Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

Why Is It So Important to Use Different Passwords for Everything?

Because not doing so is one of the biggest reasons hackers can gain access to your account.

Using different passwords on different sites is not only good practice, it's necessary to keep your accounts safe. I'll review why, and how best to handle a plethora of passwords.
Question: I keep hearing that I’m supposed to use a different passwords for everything — a different one on every internet site where I have an account. What a pain! I can’t remember all of those passwords. Yeah, I know. You want me to use a password manager thing, but that seems like putting a bunch of really important things into a single basket. What if that basket gets hacked? I use a strong password. Why isn’t that enough?

The hacks of several online services have brought this issue to light once again.

I’m sorry, but a single strong password just isn’t enough anymore. You must use different strong passwords on every site where you have an account.

And yes, you must devise a way to manage them all.

Let me run down an example scenario that’s a cause of all this emphasis on different passwords.

Become a Patron of Ask Leo! and go ad-free!


Different passwords for different accounts

In addition to the risks of exposing your password to malware on your own machine, using the same password everywhere puts you at the mercy of the service with the worst security. Hackers take passwords, email addresses, and user names they discover and try to sign in with them at other online services, which works surprisingly often. Different passwords for everything prevents it.

The all-too-common scenario

The scenario I’m about to describe is very common. While the specifics won’t apply to you exactly, it will conceptually illustrate what can happen.

Let’s say you have an account at some online service, Service A. In addition, you have a Yahoo! account, because you used it years ago; a Google account, because you now use Gmail and a number of other Google services; a Microsoft account, because you have Windows 10; and we’ll throw in a Dropbox account, because you’ve been listening to me recommend it. You probably have other accounts I haven’t listed here, but you get the idea. You have lots of accounts at a number of online services.

You have a wonderfully strong password that you’ve memorized: 16 completely random characters. Maybe something like 24rZFPI69u$c%*jr.

And you use that same wonderfully strong password for all those accounts.

Here’s how it can go horribly, horribly wrong.

Anatomy of a hack

Service A has the best of intentions, but honestly, they don’t “get” security. Of all the accounts you use, they’re the worst when it comes to security.

Perhaps they store passwords in their database in plain text, allowing anyone with access to see them. They do that because it’s easy, , fast, and solves their problem quickly. They assume the database containing your password will be impenetrable.

Hackers love it when site designers make that assumption, because, of course, the assumption is incorrect.

One day, a hacker breaches service A’s security and steals a copy of the user database. The hacker walks away with a database containing the following information for every user:

  • Their login ID
  • The email address associated with the account
  • The password (or enough information from which the password can be determined)1
  • Password hints/security questions

They can log in to your account on Service A. That may or may not be a big deal, depending on what Service A is and how you use it.

But it opens a very dangerous door.

It doesn’t have to be a hack

It’s important to understand that while this example centers around what we hear about in the news most often — the hack of an online service and theft of their user database — it’s certainly not limited to that.

Essentially, anything that could compromise your password at service A brings you to this point. That includes:

And so on.

Anything putting your single password into the hands of a malicious individual puts you at greater risk than you might assume.

Password skeet shooting

They have your email address and a password you use, stolen from Service A. Now the hackers go hunting.

As most people have accounts on one or more of the major services I mentioned, the hackers start trying the information from Service A as if it were the correct information for Gmail, Microsoft, Yahoo, Facebook, Twitter, Dropbox, and more.

They try your login ID and password (or that email address and password) on as many other services as they can.

Very often, it works. The hackers gain access to some other account of yours that was completely unrelated to the initial security breach.

Unrelated, of course, except that you used the same password at both.

If you use the same password everywhere, a single leak of that password anywhere puts all your accounts at risk. Hackers will be able to log in to your other online accounts as well.

OK, maybe not all; maybe only a few. But a few is all it takes.

The weakest link

Note this has absolutely nothing to do with the security expertise of the sites where your account is eventually compromised. Gmail,, Yahoo, and others have excellent security, but that fact doesn’t factor into this scenario at all.

Service A was the weak link. Their security wasn’t up to the task. Their database was breached. Their information was leaked. Your account information and password — the password you use everywhere — was exposed.

Service A was at fault. You were at the mercy of the service that had the poorest security.

But the real problem is your use of that single password everywhere.

It shouldn’t be this way

I’ll happily admit things like this shouldn’t happen.

But they do.

And most services are better at security than our fictional Service A.

But it’s also not a black-or-white equation. Even large corporations, which either don’t know any better or simply make a mistake, can put your information at risk. For example, a hack at Adobe a couple of years ago potentially exposed the passwords of 130 million Adobe account holders. I hate to say you can’t trust anyone, but ultimately, you shouldn’t trust anyone not to accidentally expose your password.

And, as I mentioned above, it doesn’t have to be a big service breach for there to be a problem.

Using a different password on each site limits your exposure if any site is compromised.

Managing lots of passwords

So it comes down to how to manage a lot of different, long, and complex passwords.

I still recommend using a password manager.

