Why password reuse is so dangerous
A password is only as safe as the least-secure place you’ve used it. When you reuse one password across sites, you inherit the security of the weakest one. If a small forum with poor security gets breached, attackers now hold a password that may also open your email, your bank, and your cloud storage. This is the mechanism behind credential stuffing: attackers take credentials leaked in one breach and automatically replay them against hundreds of other services, harvesting every account where you reused the same login.
Why small variations don’t help
Adding “1” or the site’s name to a base password (Password!Amazon, Password!Bank) feels safer but isn’t. Attackers know these patterns and their tools try obvious variations automatically. If the base is exposed, the variants fall quickly. Real safety requires each password to be unique and unrelated to the others — which is only practical with a tool that remembers them for you.
The email account multiplier
One account makes reuse especially catastrophic: your primary email. Because email is the reset mechanism for nearly everything else, a reused password that exposes your inbox lets an attacker reset the passwords of accounts that weren’t even breached. This is why security professionals insist your email have a unique, strong password and the strongest available two-factor authentication — it is the keystone of your entire identity.