John and Jane each have accounts at forty different Websites. John uses the same password at all of them because it is too difficult to maintain multiple passwords in his head, while Jane uses a password manager to ensure she can use a different password for each site without having to remember any of them.
Both of them have memberships at example.com, and by some twist of fate they both end up using the same password, OJ01GzVWR5.
In fact, they both use the exact same forty Websites. Along comes Pat, a malicious security cracker. Pat manages to bypass the incredibly deficient security at example.com and download the unencrypted database of usernames and passwords.
With this database in Pat’s grasp, the malicious security cracker makes a list of a hundred high-value Websites, mostly including financial institutions. Pat starts running the username and password pairs in the unauthorized copy of the authentication database.
Because Pat’s strategy involves entering each username and password combination only once, a direct attempt to access each of the hundred sites once per account name is all that is needed. This neatly avoids problems like the potential of being locked out of a highly secured site. In fact, it turns most sites — however well-designed — into a trivial exercise to access under someone else’s credentials, as long as some people use the same username and password everywhere.
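The scenario above is the reason per-account lockout counters are blind to this kind of attack: each account sees only one attempt, so no threshold is ever crossed. What does stand out is a single source touching many distinct accounts in a short time. The following script is an added example, not code from the original article; it runs a naive per-account lockout check and a per-source distinct-account check over a constructed login log (the log format, the documentation-range addresses, and the thresholds of three failures and five accounts per five-minute window are all assumptions made for the example).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log (not from the article). Source 203.0.113.7 tries
# eight different accounts exactly once each, the pattern the story describes;
# 198.51.100.20 is an ordinary user who mistypes a password three times.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z src=203.0.113.7 user=john result=success
2024-05-01T09:00:02Z src=203.0.113.7 user=jane result=fail
2024-05-01T09:00:03Z src=203.0.113.7 user=alice result=fail
2024-05-01T09:00:04Z src=203.0.113.7 user=bob result=fail
2024-05-01T09:00:05Z src=203.0.113.7 user=carol result=success
2024-05-01T09:00:06Z src=203.0.113.7 user=dave result=fail
2024-05-01T09:00:07Z src=203.0.113.7 user=erin result=fail
2024-05-01T09:00:08Z src=203.0.113.7 user=frank result=fail
2024-05-01T09:01:00Z src=198.51.100.20 user=mallory result=fail
2024-05-01T09:01:10Z src=198.51.100.20 user=mallory result=fail
2024-05-01T09:01:20Z src=198.51.100.20 user=mallory result=fail
2024-05-01T09:01:30Z src=198.51.100.20 user=mallory result=success
"""

# Assumed log line layout: timestamp, source address, account name, outcome.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, user, result) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the assumed layout
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"]))
    return events


def per_account_lockouts(events, max_failures=3):
    """Classic control: accounts whose failure count reaches the lockout threshold.

    One attempt per account never reaches it, so the stuffing source is invisible here.
    """
    failures = defaultdict(int)
    for _, _, user, result in events:
        if result == "fail":
            failures[user] += 1
    return sorted(u for u, n in failures.items() if n >= max_failures)


def stuffing_sources(events, window=timedelta(minutes=5), min_accounts=5):
    """Sources that attempt at least min_accounts distinct accounts inside one window.

    Returns {src: peak distinct-account count}. Aggregating by source rather than
    by account is what exposes the one-try-per-account pattern.
    """
    by_src = defaultdict(list)
    for ts, src, user, _ in events:
        by_src[src].append((ts, user))
    flagged = {}
    for src, attempts in by_src.items():
        attempts.sort()
        start, peak = 0, 0
        for end in range(len(attempts)):
            # slide the window start forward until it fits within `window`
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            peak = max(peak, len({u for _, u in attempts[start:end + 1]}))
        if peak >= min_accounts:
            flagged[src] = peak
    return flagged


def accounts_to_reset(events, flagged):
    """Accounts that a flagged source logged into successfully: the reused passwords."""
    hits = {user for _, src, user, result in events
            if src in flagged and result == "success"}
    return sorted(hits)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-account lockouts:", per_account_lockouts(evs))
    srcs = stuffing_sources(evs)
    print("suspected stuffing sources:", srcs)
    print("accounts to force a reset on:", accounts_to_reset(evs, srcs))
```

On the sample data the per-account check locks only the legitimate user who mistyped a password, while the per-source check flags the address that walked eight accounts in seven seconds and lists the two accounts it succeeded on, which are exactly the ones whose owners reused a password from the breached site and need a forced reset.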
The end result is that Jane’s bank account remains secure, while John’s gets cleaned out the next day, and it is all because he took the advice of some security “expert” whose credentials largely consist of a piece of sheepskin and a job at a big-name security vendor that does not actually produce anything innovative.
Sometimes, though, when advice sounds too good to be true, that is because it is not true. The perfect example is when someone tells you that you do not need unique passwords to be secure.