Doesn’t that put all my eggs in one basket?

Yes, it does, but it’s a very good basket. And I’ve taken additional steps to ensure that it stays that way.

I’ll highlight two important reasons I consider good password managers secure:

  • They don’t know your master password. They couldn’t tell you what it is if they wanted to. They cannot access your data at all; all they can see is the encrypted data. Even if a hacker were to somehow gain access to their databases the hacker would also be unable to decrypt and view your information, because the password manager does encryption right. Decryption happens locally on your machine, so the only thing ever transmitted between your computer and vault online is the encrypted data.
  • Of course I use a strong password. Add two factor authentication and if you somehow got my master password, you’d still need my second factor in your possession to be able to unlock my vault.

Ultimately, it’s up to you. There are several password managers out there.

The very short bottom line

My recommendation remains:

  • Use long, strong passwords. Twelve characters minimally, ideally more, and randomly generated (there are several random-generator tools available, including one in most password managers). Alternately, and if allowed, use a passphrase at least four words long, ideally with spaces.
  • Use a different password for every login account you have. Every single one.
  • Use a password manager to keep track of them all for you.
  • Use a strong password or passphrase on your password manager itself.
  • Enable two-factor authentication on your password manager of choice, for additional security of that very important basket of information.

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

Podcast audio


Footnotes & references

1: Thankfully, services rarely store the actual password – though of course they could. (If your service can tell you your actual password, then they’re doing it wrong, and they’ve stored the password itself somewhere). Rather, they store what’s called a “hash” of the password. Depending on several factors – typically, poor decisions made by whoever implemented the authentication mechanism – it is occasionally possible for hackers to indirectly reverse-engineer passwords from hashes.

141 comments on “Why Is It So Important to Use Different Passwords for Everything?”

    • Same. Sits on my device(s) not in the cloud somewhere which could at some stage become unavailable… think power outages. Don’t laugh, think Hurrican Katrina type scenarios could easily take out a data centre.

    • I even placed my password database on a NAS placed at home and set up a SFTP connection. Not even on my device….my NAS is my cloud.

  1. One password over many sites. Easy to remember, but the problem is as Leo says.
    One password for a password manager. Easy to remember and passwords are different over all sites (LastPass actually tells you if you repeat a password on a different site.)

    To me, this is a no brainer because I only have to remember one password. And I don’t have to worry if the people at Service A are poor at security.

    p.s. I too use LastPass (I couldn’t get on with KeepPass) but you could always try a few to see what you like.

    • That’s why they call it LastPass. It’s the last password you have to remember. Make it long (20 characters) and strong (not a dictionary word or something available through googling you). Mine is a combination of the initials of a few friends plus a very old, no longer in use phone number.

  2. I’m sure that for people with things to hide, secrets they don’t want revealed and bank accounts with very healthy balances DO need high security. But most of us are not like that. Someone wants to die of boredom reading my emails – fine. They want to log on to the ‘accounts’ I have with online shops I buy stuff from on a regular basis and try to purchase stuff – they’re welcome; it won’t work. They want to see what hobby websites I’ve visited recently – OK. But I can’t believe they are going to waste time on people like me when there are far, far juicier pickings out there.

    • This is actually one of those scenarios where my usual admonition – “You’re just not that interesting” – is backwards. You’re right – they don’t care about most of your email contents or your shopping accounts and the like. But the aggregate of information and accounts that they can gain access to once compromised can add up to a lot of information about you. Identity theft is a common result. They don’t want or care about what you have, they want to set up false identities in your name from which to profit.

      • I think your shopping accounts are very interesting. If you’re using the same username and password for everything, including your Amazon account, and I have that username and password it’s trivial for me to change the shipping address on your account and start ordering up big screen TVs. Many folks leave their credit card info on file at Amazon so that’s not a problem and really good crooks have long ago figured out how to get things shipped to an address not their own.

        Even if I do none of that your credit card info is available to me for whatever nefarious purpose I conjure up.

        • The actual credit card would be encrypted on, so you couldn’t get the card and spend it elsewhere. But you could start ordering those TVs. Hopefully “you” wouldn’t be a very smart crook and would send everything to your home address… smile.

    • Tony Jones – following on from your remarks, I suggest that the use of passwords to get into many sites be recommended but not enforced. I am constantly irritated by required passwords to get into purely informational or discussion sites to ask a question or make a comment. It should be enough for the site to not publish your email address as this one apparently does not. But many sites frivolously require you to set up an “account” and a “password” when there is no possible security issue. Disgusting overkill in my opinion.

      • Actually there’s a very real purpose: spam. Specifically website spam. By forcing the creation of an account some amount of accountability is required … accountability that most spammers simply don’t take the time to engage in. The alternative is what I do here: a combination of an automated spam filtering, plus the expense of having real people monitor what’s being posted. Depending on many factors some sites simply can’t afford the expense.

  3. unless you need 150 different passwords the safest thing to do is buy a writing pad and and write your passwords down. don`t keep anything that could be compromised on your computer. just because you “can” do it electronically don`t mean you have to.

