The typical person has 26 online log-ins – with the associated passwords and other ID – so it is no wonder that most of us use the same passwords for more than one service.
But this can be dangerous.
Kristy Jasper, 28, had almost £4,000 stolen from her business account by fraudsters 18 months ago and police told her the likely cause was her use of identical passwords for numerous online accounts. These included PayPal, Amazon, LinkedIn, Facebook and a website used to buy office supplies.
Upon checking her accounts she noticed nine online payments totalling £3,800 had been made to high street retailers such as Argos and Currys.
The crime was reported to the police and Metro Bank, the account provider, straight away.
Our emails alone could contain plenty of financial information. How many of us have sent our bank details to friends, business partners or guesthouses
Angela Sasse, UCL and RISCS
“We couldn’t understand how this had happened,” said Ms Jasper.
“The police suggested it may have had something to do with our passwords plus other information the criminals found about us on social media.”
The police never fully explained how the fraud occurred. Metro Bank repaid the money – so it ultimately bore the cost.
Angela Sasse, professor of human-centred security at University College London and director of the UK Research Institute in Science of Cyber Security, said most consumers were unaware of the data accessible via login details.
She said: “Our emails alone could contain plenty of financial information. How many of us have sent our bank details to friends, business partners or guesthouses?”
But that’s not the extent of it.
If you’ve got the same password for your social media accounts, fraudsters could glean personal information from friends and contacts, enabling them to develop a more detailed personal profile.
This would enable them to impersonate you or “steal your identity”.
Once criminals have your password and username for one service, they can check to see if they’ve been reused on other sites using free online software known as “credential stuffers”, said Chris Underhill, chief technical officer at Equiniti, the cyber security firm.
“Fraudsters enter millions of emails and passwords into this software. Once they click ‘go’, the software starts to build a database of other sites they can access with your information,” he said.
Your details can then be sold on or traded, broadening the risks to which the original owner is exposed.
The prize for the criminals is to be able to access bank accounts or other payment accounts, including PayPal, where payments can be made or money transferred.
In another twist, fraudsters could take over your email or social media account and ask your contacts to send you money, perhaps because you are abroad or have lost your cards, said Nick Mothershaw, director of fraud and identity solutions at Experian, the credit reference agency.
Ms Jasper and her business partner have since changed their passwords and have different ones for each of their accounts.
“It’s a huge lesson to learn and we won’t be making the same mistake again,” she said.
How do the fraudsters get your password?
Emails that appear to be from genuine firms are often able to garner personal information from recipients by suggesting their accounts have been compromised or that they need to verify their identification.
These messages may also contain links to sophisticated copycat sites, such as an online banking page, which asks for consumers to enter their security details, such as passwords and account details.
Fraudsters also send out “malware” via email which, when accidentally installed by an unknowing user, could access passwords saved on your computer.
“All it takes is one click in a cleverly disguised email, one promoting a special offer, for example, and the malware is downloaded without you realising,” said Mr Mothershaw.
Data breaches are another way criminals access your information.
Millions of MySpace, Adobe and LinkedIn users had their details compromised when the firms were breached between 2008 and 2016.
You can check if your credentials have been compromised in large-scale leaks on haveibeenpwned.com.
Making it easier to memorise “strong” passwords
Research by Experian showed that the “younger generation” rarely have more than five unique passwords for online accounts while a quarter of those aged over 55 have at least 11.
“We may well have reached ‘peak password’,” said Mr Mothershaw.
Few people can hope to remember scores of unique and complex passwords, so prioritise your email, work accounts and your online banking.
Eight characters is the ideal minimum for passwords – try using short, random words with a combination of lower case and upper case letters and a sprinkling of numbers and symbols.
Bruce Schneier, an American cryptographer and computer security professional, suggested making a memorable sentence into a password.
For example, “no man is an island” could become “N0mI5aI” and “two wrongs don’t make a right” could be “2Wdm1R”.
Don’t keep records of passwords on your computer, in an email or in notes on your smart phone.
Prof Sasse said “the safest way” is to write them down on a pad of paper and “keep this locked away”.