Measuring the Risk Password Reuse Poses for a University

Presented at PasswordsCon 2025 by

Password reuse can leave organizations exposed for years. We analyzed two decades of university account data to see how deep the risk goes. By cross-referencing usernames with hundreds of known breaches and cracking weak hashes, we guessed the password for 32% of the university accounts. Many of these reused passwords stayed active for years, and those appearing verbatim in breaches were almost four times more likely to be exploited than tweaked variants. Most affected users had no idea their accounts were at risk. In this talk we will share what we uncovered about long-term password reuse and how any organization can deal with this ever-present threat.