arxiv: 1706.01939 · v2 · pith:276PAZU4new · submitted 2017-06-06 · 💻 cs.CR

Empirical Analysis of Password Reuse and Modification across Online Service

classification 💻 cs.CR
keywords password · across · passwords · million · reused · services · users · different

Leaked passwords from data breaches can pose a serious threat to users if the password is reused elsewhere. With more online services getting breached today, there is still a lack of large-scale quantitative understanding of the risks of password reuse across services. In this paper, we analyze a large collection of 28.8 million users and their 61.5 million passwords across 107 services. We find that 38% of the users have reused exactly the same password across different sites, while 20% have modified an existing password to create new ones. In addition, we find that the password modification patterns are highly consistent across different user demographics, indicating a high predictability. To quantify the risk, we build a new training-based guessing algorithm, and show that more than 16 million password pairs can be cracked within just 10 attempts (30% of the modified passwords and all the reused passwords).