    • Glen, you missed the whole point. LastPass, and other quality password managers, *encrypt* all the passwords on your computer, and only transfer encrypted passwords over the Internet. Not only are your passwords within LastPass NOT compromised, they’re backed up online and safer than anywhere else they could be. If you think writing important information down on pieces of paper is “the safest thing to do,” you’re missing a whole lot more than the point of this article. BTW, I *do* need to track 150 passwords.

      • Reid. LastPass doesn’t encrypt the data that is transferred that’s sent over the Internet. They just fill them into the forms any data on your computer. You’d have to check for an https: (ssl, lock icon) connection to be sure that your transferred data is encrypted. It simply inserts the login information from your computer into the login fields when asked. Yes they are backed up online in encrypted form and synced to all of your computers that share the LastPass login. As for how safe a written password is depends on a lot of factors. I personally wouldn’t trust it.

      • I’m with Glen. I have never seen a computer system which never went down. When Lastpass goes down, you will basically have no access to the Internet. What guarantee do you have that Lastpass is in sufficiently good financial health that they won’t go out of business someday? Then what?

        I have over 100 passwords, well organized on paper. The most important half dozen are memorized.

        • Absolutely agree with Glen & Gord – sometimes technology is not always the answer – you can’t hack paper and a house burglar is only looking for valuables – ( but don’t leave the pad by the computer!!)

          • If you can keep your pad secure, fine. But if you use LastPass, you can back it up very easily so you don’t have to worry about LastPass going out of business. (The program should still work even if the LastPass website goes down)

            How do I back up LastPass?

            Or you can simply keep your passwords encrypted in a text file or spread sheet and copy and past. You can encrypt this file or keep it in an encrypted folder.

        • Having all your passwords and passphrases on a piece of paper is realy not what I call “safe” nor “secure”. I’ve done just that in the past, and lost access to several accounts just because it was on a piece of paper and that paper became unreadeable due to humidity that made the ink bleed, or inks that I discovered as been poor quality as they faded out.
          What about loosing that paper?
          What about someone getting hold on that paper? That someone now have unrestrained access to absolutely all of your accounts.

          • I have a plastic filebox full of index cards on my computer desk. I keep all my IDs, PWs, security Q&As, and the URLs of the sites I use in the alphabetical files. Easy to update, and can also keep other info about the site on each card. I DO use a different PW for each site–about 50 of them–but can usually remember the ones I use most often. I am 78 years old and use a Desktop PC, so I don’t have to take the box with me to a Wifi hotspot.

  4. I have been using computers since Radio Shack produced one. Now in my seventies I have dementia and can’t remember the number of passwords. One of my biggest problem happens when a site says I have to change my password. All of a sudden I get mixed up. Has anyone in my position found an answer? I need help. I am on my own and get very frustrated. Thanks for the opportunity to seek assistance.

    • Doug, in addition to LastPass, I also send my new password to my regular email account (POP3) on my desktop…

      I write down the new password, use a secondary email account (I use, compose a new email there, with the subject line of the software or website name (say XYZ bank), the body of the text has the new password (I always add additional numbers and letters alongside the new password to confuse others if they happen to read my email), then send that email to my normal everyday email account.

      I have set up a file folder in that normal email called “passwords” from where I can alphabetize all the emails (click on the top header of the subject line to alphabetize the column), and can find my needed program or account name. Thus it’s saved in two places. I also use “hushmail” as my email server which can encrypt any email before delivery.

  5. I, too, use LastPass, and have for at least 4 years. Unlike Roboform, it’s free and has never had the problems I encountered some years back with Roboform not working with Firefox. However, there are a few sites that contain absolutely nothing of great importance to anybody (e.g., most forums) for which I use the same password, and it’s not a particularly cryptic one. I don’t care if somebody finds out what my password is on those sites because it won’t get them anything.

  6. I’ve used both keepass and lastpass. They both have their strengths and weaknesses. I’ve found that fewer “work arounds” are needed by me for lastpass so I use it.

    On a slightly different but related subject please be advised:
    A friend recently upgraded from windows 8 to windows 8.1. Please be advised that you will be required to change your administrator password for this update. Write the new password down or you won’t be able to use your Microsoft apps on the windows 8.1 start screen. (mail,people, calendar, one note, skydrive etc) You used to say that you don’t get much help from web based email accounts like,, It seems to me when signing in to your microsoft account to access your windows 8.1 system your should expect “more” help from microsoft then in the past. My friend didn’t write it down and therefore has a big problem.

    • Actually you don’t NEED to change your administrator password. The default process has you logging in with a Microsoft account, which is indeed a different username and password. You can later disassociate the Microsoft Account and login with your old account and password. I know, because I’ve done it. Twice. So far.

      • When I installed Windows 8.1 it appeared that I had to create/or log in to my Microsoft account but when I clicked on the create screen there big as life was an option to use the local account. You won’t see that choice until you click through the create button.

