stolen credentials. When a company or website is hacked, the attacker may steal a database of user information. For example, in a famous incident, "Facebook stored hundreds of millions of passwords in plain text". Once a database is stolen, criminals use a method called credential stuffing. They take stolen login information from one breach and use automated tools to try those same username and password combinations on other popular websites. This is the biggest danger of reusing passwords.
Malware and Keyloggers: Malicious software can be designed to steal information directly from your device.
Keyloggers: This type of malware records every keystroke you make, capturing your usernames and passwords as you type them.
Spyware and Information Stealers: These programs secretly collect a wide range of sensitive data from your device, including saved passwords and financial details.
Brute-Force and Dictionary Attacks: These attacks use automated software to guess your password.
Brute-Force: The software systematically tries every possible combination of characters until it finds the right password.
Dictionary Attacks: A more refined version that uses a list of common words, phrases, and weak password combinations to try to gain access. To see some of the most common passwords, check out "25 Worst Passwords of 2025: A Comprehensive Breakdown".
Man-in-the-Middle (MitM) Attacks: These attacks happen when a criminal intercepts communication between you and a website.
Unsecured Public Wi-Fi: When you connect to public Wi-Fi without a Virtual Private Network (VPN) and the site you are using does not use HTTPS, a criminal on the same network can intercept your data, including login credentials.
Other Methods:
Shoulder Surfing: A simple but effective method where someone peeks over your shoulder to see your password. Our post "Don't Be a Digital Lighthouse: Why You Need a Privacy Screen" discusses this danger.
SIM Swapping: A sophisticated attack where a criminal tricks your mobile carrier into transferring your phone number to a new SIM card they control. Once they have your number, they can intercept two-factor authentication (2FA) codes and gain access to your accounts.
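Credential stuffing, described above, has a recognisable shape in a site's own login logs: one source address producing failed logins for many different usernames within a short window, sometimes with a success or two mixed in. The script below is an added example (not code from the original post) that finds that pattern; the "timestamp ip user result" log format and the sample lines are constructed for the example, and the threshold values are assumptions you would tune for a real site.

```python
"""
Spot a credential-stuffing pattern in authentication logs.

Stuffing replays breached username/password pairs against many accounts, so
the signature is breadth across usernames from one source, not repeated
attempts on a single account. Log format and sample lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed log lines in a hypothetical "timestamp src_ip user result" format.
SAMPLE_LOG = """\
2025-01-10T12:00:01 203.0.113.7 alice FAIL
2025-01-10T12:00:02 203.0.113.7 bob FAIL
2025-01-10T12:00:02 203.0.113.7 carol FAIL
2025-01-10T12:00:03 203.0.113.7 dave FAIL
2025-01-10T12:00:03 203.0.113.7 erin OK
2025-01-10T12:00:04 203.0.113.7 frank FAIL
2025-01-10T12:00:05 203.0.113.7 grace FAIL
2025-01-10T12:00:05 203.0.113.7 heidi FAIL
2025-01-10T12:05:00 198.51.100.9 alice FAIL
2025-01-10T12:05:10 198.51.100.9 alice FAIL
2025-01-10T12:05:20 198.51.100.9 alice OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_log(text):
    """Yield (timestamp, ip, user, success) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, user, result = m.groups()
        yield datetime.fromisoformat(ts), ip, user, result == "OK"


def detect_stuffing(text, window=timedelta(minutes=1), min_users=5):
    """
    Return {ip: sorted distinct usernames} for each source IP that tried at
    least `min_users` different accounts inside any `window`-long span.
    One user failing repeatedly from one IP (a forgotten password) does not
    match, because the distinguishing feature is breadth across accounts.
    """
    events = defaultdict(list)  # ip -> [(ts, user)]
    for ts, ip, user, _ok in parse_log(text):
        events[ip].append((ts, user))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        best, start = set(), 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            users = {u for _, u in evs[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_users:
            flagged[ip] = sorted(best)
    return flagged


def compromised_accounts(text, flagged):
    """Usernames that logged in successfully from a flagged IP: review these first."""
    return sorted({user for _ts, ip, user, ok in parse_log(text)
                   if ok and ip in flagged})


if __name__ == "__main__":
    hits = detect_stuffing(SAMPLE_LOG)
    for ip, users in hits.items():
        print(f"{ip}: {len(users)} distinct accounts tried -> {users}")
    print("successful logins from flagged sources:",
          compromised_accounts(SAMPLE_LOG, hits))
```

The second source address in the sample (three attempts on one account, then a success) is deliberately not flagged: that is what a user mistyping a password looks like, and treating it as stuffing would bury the real signal in noise. Accounts that succeeded from a flagged source are the ones whose reused password has most likely already leaked elsewhere.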
As you can see, criminals have many ways to get credentials and try them everywhere. So, how can you protect yourself?
How to Protect Yourself
Use a Password Manager: This is one of the most effective ways to protect yourself. A password manager generates and stores unique, complex passwords for all your accounts, so you don't have to remember them. Look for one with strong security features like end-to-end encryption. Good options include 1Password, Bitwarden, and Proton Pass.
Create Unique, Strong Passwords: A password manager makes this easy by autogenerating long, random strings for you, but the principle is simple: every account needs its own password.
Switch to Passkeys: As we explain in our post "Why Passkeys Are the Future of Online Security", passkeys are a much more secure alternative to traditional passwords.
Enable Multi-Factor Authentication (MFA): This adds an extra layer of security, typically requiring a code from your phone in addition to your password. Even if a criminal has your password, they can't log in without the code. A great authenticator app like Ente Auth makes using MFA simple and secure.
Use a VPN: When on public Wi-Fi, a trustworthy VPN encrypts your internet traffic, keeping it private and secure. We use Proton VPN but there are other great options, such as Mullvad VPN.
Delete Old Accounts: Unused accounts are a security liability. If you're not using them, it's best to get rid of them.
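Most password managers can export your vault as a CSV, which makes it straightforward to check for the two problems this post warns about: the same password used on more than one site, and passwords short or common enough to fall to a dictionary or brute-force guess. The script below is an added example, not code from the original post or from any password manager; the "name,username,password" column layout, the sample entries and the tiny common-password list are constructed for the example (a real check would use the full published lists the post links to), and the 12-character minimum is an assumption.

```python
"""
Audit a password-manager CSV export for reused and weak passwords, and show
the kind of random password a manager generates as a replacement.
CSV layout, sample rows and the common-password list are constructed.
"""
import csv
import io
import math
import secrets
import string
from collections import defaultdict

# Constructed export in a hypothetical "name,username,password" layout.
SAMPLE_EXPORT = """\
name,username,password
bank,alice@example.com,Fluffy2019!
email,alice@example.com,Fluffy2019!
forum,alice,password123
shop,alice@example.com,k7#Qv9!mR2xLp4Wz
"""

# Deliberately tiny stand-in for the published "worst passwords" lists.
COMMON_PASSWORDS = {"123456", "password", "password123", "qwerty", "letmein"}

MIN_LENGTH = 12  # assumed policy minimum


def load_export(text):
    """Parse the CSV export into a list of {name, username, password} dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def estimate_bits(password):
    """Rough strength estimate: log2 of (character-pool size ** length)."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


def audit(entries):
    """Return {"reused": {password: [sites]}, "weak": {site: reason}}."""
    by_password = defaultdict(list)
    for e in entries:
        by_password[e["password"]].append(e["name"])
    # Reuse is the headline risk: one breach unlocks every site in the list.
    reused = {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}
    weak = {}
    for e in entries:
        pw = e["password"]
        if pw.lower() in COMMON_PASSWORDS:
            weak[e["name"]] = "on common-password list"
        elif len(pw) < MIN_LENGTH:
            weak[e["name"]] = f"shorter than {MIN_LENGTH} characters"
    return {"reused": reused, "weak": weak}


def generate_password(length=20):
    """What a manager does for you: a random string drawn from a CSPRNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    report = audit(load_export(SAMPLE_EXPORT))
    for pw, sites in report["reused"].items():
        print(f"reused on {sites}: replace with e.g. {generate_password()}")
    for site, reason in report["weak"].items():
        print(f"{site}: {reason}")
```

The entropy estimate is only a rough guide (a long password built from a dictionary word and a year scores higher than it deserves), which is why the audit checks the common-password list before length. Treat the script's output as a to-do list: every reused or weak entry becomes a site to log in to, change the password to a generated one, and enable MFA or a passkey if offered.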
Take Your Next Steps
It can feel tedious, but taking control of your online security is a vital step. Start by choosing a good password manager and migrating all your accounts. As you go, update your passwords to be unique and strong, or switch to passkeys if a site supports them. Enable multi-factor authentication everywhere you can, and delete any accounts you no longer need. This is one area of your digital life where you have full control, so take advantage of it.
Remember, we may not have anything to hide, but we have everything to protect.
Yours in privacy,
Incognito Cat
Consider supporting our nonprofit so that we can fund more research into the surveillance baked into our everyday tech. We want to educate as many people as possible about what’s going on, and help write a better future. Visit LudlowInstitute.org/donate to set up a monthly, tax-deductible donation.