More than 52% of Britons aged 18-25 are using the same password for lots of online services, suggests a survey.
By doing so they make it easy for hackers to hijack accounts, warned the UK government's Cyber Aware campaign.
The danger was acute because of the sensitive data people typically send via email and other accounts, it found.
About 79% of the 2,261 respondents of all ages said they had sent bank details or copies of passports and driving licences via messaging systems.
"Your email account is really a treasure trove of information that hackers won't hesitate to exploit," said Det Insp Mick Dodge, national cyber-protect co-ordinator with the City of London police in a statement.
The danger of identity theft was significant, he said, because many people who sent personal information via email rarely deleted it.
Bank statements, electronic copies of signatures and other important documents could all be sitting in lists of sent emails, said Det Insp Dodge.
"You wouldn't leave your door open for a burglar, so why give criminals an open invitation to your personal information?"
Reusing a password helps cyber-thieves because they try to use login names and password combinations released in data breaches on many different online accounts to see if they get a hit.
While operators of large online email services try hard to protect login credentials, smaller firms are less prepared for hack attacks which can mean reused passwords go astray.
On average, the survey found, people regularly used at least six other online accounts covering everything from social media to online shopping. Some said they had as many as 21 other accounts they logged into frequently.
The survey suggested that younger people were most likely to use their email password on other accounts. Across the whole sample of respondents 27% reported that they reused the key identifier that unlocked their email.
In response to the findings, the UK's Cyber Aware campaign recommended that people use a strong and separate password for their email accounts.
It also suggested that people should not use the names of children, pets or a favourite sports team for their password.
Such details can be easy to gain from social media accounts, it said.
Wherever possible, said the awareness campaign, people should use two-factor authentication which added another layer of security to online accounts.
Dr Hazel Wallace, a GP and an ambassador for the Cyber Aware campaign, said the start of a new year was often a time that people tried to "reset" their lives by dieting or getting fit.
"When you're making a lifestyle reset it's also important to make a reset to your online health as well," she said. "Hackers can use your email to access all of your personal information by asking for a reset to your passwords for other accounts."