    • The latest Windows Secrets newsletter (Issue 408) (an excellent supplement to Leo’s newsletter) mentions that if you have configured Windows 8 to automatically sign you in, one should disable that feature before upgrading to 8.1 lest you be locked out of the admin account.

  7. Your article raised an idea in my head, not for me, because I do use different, strong passwords, but for those who resist, and will never change their actions.

    How would having a different address for every site be, security wise? Yahoo, for example, has disposable addresses, 500 I think, that you can add to your email account.

    Would having a different address for each account work, as the hacker wouldn’t be able to tie that one password to one email address?

    It seems to me it would at least limit the exposure of those who just use one password everywhere.

    Leo, I hope you’ll comment.

  8. I have used LastPass for quite some time now. I really think it’s great. Hitting the eighty year mark, I need all the help and peace of mind I can possibly get.
    thanks Leo for all your info. Sure comes in handy. chester

  9. “Decryption happens locally on your machine – that means that the only thing ever transmitted between your computer and LastPass is the encrypted data.”

    I have Lastpass installed on one machine, and sometimes log in to my Lastpass online account from a couple of other machines which don’t have Lastpass installed on them. If my data on the Lastpass server is encrypted (and maybe it is not, and I am misinterpreting your statement), then how can I see it when I log in to their server? Is it somehow decrypted the moment I log in?

  10. I just have a six-letter, lower-case base password, then for each account, start with a couple of capital letters that relate to the site, and end with a four-digit number (I have a few different ones I use). Thus, a password for the Ask Leo site would look like this: ALfuture1234 (And no, “future” is not my base word and “1234” is not one of my numbers.) This is easy for me to remember, and none of the passwords could be used to access any other accounts.

  11. I generate all my different passwords using a generator, alpha/numeric/upper/lower/symbol and then, I am sorry, I’ve yet to see a hacker getting into my paper & pen library card system. Pain, but works

      • Yes, one could lose (not loose that’s as in your pants are too big) everything in a fire. Including the pc/laptop/tablet/(not so) smart phone. So all the more reason to back up, back up, back up. And on more than 1 cloud server. Personally I’d use minimum of 3 different servers… because Mr Murphy and I have a very close (and uncomfortable) relationship. Unfortunately. ; )

  12. Good article. This changed my way of thinking and I am a seasoned veteran of Windows IT/repair for twenty years. (Took me long enough.) What you have to understand (and I am telling all my customers) is, the bad guys have upped their game a lot! If you don’t increase security you will go the way of Butch Cassidy and the Sundance Kid (firing your guns into the teeth of technology that is far superior).

  13. I know its not what many think but writing the password down and keeping the sheet of paper amongst other documents is actually the safest option – after all no one can hack that and if you are burgled is the burglar going to search the house for this sheet of paper or are they going to concentrate on loading up your laptop/tv/hifi/jewellery etc??

  14. Good article, as usual, Leo. However I think it misses what I consider as a huge weak spot in one’s defense against attackers : the so-called secret questions.

    If I were a hacker, I would not bother for one second about trying to break the log-in password. I would simply check the “forgotten password” button, and would be redirected to the question “what is the name of my favorite pet ?”. I’d then pull a list of the most used pet names (there mustn’t be more than a thousand…), and voilà : within seconds I receive a fresh, official password bypassing the super-duper one painfully produced and recorded by the user ! Of course, the other questions may vary, but again, mothers’ names are not so many, certaninly not in the many gazillions.

    So, what is the point of protecting your front door by a thick steel door, whereas the back one is left unlocked ?

    Following this enlightening paper, I not only changed my main password, I also posthumously called my first pet zU4hcztrMQ8rX54qkiki, and went to the M2XfqSnPasd96NDP University.

    • Dom, as a genealogist I really want to caution people not to use anything connected to their family, or family pets, as a”hint” for forgotten “User name” or “Password” recovery. Realistically, even an amateur genealogical researcher knows enough to search the internet for such data on family history or background, which for the most part is readily available on that or entire family private information which is easily accessible on current or archived birth, marriage. baptismal/christening, death, memorial announcements, to name a few.
      Robert A.

      • Unless your mother’s name is Eiffel Tower, for example. Pet could be Hamouli. Place I was born was… oh I don’t know Chikfila, Masarati?? So long as you have a strategy for the dumb questions then you are better (never good) to go.

  15. The problem with LastPass, is that when I went to Google it, I got as far typing LastPass and Google suggested some extensions such ‘LastPass Hacked’, which lead to many stories about just how safe EVEN that may be.

    Please note, I read no further.

    So I’ll just continue to do what I do now, use separate passwords for Banking and important things like that, but as for Forums and general stuff I use a ‘masterword’ and an extention to the password that has something to do with the site. For example for Ask Leo, I’ll use MasterPass(leo)

    And as suggested, I keep a notebook. (in my small $50 safe with my latest updated passwords on it!!)

    However I do get the point that if one of those sites, say lame Site A is hacked, they can get other info about me from there, even if it’s some no-name forum.


