One of the challenges that we at Microsoft spent a lot of time thinking about while planning Windows 8 was how to help our customers manage their digital identity in a way that is both convenient and secure. In today's world there is a lot to consider about digital identities: how they are used, and how they are protected.
Currently, the most common way people verify their digital identity is with a password. Passwords are used to sign in to your computer, to your bank, to web merchants, and lots of other places. Our research has shown us that the average person using a PC in the United States typically has about 25 online accounts. That's a lot to keep track of! In fact, the data also shows that the number of unique passwords across those 25 accounts is only about 6.
For folks who spend time thinking about security, that's a worrisome finding, as it shows that the average person reuses the same password across many accounts. Additionally, given that different websites have different password policies (some require alphanumeric characters plus special characters, some disallow special characters, some have minimum password lengths, some don't, etc.), the number of unique passwords across accounts would likely be even lower if websites all had the same password policy.
On the one hand, that's completely understandable. Remembering a bunch of different passwords is difficult, especially for accounts that we don't use frequently. On the other hand, password reuse is very useful to attackers: they know that if they can learn your password for one site, it's highly likely that you use the same password on other sites. Even worse, an attacker can often use access to one of your accounts to reset the password for other accounts, even ones where the password actually is different.
For example, if an attacker can somehow gain access to the password for one of your accounts, there's a strong probability that you use the same password for your web email account. Given that there are only a handful of major web email providers, finding yours is often pretty easy. Once an attacker gains access to your email, they can go to other common sites (major banks, major online merchants, etc.) and use the "lost password" functionality to send a password reset link to the email account that they have already taken over. At that point the email account has effectively become the master key to everything that resets through it.
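The chain described above (reused password, then reset links delivered to a captured mailbox) can be modeled as a reachability problem over a person's accounts. The following Python script is an added example, not code from this post or from Microsoft; the account names, passwords and mailbox addresses in it are constructed sample data, and the `reset_needs_second_factor` flag is an assumed site property standing in for any reset flow that demands more than access to the recovery mailbox. Starting from one leaked password, it first collects every account that reuses it, then repeatedly takes over any account whose "lost password" link goes to a mailbox the attacker now controls, until nothing new is reachable.

```python
"""Blast-radius model for a single leaked password (constructed example)."""

# Constructed sample data: one person's accounts, the password each uses,
# where its "lost password" link is delivered, and whether the reset flow
# demands a second factor beyond the recovery mailbox (assumed property).
ACCOUNTS = {
    "shop.example":     {"password": "Summer2011!",    "recovery_email": "me@webmail.example",      "reset_needs_second_factor": False},
    "forum.example":    {"password": "Summer2011!",    "recovery_email": "me@webmail.example",      "reset_needs_second_factor": False},
    "webmail.example":  {"password": "Summer2011!",    "recovery_email": "backup@othermail.example", "reset_needs_second_factor": False},
    "merchant.example": {"password": "sh0p-un1que",    "recovery_email": "me@webmail.example",      "reset_needs_second_factor": False},
    "bank.example":     {"password": "b4nk-Only-p@ss", "recovery_email": "me@webmail.example",      "reset_needs_second_factor": True},
    "othermail.example":{"password": "different-one",  "recovery_email": None,                      "reset_needs_second_factor": False},
}

# Which account controls which mailbox address (constructed).
MAILBOXES = {
    "me@webmail.example": "webmail.example",
    "backup@othermail.example": "othermail.example",
}


def reuse_stats(accounts):
    """Return (number of accounts, number of distinct passwords)."""
    return len(accounts), len({a["password"] for a in accounts.values()})


def blast_radius(accounts, mailboxes, leaked_password):
    """Map each account the attacker ends up controlling to the reason why.

    Step 1: every account that reuses the leaked password falls immediately.
    Step 2: iterate to a fixed point; any account whose reset link lands in
    an attacker-controlled mailbox falls too, unless its reset flow requires
    a second factor the attacker does not have.
    """
    owned = {}
    for name, acct in accounts.items():
        if acct["password"] == leaked_password:
            owned[name] = "signs in directly with the leaked password"

    changed = True
    while changed:
        changed = False
        controlled = {addr for addr, host in mailboxes.items() if host in owned}
        for name, acct in accounts.items():
            if name in owned:
                continue
            addr = acct["recovery_email"]
            if addr in controlled and not acct["reset_needs_second_factor"]:
                owned[name] = f"password reset link delivered to captured mailbox {addr}"
                changed = True
    return owned


def survivors(accounts, mailboxes, leaked_password):
    """Accounts the attacker cannot reach from the leaked password."""
    owned = blast_radius(accounts, mailboxes, leaked_password)
    return sorted(set(accounts) - set(owned))


if __name__ == "__main__":
    n, unique = reuse_stats(ACCOUNTS)
    print(f"{n} accounts, {unique} distinct passwords")
    for name, why in blast_radius(ACCOUNTS, MAILBOXES, "Summer2011!").items():
        print(f"  {name}: {why}")
    print("untouched:", survivors(ACCOUNTS, MAILBOXES, "Summer2011!"))
```

In the sample data, leaking the one reused password hands over the three accounts that share it, and because one of them hosts the recovery mailbox, `merchant.example` falls on the next round even though its password is unique. `bank.example` resets through the same mailbox but survives only because its reset flow asks for something the attacker does not hold; that is the property a site's "lost password" feature needs if a captured mailbox is not to become a master key.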