July 11, 2026
One Password, Three Accounts, Zero Backup Plan
What auditing real accounts taught me about the habit quietly wrecking our security and the ACSC breakdown that finally explains it simply.

By Iyanu Akintan
3 min read
A few months into running account security audits as part of my SOC analyst training, I stopped being surprised by malware. Malware is predictable. It does exactly what it's built to do.
People are not.
What actually stopped me mid-scroll was something painfully simple: the same password protecting someone's personal email, their Instagram, and their online banking. Three different accounts. Three different levels of "this would ruin my week if it leaked." One password holding the whole thing together.
That's not a hacking story. That's a habit story.
And it turns out it's a universal one. A 2025 enterprise survey by 1Password found that 91% of people know reusing passwords is risky. Only 66% do it anyway which tells me most of us aren't careless, we're just exhausted by the sheer number of logins modern life demands. Verizon's 2025 Data Breach Investigations Report backs this up from the other side: compromised credentials were the leading way attackers broke into systems for the second year running, showing up in 88% of "basic web application" attacks.
So when this infographic from the Australian Cyber Security Centre (ACSC) landed in my feed, I knew I had to share it. Not because the advice is new because I've rarely seen it laid out this cleanly. Here's what stood out to me, plus a few things I'd add from my own time in the trenches.
Stop writing passwords. Start writing passphrases. "Password123" and "Welcome1" aren't passwords, they're invitations. The fix isn't more symbols and forced capital letters, it's length. Four random, unrelated words strung together something like "Purple-Kettle-Mountain-7!" beats an eight-character jumble of symbols every time. Longer is simply harder to brute-force, and a phrase like that is far easier for your brain to hold onto than "Xk9!mQ2".
One password, one account. No exceptions. This is the one people underestimate most. Attackers don't sit there guessing your password. They take logins leaked from one breach and try them everywhere else: your email, your bank, your work account, your socials. It's called credential stuffing, and it works precisely because so many of us reuse. One leaked password can quietly become four break-ins.
Let a password manager carry the weight You're not supposed to memorize 40 unique passphrases. That's what tools like Bitwarden (free and solid), 1Password, or KeePassXC exist for. Remember one strong master passphrase, let the vault generate and store the rest. This one habit change removes most of the temptation to reuse.
MFA is your seatbelt Even a strong passphrase can leak. MFA is the second lock on the door: an authenticator app, fingerprint, Face ID, or security key standing between a stolen password and your account. If you have to choose, pick an authenticator app over SMS codes, SIM-swap fraud makes text message codes the weaker option.
Protect it like it's already compromised Never share a password, write it on a sticky note, save it in a plain text file, or send it over email or chat, including to someone claiming to be "IT support." That specific request is one of the oldest social engineering tricks in the book, and it still works.
Why this hits different from Nigeria Here's the part that made this personal for me. Nigeria's Inter-Bank Settlement System (NIBSS) reported that financial institutions lost about ₦52.26 billion to fraud and cyber-enabled crime in 2024. In 2025, that number fell to roughly ₦25.85 billion a drop of more than half — as banks poured investment into cybersecurity infrastructure and fraud detection, including AI-powered tools. Across the continent, some estimates put the cost of cybercrime to Africa at close to 10% of GDP every year.
That drop isn't an accident. It's proof that when the right defenses go in, losses go down. It's a big part of why I'm building toward AI-powered threat detection for African businesses the fundamentals in this infographic are exactly what I want to help SMEs actually implement, not just know about.
Quick wins before you close this tab
- Pick a password manager and move your top five accounts into it today.
- Turn on MFA for your email first. It's the master key to everything else you own online.
- Run your email through haveibeenpwned.com and see what's already out there.
- Stop reusing even if it's just for banking and email to start. Non-negotiable.
Your password isn't just a string of characters. It's the front door to your digital life. Lock it like you mean it.
Before you go: check haveibeenpwned.com right now.
Come back and tell me what you found I'll go first in the comments. 👇
Further reading: cyber.gov.au