  16. I am a long time reader of Ask Leo and thank you Leo for all the good advice over these years. At one time you recommended RoboForm as a password manager and I used it up until I had a break-in and my desktop was stolen. I had a long hard PW as you suggested and really didn’t think there was any danger. On my new computer I went to Lastpass as you recommended. There are lots of similarities in the two but a learning curve for each also. Since the break-in I have talked to all of my highly personal accounts and followed up with them, there have been no attempts to sign in to any using my old PWs, so that gives me confidence in PW managers. Thanks Leo.

  17. I use Lastpass as well. The problem for me is using it on my Android phone and iPad. There are Lastpass apps for both and they share the database(paid version of Lastpass). However, the integration is not nearly as good as it is in Windows. It doesn’t appear that Lastpass will fill in username and passwords in other mobile apps, only in the Lastpass browser. Yes, you can copy/paste a complicated password by switching between apps on my mobile devices but it is really a pain to type in a complex rqandowmly generated password. I am hoping to see Lastpass integrate better with mobile apps.

    • Nat,
      I’ve seen this problem also. I think it has something to do with the way Android sandboxes (for lack of a more exact term) apps from one another. It seems apps are restricted from communicating with each other for security reasons. If you use the Lastpass browser then the passwords are part of the app and can be accessed.
      I have encountered cases where the log in fields are properly filled in while using other browsers but it’s not consistent and I can’t determine why it works sometimes and not others.
      I get better results if I access LP from the browser extension while in the browser and enter the master password there. For instance, I use Dolphin a lot. Swiping left from the right edge brings up a screen with the list of add ons. Touching the LP app add on allow you to enter the master PW which often allows Dolphin to fill in the log in fields of the web page.

  18. Oops.

    Re-reading my previous message, I realized that the hacker need not only SEND the message using his target’s address (which I understand is mundane), but also RECEIVE the response thru the same channel, which is not so obvious.

    Sorry for the silly message ; I always thought I’d make a lousy hacker…

  19. Great article Leo. If I could add another suggestion – most people these days have smart phones, and there is a plethora of Apps available that allow you to store your passwords, in a similar way to Lastpass. That is to say that they keep a local (on the phone/ device) unencrypted version of your passwords protected by a password – often the encryption key (so think carefully!). And they often allow you to keep a remote encrypted copy – generally Dropbox or SkyDrive, or another similar service. Actually, I would only select an App that has the remote (encrypted) storage feature.

    This means you have a locally protected copy – phone password, then App password should surely suffice And a remote, recoverable copy that only you have the key for. So, if you lose your phone, you can still retrieve the password database on a new one, or if you upgrade, obviously the same deal.

    And speaking from experience, having different passwords for all sites is a MUST. I couldn’t agree more. I had a fright when LinkedIn was hacked a little while ago, and I realised that my LinkedIn password was used at over a dozen others. Suffice to say that as soon as I heard that news, I spend an hour remedying that little issue.

  20. Just thought I’d point out the ‘ole “Sarah Palin hacknique.”
    Where Gmail, and especially yahoo, are vulnerable to anyone just answering the security questions.
    Yahoo still has default questions like, “The Make of The First Car you Owned.” Which has about 10 possible answers assuming you know the age of the person and the country they live in.
    Others are common like Name of First Pet, which you can easily get by just asking them what their first pet’s name is/was; what street were you born on, what city did you grow up in, etc….
    These questions may as well be what’s your favourite colour between red and blue?
    Whose going to remember that 20 months ago they used anything as a security question anyway.

    Since websites love to send you info to your email like username and password after you first register, the security questions are an easy attack target as well.
    Email sites would do well to abolish the security question aspect of recovery as they have alternative emails and cell phone numbers now for recovery. If you can’t remember your password you use, you sure aren’t going to remember a good security question answer you never use.
    @Dom You can’t really try thousands of possible answers for security questions. Unlike passwords a system will lock you out much quicker after just a few failed attempts at the security question.
    Also once you get the question correct, it just asks you what you want to change the password to. Then you log in with that.

    I just use a password formula system. Some of it’s benefits are that it’s free, I can use it on any system, (not just websites), I don’t have to carry around any physical medium to log in from a different computer. It also won’t stop working for any reason like when a website starts to use a new format to allow users to login that the current program you use doesn’t understand.
    Some downsides are that it takes longer to type in, and it won’t be as cryptographically strong as a more random password can be. This is offset by the fact that one would need to break into multiple servers and try to single you out to crack the formula, an unlikely probability. However if anyone is able to break into multiple servers to get to you, I don’t think any system you come up with really matters.

    @Norman Ransom A single individual that breaks into a house shouldn’t give you much confidence in a complex system’s strength. These people are not MIT grad students. A substitution cypher would likely be too strong for them to crack.

  21. I ‘have’ read the artcle and also agree withe the concept. However I also tried to use last pass, and it was so frustrating and hard to get the account set up and working properly I finally gave up and ditched the whole thing. Sorry users, I won’t be trying any time soon.

