A new study finds more than eight in 10 Americans reuse their passwords, and many others continue to use inadequate security practices when it comes to the passwords they use to protect their accounts.

The data gathered by multi-authentication security provider SecureAuth and research firm Wakefield Research found that not only do people use the same password more than once, they also use the same login credentials for at least 25 percent of their accounts.

Read: Five Steps Businesses Can Take To Make Two-Factor Authentication Better And More Secure

While most millennials are more tech savvy and open to new and more secure forms of authentication like biometrics, their password practices are worse than the general population. A whopping 92 percent of millennials said they reuse passwords, compared to 81 percent of Americans overall.

Even more troubling, more than one in three people—36 percent—reported they use the same password for 25 percent or more of their online accounts.

Despite the rampant reuse of passwords—a major security shortcoming—most Americans are very concerned about the possibility of their account information being stolen. Sixty-nine percent said they were more worried about their online information being stolen than their wallet.

Structure Security
Newsweek is hosting a Structure Security event Sept. 26-27 in San Francisco Newsweek Media Group

Many Americans have already experienced such a breach of an online account. Thirty-six percent of people surveyed said they have had an online account hacked—including 50 percent of millennials.

Read: OneLogin Hacked: ID Manager Database Breached, User Information Compromised

Of those people who have fallen victim of a hack, 91 percent reported the account breach carried severe repercussions for them. The biggest issue for those who have been hacked include spam messages (42 percent), account lockouts and money stolen (38 percent) or an unauthorized purchase being made from their account (28 percent).

About one in five people—19 percent—who had an account hacked reported having personal information stolen, including Social Security numbers, date of birth, photos, tax records and other sensitive personal files.

“Adaptive access control and identity-based detection techniques such as, geo-location, device recognition, and phone number fraud prevention work invisibly to the user simultaneously strengthening security and providing a positive customer experience,” Je Kukowski, CEO of SecureAuth, said.

The practice of reusing passwords puts users at increased risk in the case of a data breach. Once passwords are stolen from one site or service—an occurrence that happens regularly—a malicious actor could use that password to gain access to another account belonging to the same user.

Given the number of massive database breaches, including those from sites like LinkedIn or Yahoo that included millions of users, it is relatively easy for an attacker to cross reference an account and use the stolen credentials to attempt to break into another account.

Additional security protocols like using two-factor or multifactor authentication or using a password manager to generate more secure, unique passwords can provide some additional protection from these types of attacks.