Setting passwords is the most common method to protect people’s online activities. Security of passwords has been recognized as an issue that is getting more serious along with time since password attacks are one of the most popular attacks people are facing within daily lives and the chain reactions after being attacked. Although many researchers proposed that the users need to avoid reuse passwords on different accounts along with other strategies, the consequences of password reuse have not been formalized. This thesis provides a formal model to quantify an attacker's effort in password attacks to indicate the level of security. Following theorems and rigorous proofs, the thesis illustrates that avoiding password reuse is more important than using strong passwords in terms of the security for user’s all accounts.