  22. Use Truecrypt. You can make a small “container” (encrypetd file) to safeguard your data. It is even portable to use on Mac os’s and linux. There are also sone third party apps that will run your container on Android. Hence you are bombproof as you are not relying on a third party to host any data.

  23. Ridiculous FUD, as is the recommendation to change your password often. Also the correct term is “crackers”, not “hackers”. I expected more from Leo as he’s usually spot on with his articles.

    As a (computer) system builder and repairer I’ve never seen a password compromised unless there was a key logger on the system. Key loggers are quite rare and must be downloaded and installed. If you get one on your system, all your various passwords, encryption, and password storage systems become useless. Every key that you type is seen on some criminal’s monitor. The more complex a password is, the more it stands out as a password.

    Crackers “used to” obtain passwords with cracker tools, which is no longer possible. A program would manually enter a character until it got a positive result, and move on to the next character. Browsers, security, and websites have come a long ways since then. Now you usually get 3-5 tries before you’re locked out.

    Ask any expert, identity theft is now obtained by phishing scams. I challenge anyone to give an example of identity theft in the last 10 years which was obtained by cracking a password. 1000s of systems repaired from malware, I’ve never seen it nor heard of it happening.

    I use one password for all forums, Facebook, websites, etc., and a different password for online banking – so I have to remember the same 2 passwords that I’ve been using for over 20 years.
    If they get my (everything) password I couldn’t care less.

    If they get my online banking password my bank would catch the first transactions not made by me, alert me, and cancel the transactions. It’s part of banking services now for any bank worth having.

    I ran a chat room server for over a decade and was constantly under attack. Not once did anyone crack my password. Not once.

    On the other hand my credit cards have been compromised a half dozen times over the last decade – which had nothing to do with password protection and everything to do with dodgy retail websites. The fix was to open another bank account which is used only for online transactions, and keeping only enough in it to cover my transactions. It’s the same password for both of my bank accounts.

    Users’ time and money is much better spent on Malwarebytes Pro and Avast (Free Edition) – to stop the malware before it gets on your machine. Remember that anti-malware without active protection (such as Malwarebytes Free Edition) is only useful for finding malware after you’re infected.

    • Needless to say we disagree.

      I don’t consider this FUD or scare-mongering, as another commenter put it, at all. The fact that you’ve safely used the same passwords for 20 years is, pretty much, irrelevant in my opinion. While they’ve always been possible, to a certain degree, the majority of the issues that are forcing many security experts to more strongly recommend different passwords for all sites have become more prevalent in recent years. This is in part because so many more people are doing so much more online than 20 years ago, and in part because some of the targets that are getting hacked are themselves becoming enormous and thus enormously tantalizing for those interested in hacking in.

      The most recent attack that actually caused me to finally write this article was the Adobe compromise a few weeks ago. Not only were millions of accounts compromised, but apparently Adobe’s password storage was also less than stellar and could potentially be compromised. As a result the scenario I outline in the article is very real – those attackers can potentially steal email accounts just by trying the same usernames and passwords that they found in the Adobe database at popular email service providers. Once email accounts are compromised, then all matter of maliciousness can follow.

      Naturally it’s up to you if you believe this is a real threat or so much noise. But with the number of security experts, as well as compromised services, reacting with this “use a different password everywhere” recommendation I wanted people to understand why they – and I – take that position.

      PS: One things we do agree on, though, is the “change your password periodically” nonsense. I write more about that here: Is a periodic password change a good thing?

      • We can agree to disagree on this one.

        My opinion is based upon facts over 20+ years of repairing other systems. I’ve never seen anyone’s password compromised unless they were using bad habits or unknowingly gave it to the wrong person/program.

        Amazing how many people still don’t use any anti-malware protection. I hear almost daily “I’ve never had a problem and don’t need it”, right before I point out thousands of instances of malware on their systems. People assume that because their PC doesn’t lock up that they’re not infected. Yet, many are zombie machines used to infect or inflict attacks upon others.

        Email is a good point. I use Hotmail accounts for forums and software. Not a problem if they’re compromised as I have nothing valuable on them.

        Your article about changing passwords was a good read. :)

        • I need an “Edit” button. Other than that I really like the new web site. Computer eyes suffer much less in this format and font. :)

          I’m not questioning that Adobe was compromised nor their “less than stellar” practices leading to users’ passwords being discovered. Surely the intent of the criminals in this instance was money, as it would be an elaborate and ridiculous scheme to simply impersonate people on forums. I suspect that the goal was not passwords at all, but credit card and payment records.

          What I question is the impact of such.
          Has there been a single incident, which you’re aware of, where that password discovery has led to financial problems or any other problems for Adobe users?

          I’d change my mind in a heartbeat if it was known to have creating problems. I’ve not heard of any problems to date.

          And thanks for my favorite quote of the week:
          “My experience here is that too many are overly fearful when they need not be, and not fearful enough when they should.”
          I have use for that statement with customers every day.

          • The recent theft of about 81 million dollars owned by the central bank of Bangladesh and held in an account at a New York federal reserve bank would seem to have required some passwords to accomplish.

