Near-identical password reuse is a persistent and often overlooked risk, even where password policies exist. The article explains that attackers increasingly gain access through credentials that technically satisfy policy requirements, because users make small, predictable changes to an existing password rather than choosing a new one. Examples include Summer2023! → Summer2024!, P@ssword → P@ssword1, Welcome! → Welcome?, and AdminPass → adminpass, each of which leaves the underlying structure essentially intact.
Specops research found that a 250-person organisation may collectively manage an estimated 47,750 passwords, which broadens the attack surface and makes near-identical reuse a practical workaround for users. The piece notes that traditional policies fail to stop this pattern because modest variations satisfy both history and complexity checks while remaining highly repeatable and easy to predict from a single leaked credential. It presents Specops Password Policy, which scans for known breached passwords and enforces policy from a central point, as a way to address the problem.
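To make the failure mode concrete, the following is an added example written for this page; it is not code from the article or from Specops. It contrasts a conventional history rule (reject only an exact repeat of the old password) with a similarity check that lower-cases both strings, strips the digits and symbols users bolt onto the ends, folds a few common substitutions, and rejects the change when the edit distance is small. The substitution table, the edit-distance threshold of 2, the minimum stem length of 4 and the sample changes are all assumptions made for illustration. One practical caveat: a check like this can only run at change time, when the user has just supplied the old password in clear text; passwords already in a stored history are hashed and cannot be compared this way.

```python
"""Added example: near-identical password reuse check (not from the article or Specops).

Compares a conventional "not equal to the previous password" history rule with a
similarity rule that catches small, predictable edits.  The LEET table, MAX_EDITS,
MIN_STEM and the sample password changes are assumptions made for illustration.
"""
import re
from typing import List, Tuple

# Assumed substitutions that users treat as interchangeable when "changing" a password.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e"})
MAX_EDITS = 2   # assumed: at most this many edits apart counts as "the same password"
MIN_STEM = 4    # assumed: stems shorter than this are too short to compare meaningfully


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) using a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute (free if equal)
        prev = cur
    return prev[-1]


def stem(pw: str) -> str:
    """Lower-case, drop leading/trailing digits and symbols, fold leet substitutions.

    'Summer2023!' and 'SUMMER#24' both reduce to 'summer'; 'P@ssword1' to 'password'.
    """
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())
    return core.translate(LEET)


def naive_history_check(old: str, new: str) -> bool:
    """What a conventional history rule enforces: the new password is not an exact repeat."""
    return new != old


def similarity_check(old: str, new: str) -> bool:
    """Return True if `new` is acceptable, False if it is a near-identical variant of `old`."""
    # Case changes and one or two tweaked characters: caught on the raw strings.
    if levenshtein(old.lower(), new.lower()) <= MAX_EDITS:
        return False
    # Same word with a different year, suffix or decoration: caught on the stems.
    s_old, s_new = stem(old), stem(new)
    if min(len(s_old), len(s_new)) >= MIN_STEM and levenshtein(s_old, s_new) <= MAX_EDITS:
        return False
    return True


# Constructed sample changes: the article's four examples, a heavier rework of the
# first one that a raw edit-distance check alone would miss, and one genuinely new
# password for contrast.
SAMPLE_CHANGES: List[Tuple[str, str]] = [
    ("Summer2023!", "Summer2024!"),
    ("P@ssword", "P@ssword1"),
    ("Welcome!", "Welcome?"),
    ("AdminPass", "adminpass"),
    ("Summer2023!", "SUMMER#24"),
    ("AdminPass", "tractor-violet-lamp-42"),
]


def evaluate(changes: List[Tuple[str, str]] = SAMPLE_CHANGES):
    """Return (old, new, passes_naive_history, passes_similarity) for each change."""
    return [(o, n, naive_history_check(o, n), similarity_check(o, n)) for o, n in changes]


if __name__ == "__main__":
    for old, new, naive_ok, sim_ok in evaluate():
        print(f"{old!r:14} -> {new!r:26} history: {'ok ' if naive_ok else 'REJ'}"
              f"  similarity: {'ok ' if sim_ok else 'REJ'}")
```

Every one of the article's examples passes the naive history rule and fails the similarity rule; only the unrelated passphrase passes both. The stem comparison is what generalises beyond the article's single-character cases (Summer2023! to SUMMER#24 is four raw edits apart but the same word), and the minimum stem length keeps all-digit or all-symbol passwords from being collapsed to an empty stem and wrongly matched.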