Edinburgh Napier University

  Security and authentication are ubiquitous problems that impact all modern networked systems. Password-based authentication systems are still prevalent, and information leaked via other channels may be used to attack networked systems. Researchers have previously used email addresses as an identifier in leaked data breach information to understand password reuse and behaviours, but this has its limitations. In this work, we explore the use of passwords themselves as identifiers in linking accounts together to provide an alternative view of large-scale reuse. We filter for high entropy passwords on the Compilation of Many Breaches (COMB) data set, which contains 3.2 billion email/password combinations. Using this approach, we find that passwords are reused 13 times on average, with a username reuse rate of 66.7% (compared to 40% when considering emails mergers). We identify that potentially malicious actors are engaging in large-scale email and password generation and reuse, which also appears to be prominent on social media.