  24. Rubbish. Overkill and pure scare mongering.

    Sure, if some has loads accounts and is stupid enough to leave really info on all 50 or so with one 4 letter password that’s rather careless.

    The bottom line is that the vast majority of internet users use perhaps one password for most forums etc, and because there is no choice, enhanced security measures for online banking and other sensitive sites.

    If the internet was as dangerous as this ridiculous exaggeratted article suggesested, 90% of us would be waiting in the food line, or living in homeless shelters.

    Common sense is nesessary in all facets of life, and care does need to be taken with online info and security, but this article is just way over the top.

    Good way to sell software to grandpa and grandma though.

  25. Just wanted to add, DavidW’s message above is pretty much spot on.

    I’ve subscribed and have enjoyed the majority of articles from this site for several years now, but have never read such utter scare mongering rubbish. Get with it. Or try to book a ticket to Mars, but no doubt you’d expect the on board computer to turn to Hal, so would be afraid of that too.

    • In time Leo or I may change to the “dark” side. Both of us have proven to be capable of changing our minds when evidence supports doing so.

      I’ve been a huge Steve Gibson fan since I got on a computer. But I’m just not one to jump on the bandwagon of the experts – simply because they’re experts.

      If customers begin to show up with problems of stolen passwords resulting in problems with other things that use the same password, I’ll change my tune quickly. I haven’t seen it yet, but I’m not foolish enough to believe that it can’t happen eventually.

      And leo makes a very good point about email being compromised leading to many other problems. Never use your primary email account for forums and software registration, in my opinion.

  26. Great article. This is exactly why I use RoboForm to manage my passwords and login credentials. RoboForm generates unique, statistically secure passwords for each website I visit, then stores and replays these passwords for me so I am not tasked with remembering the plethora of different passwords I use, just a single RoboForm “Master Password” to encrypt and protect everything. I highly recommend RoboForm to anyone concerned with security on the web.

  27. I have never understood why a long, complex pw is good until the last minute of last day of the fifth month, at 23:59. But a minute later at six months, it’s no longer safe and must be changed.

    Makes no sense…

  28. After reading the posts here again, I realize I did get rather carried away and was needlessly sarcastic.
    What I do in practice is to use a very long password, with my real email for serious stuff, meaning internet banking.
    Any other sites that require “real” personal info such as Amazon for instance I do the same (but with a different pw of course)

    However for forums, or any site where I use web based email, (throw away accounts with false info) I don’t see the need to use a different pw for each one.

    So Leo does make a good points, as usual, and its a timely reminder too.
    I have never been compromised as far as I know (and certainly not on important sites where sensitive information exists – for such sites I agree with the article and should have stated that in my previous posts.

    However, if I ever find toolbars, or anything I didn’t install myself on any of my PCs – or worse. I will certainly change my tune!

    I have read and enjoyed many of Leo’s posts, and this was in fact the first time I have disagreed.
    I apologize for the unpleasant and bad tone of my previous two posts.

  29. “Alternately, and if allowed, use a pass phrase at least 4 words long, ideally with spaces.” – Yeah:

    “Use a different password for every log-in account you have. Every one.” – I don’t think that *every* account needs to be protected by a strong and unique password (see link below), however, as password managers make it so easy to create strong passwords on a per-site basis, there’s really no reason not to.

  30. There is something that one should be aware of concerning cloudy password managers like LastPass. The tool may be safe, and if you trust that the binary is indeed only sending well-encrypted stuff, then on the technical side these tools are probably safe.
    But there is a weak spot in them, which is a phishing attack:

    Personally, I use the Firefox password vault with a master password. Now it is true that I don’t have the problem of maintaining 150 passwords on machines that change every day, so I have no use for the cloudy thing. But one does need to understand that if a single phising attack succeeds on your lastpass account, you’ve compromised ALL of your stuff, everywhere. This is why I would be reluctant to trust things like a password manager to the cloud. Not that the cloud itself is “dangerous” if you trust the encryption (with binary only code, that’s always a matter of blind trust), but because the access is very phishable. And you won’t even notice it if it is well done.

    • “There is something that one should be aware of concerning cloudy password managers like LastPass.” – Non-cloudy password managers are not necessarily immune from attack either:

      Passwords mainly get compromised in one of three ways:

      1. Credential database theft;
      2. Phishing.
      3. Guessed or otherwise discovered by a dishonest friend/family member/co-worker.

      A strong password provides absolutely zero protection against #1 or #2, but does, to a point, provide protection against #3 – however, so would a basic style passphrase like xkcd’s CorrectHorseBatteryStaple (see link above), so long as it’s random enough not to be guessed by that dishonest friend/family member/co-worker.

      Given the current threat landscape, strong passwords really aren’t as important as many people believe them to be. That said, the threat landscape can change markedly and suddenly – a practice that may not be particularly risky today, could be exceptionally risky tomorrow – and, consequently, it does make sense to use a unique strong/complex password to protect each important account.

