Why Can’t I Just Use One Password Everywhere?

Can you use the same password for everything you need one for? Having a lot of different ones is really hard to remember, to the point that I have had to write each one down.

Yes, you can use the same password everywhere, but I really, really, don’t recommend it. The general consensus is that it significantly increases the risk of your accounts being compromised.

There are several approaches to password management that don’t require using one password everywhere, and also don’t require you to remember dozens, if not hundreds, of different passwords.


The risk of one password

There are two risks when using only one password.

First, if any of your accounts are compromised, all accounts are vulnerable. If a hacker is able to get your password for one account, they can now run around and use that password on all your accounts. Not knowing where your accounts are doesn’t stop them, either. Once they have a known good password, they can and do try it on dozens, if not hundreds, of online services. Chances are high they’ll hit one you use.

Second, by using the same password everywhere, you create that many more opportunities for your single password to be discovered. Even if services A, B, and C all have perfect security[1], if you use the same password at all of them as well as at service D, which has poor security, a breach at D hands over your password for all of them.

The ideal world

In an ideal world, you would use a different password for every login.

In an ideal world, your passwords would all be long and complex.

Passwords should be unique, long, complex, and hard to guess — yet you need to remember them all.

Yikes.

I have three alternatives for you.

Let the computer do the work

I don’t mean let your browser remember passwords; I mean invest in a tool like LastPass, which automatically remembers your passwords for you.

In fact, you may never need to actually know any of your own passwords. The fact that your email password is “Z26F2DWPrXux8XjzjDf5” and your bank account’s is “YwRJTNNVqBDcpj28dQ4U” is something you might never actually need to know yourself. LastPass simply keeps track and remembers it all for you.

It can also generate random passwords for you — those two password examples came from LastPass’s “Generate Secure Password” function.

All you need to do is remember exactly one password: the password to unlock your LastPass vault. That’s what LastPass calls the “last password you’ll ever need”.

LastPass can synchronize your information across machines, across browsers, and even across mobile devices. I use LastPass myself and swear by it.

The problem is, of course, if you ever find yourself without LastPass, you may not have your passwords available. I can’t tell you my Gmail password, for example, and that was an inconvenience the other day when I used a computer that didn’t have my LastPass data on it.

Use an algorithm

My second alternative to password management is to use an algorithm. By “algorithm”, I mean a set of rules that you use each time you create a password that you can then use later to remember all your passwords.

For example, you might say your passwords are:

  • The first two letters of the site URL for which you are creating a password
  • The first three characters of the name of your first pet, spelled backwards
  • Your age on your birthday in the year 2010
  • Two characters that indicate what the site is about – perhaps “ba” for bank, “em” for email, and so on – with the first letter capitalized.

According to those rules, my Gmail password might be “goons53Em”.

No one would guess that password, but it’s something I can re-create by the rules without remembering the actual password.[2]

That’s just an example. You would create your own set of rules, using things you can fairly easily remember and some personal information you’re not likely to forget. You can even jot down the algorithm without seriously compromising the passwords themselves.
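The four rules above, written out as a small Python function (an added example, not from the article). It assumes constructed inputs that reproduce the article’s “goons53Em”: the Gmail login is treated as google.com, the first pet is “Snoopy”, the 2010 age is 53, and the site category is “email”; categories beyond bank and email are also an assumption.

```python
from urllib.parse import urlparse

# Category codes from the article's fourth rule ("ba" for bank, "em" for email).
# The remaining entries are a constructed extension for illustration.
CATEGORY_CODES = {"bank": "ba", "email": "em", "shopping": "sh", "social": "so"}


def site_prefix(site_url: str) -> str:
    """Rule 1: the first two letters of the site's host name.

    Accepts a bare host ("google.com") or a full URL; the scheme and a leading
    "www." are stripped so the prefix comes from the site name itself.
    """
    url = site_url if "://" in site_url else "//" + site_url
    host = (urlparse(url).hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    letters = [c for c in host if c.isalpha()]
    if len(letters) < 2:
        raise ValueError(f"cannot take two letters from {site_url!r}")
    return "".join(letters[:2])


def derive_password(site_url: str, first_pet: str, age_in_2010: int, category: str) -> str:
    """Apply the article's four rules in order and join the pieces.

    Note that rules 2 and 3 (pet, age) are identical for every site: only the
    two-letter site prefix and the category code change from password to password.
    """
    pet_part = first_pet[:3].lower()[::-1]                 # rule 2: first three letters, reversed
    category_part = CATEGORY_CODES[category].capitalize()  # rule 4: "em" -> "Em"
    return f"{site_prefix(site_url)}{pet_part}{age_in_2010}{category_part}"


if __name__ == "__main__":
    # Constructed inputs assumed to reproduce the article's example.
    print(derive_password("google.com", "Snoopy", 53, "email"))          # goons53Em
    print(derive_password("https://www.chase.com/login", "Snoopy", 53, "bank"))
```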

Use a tiered approach

Alternative #3 works if you can remember three passwords and distribute them accordingly.

  • One password for a few but extremely important sites. Make this a very secure password — long and complex.
  • A second password for a more numerous set of less important sites. This should be secure, of course, but you might make it a tad easier to remember.
  • One other password for everything else. Perhaps you don’t change this very often, or maybe you only use it for sites where you really, truly don’t care but are required to have a password anyway.

This isn’t an ideal solution, but it’s certainly better than having only one password everywhere.

Additional notes

For years, I used the last alternative. I had four passwords that ranged from extremely important to not-so-much.

I’ve since transitioned to a blend of all of the above.

  • I use LastPass-generated secure passwords on everything I possibly can. I could not tell you these passwords if my life depended on it, but LastPass remembers.
  • I have a select few algorithmically generated passwords. These are lengthy and complex, but I can recall them if need be. I still store them in LastPass, because it’s easier to let LastPass do the data entry when it offers.
  • I have a couple of passwords I’ve been using for years on accounts that ultimately don’t matter. Many of these, ironically, are simply accounts for which I haven’t yet done a password change. Most could work just as easily with a LastPass-generated password.

If you do choose your own passwords, make sure they’re good passwords. A frighteningly high number of account hacks are simply due to password guessing. People who know just a little bit about you are able to simply make guesses at your password, and they’ll be right a frightening amount of the time.

A word about paper

Don’t write your passwords down.

That’s exactly where password thieves know to look. If you must write something, write down a hint to help you remember. But ideally, either use something you can remember on its own, or something your computer can securely remember for you, using a tool like LastPass.


Footnotes & references

1: No such thing, by the way.

2: For the record, that’s not my password. I do use an algorithm for a couple of key passwords, but it’s quite different than what I’ve described here.

2 comments on “Why Can’t I Just Use One Password Everywhere?”

  1. An excellent alternative to RoboForm is the free KeePass Password Safe. It runs on many platforms including most smartphones, which means you can always have passwords securely with you.

  2. I use Roboform and Roboform for Palm (it’s a read-only version that’s maintained via a conduit & hotsync). When I need the passwords, I unlock the Palm database and look it up there.
