well, shucks
With so many things around now that need passwords, its hardly surprising. I have ... let me count on my fingers a moment... maybe seven different "base" passwords I use, with a variety of variations on top - swapping letters for numbers, capitalisation and all that. All the same, there are many places I re-use the exact same one simply because there are so many services that require them. A multitude of shopping sites, webmail, messengers, messageboards (including this one), banking, online phone bills, computer logins... oh look at that, even just counting the CATEGORIES we're one-for-one. There's only so many you can remember. I have a feeling that at one point I had an eighth or even an ninth.... and i've since forgotten it and whatever account that was i've had to request a password reset and fallen back to one of the mainstays.
None of them, incidentally, are written down. If I sort out the mess of my life they may go in a sealed envelope in my will. Otherwise they die with me. And pretty much all of them, except one on a very, VERY old webmail account (we're talking mid 90s here) are "strong" - and the weak one is decidedly non-dictionary anyway.
So if someone was to sniff one of my passwords, AND knew much about my other online habits, AND got the usernames I have for them (again, a small selection, used randomly, and not matching up with passwords), they could get access to other parts of my life too. But then you could say similar for house or car keys... but if they can do that, what's to stop them sniffing the sensitive ones directly?
I'm not bothered however. My bank has other security measures on top, including a secret codeword that it asks for a specific letter out of, and use of an online account number that's not related to my actual current or creditcard accounts.
So if a criminal got the relevant password from elsewhere (1 in 7 chance) AND the right variation (about 1 in 18 or so overall), and knew my bank (a further 1 in 20 or more on top), and some of my typical usernames (call it 1 in 5 multiplication - we're up to about 1800:1 now?)... they've still got to discover the online account number (direct observation - in which case they can also get the password and at least one letter of the secret word - or about a 1:10,000,000 chance) and take a stab at what the codeword was (1 in 36 extra).
They could put the work in to try and discover all that, or maybe just pony up a quid for a lottery ticket. The chance of winning the sub-5-grand figure I can take out without having to call up to authorise a loan or extended overdraft/credit limit (phonebanking itself requiring a further password AND six-digit secret code) is SO much better than guessing all that lot.
Hell, even I can't get in some days, and I KNOW the right stuff to enter!