Actual password reuse between two breached web sites with hashed passwords

Study: Measuring Password Re-Use Empirically
Date: February 9 2011

Of the 456 filtered email addresses present at both Gawker and, the passwords were cracked for 161 users with accounts on both sites. 76% of these accounts used the exact same password, with an additional 6% using a password differing only by capitalization or a small suffix.

However, the author cautions that this isn't an accurate estimate since none of the other 123 user accounts with a password cracked for one site but not the other could have had an exact password match either. Taking this into account, along with the 6% similar but not exact match passwords, they adjust the estimate to 49% of the users having similar passwords on the two sites.

Further factoring in the remaining 172 users with uncracked passwords at either site and making the conservative assumption that none reused their passwords this would leave a low-end estimate of 31% password reuse between sites.

<-- Back to Authentication Statistic Index

[Home] [About Us] [News] [Research]

Copyright © 2017