A password breach at one company almost never stays a problem for that company alone. Once a set of email-and-password pairs leaks, it gets tried automatically against thousands of other sites — a technique called credential stuffing. The account that actually gets compromised is often not the one that was breached. It's whichever other account happened to share the same password.
This is why a reused-password count matters more than a strength score, most of the time. A password can be long, random, and technically ‘strong’ by every measure a strength meter checks, and still be the reason two unrelated accounts fall together — because strength describes resistance to guessing, not resistance to reuse.
What a quarterly pass actually looks like
- Open your vault's security overview and sort by reused entries first — not weak ones. Reuse is the higher-leverage fix.
- For each reused password, change it on every account that shares it, not just the newest one.
- Prioritize anything tied to email, banking, or your password manager's own account recovery — these are the accounts that unlock everything downstream of them.
- Re-run the check after major public breaches, not only on a fixed schedule. A quarter is a reasonable default cadence, not a hard rule.
The audit takes minutes once it's a habit. What it prevents — a single old, forgotten, reused password on some account you signed up for once becoming the reason your email gets taken over — is the kind of incident that takes considerably longer to undo.