Psybersafe Blog


Why everyone still reuses passwords

You’ve got 143 accounts. You’re asked to create a new password again! 
So you tweak the one you always use. You add a “!” and a year. Good enough, right?

You’re not alone.

In 2025, despite decades of “don’t reuse passwords” campaigns, 94% of leaked credentials were reused across multiple accounts. That’s why 81% of corporate breaches still come down to one thing: weak or duplicated passwords (CyberNews, Spacelift).

But this isn’t a story of laziness. It’s a story of efficiency and the human brain doing exactly what it’s wired to do.

Behavioural science and why our brains love password reuse

There are a number of biases and shortcuts we mere humans use subconsciously to cope with the information-overloaded world we live in:

  • Cognitive Ease: We default to what’s easy, especially when overloaded and juggling too much.  
  • Goal Gradient Effect: The closer we get to a goal (like finishing the signup), the faster we rush through and cut corners.  
  • Decision Fatigue: Constant password requests can exhaust our willpower, and every new password feels harder when you’ve already made 100 decisions today.  
  • Present Bias: We optimise for convenience now, ignoring future risks. 

Add a system that makes “doing the right thing” harder, and password reuse becomes the path of least resistance.

How hackers exploit (not just “abuse”) our so-called laziness

This isn’t just theory; it happens all the time.

In April 2025, attackers used leaked credentials from other breaches to hijack Spotify Premium accounts. They could do this because people reuse passwords across services (BleepingComputer).


How? They used something called credential stuffing. Credential stuffing sounds fancy, but it’s just a digital “copy and paste” for hackers: they take usernames and passwords stolen in old breaches and try the same pairs everywhere, in banking apps, email, even Spotify.

So, if one of your passwords is leaked in a breach, attackers will try that same combination on your Spotify account, your banking apps, and other online services.
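Credential stuffing has a recognisable shape in a login log: one source tries many different usernames, roughly once each, and most attempts fail because most of the leaked pairs no longer work. The following Python is an added defender-side example, not code from the original post or from Psybersafe; it runs over a few constructed log lines (the `timestamp ip user result` format is an assumption) and flags sources that fit that shape, listing which accounts did succeed from them so those can be reset first.

```python
"""Flag credential-stuffing patterns in login events (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log: one line per login attempt, "timestamp ip user result".
# 203.0.113.7 sprays one guess per user (stuffing); 198.51.100.4 is a normal user retrying.
SAMPLE_LOG = """\
2025-04-02T10:00:01Z 203.0.113.7 alice FAIL
2025-04-02T10:00:02Z 203.0.113.7 bob FAIL
2025-04-02T10:00:02Z 203.0.113.7 carol FAIL
2025-04-02T10:00:03Z 203.0.113.7 dave FAIL
2025-04-02T10:00:03Z 203.0.113.7 erin SUCCESS
2025-04-02T10:00:04Z 203.0.113.7 frank FAIL
2025-04-02T10:00:05Z 203.0.113.7 grace FAIL
2025-04-02T10:01:10Z 198.51.100.4 alice FAIL
2025-04-02T10:01:30Z 198.51.100.4 alice SUCCESS
2025-04-02T10:02:00Z 192.0.2.9 heidi SUCCESS
"""


@dataclass
class SourceStats:
    """Per-source-IP counters used by the detection rule."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    successes: list = field(default_factory=list)


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, user, succeeded)."""
    ts, ip, user, result = line.split()
    return ts, ip, user, result == "SUCCESS"


def summarise(log_text):
    """Aggregate attempts, failures, distinct users and successes per source IP."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, ip, user, ok = parse_line(line)
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if ok:
            s.successes.append(user)
        else:
            s.failures += 1
    return stats


def find_stuffing(log_text, min_users=5, min_failure_rate=0.7, max_attempts_per_user=2.0):
    """Return {ip: summary} for sources that look like credential stuffing.

    The rule: many distinct usernames, a high failure rate, and only about one
    attempt per user. Classic brute force (many tries on one account) fails the
    distinct-user test and is left for a different rule.
    """
    flagged = {}
    for ip, s in summarise(log_text).items():
        if len(s.users) < min_users:
            continue
        if s.failures / s.attempts < min_failure_rate:
            continue
        if s.attempts / len(s.users) > max_attempts_per_user:
            continue
        flagged[ip] = {
            "attempts": s.attempts,
            "distinct_users": len(s.users),
            "failure_rate": round(s.failures / s.attempts, 2),
            # Accounts that accepted a leaked password: reset these first.
            "compromised": sorted(set(s.successes)),
        }
    return flagged


if __name__ == "__main__":
    for ip, summary in find_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {summary}")
```

The thresholds are starting points, not universal constants: tune `min_users` and `min_failure_rate` to your own login volume, and remember that stuffing tools rotate source addresses, so grouping by IP alone will miss distributed campaigns; grouping by user agent or ASN as well closes some of that gap.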

If you want to check whether your email address has appeared in a known breach, enter it at https://haveibeenpwned.com/, a trusted service that shows where and when your email may have been compromised.

[Image: sample output from https://haveibeenpwned.com/]
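Have I Been Pwned also lets you check whether a specific password has appeared in a breach, and it does so without ever receiving the password: the client hashes it with SHA-1, sends only the first five hex characters of the hash to `https://api.pwnedpasswords.com/range/<prefix>`, and receives every suffix that shares that prefix with a breach count, so the match is done locally. The Python below is an added example going a step beyond the email check the post describes; it is not code from the original post or from Have I Been Pwned. The range response it matches against is constructed: the suffix for the word `password` is its true SHA-1 suffix, but the other suffixes and all counts are made up, and the live `fetch_range` helper is shown for reference and not called.

```python
"""k-anonymity check against a Pwned Passwords range response (added example)."""
import hashlib
import urllib.request

# Constructed stand-in for the API response for prefix 5BAA6 (a real response has
# hundreds of lines). Only the suffix 1E4C... is real (SHA-1 of "password");
# the other suffixes and every count here are invented for the demo.
CONSTRUCTED_RANGES = {
    "5BAA6": (
        "0C1F9E2B7B4C6A1C2D3E4F5A6B7C8D9E0F1:2\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "FFAABBCCDDEEFF00112233445566778899A:1\r\n"
    ),
}


def sha1_prefix_suffix(password):
    """Hash the password and split the hex digest into the 5-char prefix sent
    to the service and the 35-char suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(text):
    """Turn 'SUFFIX:COUNT' lines into {suffix: count}."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix):
    """Live lookup against the real endpoint (not used by the offline demo)."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "range-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def offline_range(prefix):
    """Offline stand-in for fetch_range backed by the constructed data."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def pwned_count(password, range_lookup=offline_range):
    """Return how many times the password appears in the (looked-up) range,
    or 0 if it is absent. The full hash never leaves this function."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(range_lookup(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(f"{candidate!r}: seen {pwned_count(candidate)} times (constructed data)")
```

To use it for real, pass `range_lookup=fetch_range`; a non-zero count means the password is in a public breach corpus and should be retired everywhere it is used, which is exactly the reuse problem this post is about.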

Okay, so what actually works (without turning your life into a cybersecurity bootcamp)?

  • Use a password manager: It removes the friction that causes reuse in the first place. This is the easiest fix.
  • Let go of “memorable passwords”: If you can remember it easily, attackers can probably guess it easily, so let the tech do the remembering (see “use a password manager”, above).
  • Watch for weird activity: Unexpected logouts, login alerts from odd locations, or MFA prompts you didn’t trigger.
  • Use passphrases only when you must: If you’re not using a manager, use a long, unique phrase, and certainly do not use a variation of an old one.
  • Treat your main email account like a vault: It’s the key to your entire digital life, so never reuse anything there.
  • Enable MFA (multi-factor authentication) where possible: It’s one extra hurdle a hacker can’t jump through without you. This is the best way to keep your accounts more secure!

Here is a closing thought 

Most people aren’t careless; they’re just overloaded. And developing good cyber habits is not about preaching; it’s about designing ease, removing friction, and understanding how humans behave.

Want to nudge your team toward better cyber habits (and fewer password headaches)? Check out Psybersafe, where behavioural science meets practical, fun, and bite-sized cyber training. Fewer lectures and more “aha” moments.

We love behavioural science. We’ve studied it and we know it works. If you want to know more about the science of persuasion and influence, and behavioural science in general, have a look at our sister site https://influenceinaction.co.uk/

Sign up to get our monthly newsletter, packed with hints and tips on how to stay cyber safe. 


Mark Brown is a behavioural science expert with significant experience in inspiring organisational and culture change that lasts.  If you’d like to chat about using Psybersafe in your business to help to stay cyber secure, contact Mark today.