      Should you use a password manager to remember those strong passwords? I don’t think it’s a clear yes or no answer. While the most secure option is to rely on your memory rather than a password manager, it’s also much less convenient. In fact, if it weren’t for the convenience that password managers provide, there would probably be even more people who use “password” as their password.

      My strategy is to use a standard passphrase that I customize slightly on a per-site basis – CorrectHorseBatteryStapleBank or CorrectHorseBatteryStapleCreditCard, say – for each of my half dozen or so important accounts, and these are stored only in memory (my memory, that is – not my computer’s!). Passwords for other accounts are stored in a password manager and are also strong and unique – not because they need to be strong and unique, but simply because the password manager makes it easy to do.

      • I fully agree that passwords can be stolen. However, the difference between a cloudy manager like LastPass and “local storage” in one way or another (I’ll come to that), is that the number of potential attackers and the number of potentially corruptible victims is way, way bigger with the cloudy thing, than with the “local” thing. This makes it 1) more attractive for an attacker to attempt doing it (more fish in the sea to catch), 2) harder to protect against.

        You are right that if your machine gets compromised, of course your passwords you will in one way or another use on that machine (be it by keyboard or other) will be potentially compromised. But you need a compromised machine for that. You are also right that friends and not-so-friends could compromise your passwords. But all these attack surfaces are much smaller than “visiting a website”. You don’t have so many “friends” that might compromise your passwords as there are would-be hackers in the world. Your machine gets compromised (I may hope) less often than you visit websites.

        The problem with a cloudy password manager is that it is available *everywhere*, and not just on your machines. Even if a Russian hacker would know the master password of your *local* password manager, he still needs the file to do something with it. But if that same Russian hacker knows your cloudy pass phrase, the cloudy service will offer him everything on a platter.

        And the chances of being tricked by a good phishing attempt into typing nicely your cloudy passphrase on a funny website are way and way higher than the chances of your friends guessing/stealing your passwords or your machine getting compromised to the point of sending your passwords, I would think.

        I’m not saying one shouldn’t use them, but one should weight the risk of getting trapped by these phishing attempts versus the comfort/need of having your passwords available everywhere in the world on every machine in the world (which is exactly the danger of these things).
        If you only use a small number of machines (say, less than 10 or so), then it is probably easier to keep them synchronized locally rather than use a cloudy thing. If you need to have your passwords available on hundreds of machines, which change every day, then indeed such a manager can make you help keep your sanity.

        BTW, you can still use the cloud to synchronize local passwords, by sharing an encrypted file (for instance, on Dropbox). You only have to write a new file when you update or add passwords, and you only have to download it when you synchronize your machines. Locally, you transfer the decrypted passwords in the local password manager. Or you use the Firefox syncing tool. In any case, you won’t be confused with a phishing attempt doing so, because only your *local* password manager is used when visiting websites.

        • “BTW, you can still use the cloud to synchronize local passwords, by sharing an encrypted file (for instance, on Dropbox)” – That’s pretty much what LastPass does, except on its own servers instead of DropBox’s general purpose ones. So I’m not really understanding how you can feel safe with one and not the other.

          • The biggest danger is the phishing. If you are used to type your LastPass passphrase when browsing, you might get caught typing it on a phishing site which makes you believe that it is LastPass asking for your passphrase.
            If your passwords are in your *local* password manager, at no point you would type in the passphrase of the encrypted file that is on, say, your Dropbox folder. You would type the passphrase of your local password manager.
            Now, first of all, visually, the asking for the passphrase by the local password manager is much harder to fake by phishing (it is not a web site pop up), but moreover, any cracker can’t do much with that passphrase because he’s not on your local machine. So EVEN if your passphrase of your local password manager gets compromised, as long as your favorite hacker didn’t get your local system in hands, he can’t do much with it.

            The synchronizing with your encrypted file in the cloud is a special operation which you don’t do when you are browsing. You are only going to fetch that file from Dropbox, and decrypt it (locally) if you need to feed your local password manager with new passwords. It is not part of the browsing process. It is the same as taking a pen and paper pad, to get the new passwords. Clumsier, I agree, than something automatic, but *only necessary when you need to use NEW passwords for the first time* on a given machine.
            There are no phishing attempts possible with that passphrase, as you will never use it “on the web”, but only locally when decrypting your specific password file that you got out of Dropbox.

            However, with something like Lastpass, *no matter how good these guys are*, if your credentials are out, then they HAVE ACCESS. That’s the point. And moreover, because you are supposed to give your credentials while surfing on the web, a phishing attempt is very well possible.

            So, with a local password manager:
            1) phising that works is improbable and
            2) even if a hacker got fishing for your local password manager passphrase, he can’t do much with it

            With a cloudy password file:
            1) phishing is totally improbable (you only use it when NOT surfing to decrypt the file locally when you need to sync NEW passwords)
            2) even if a hacker got your passphrase, he’d still need your Dropbox file (not impossible, but he doesn’t have it right away).

            With a cloudy password manager like LastPass:
            1) phishing is very doable and can be done very convincingly (your BROWSER asks for your passphrase WHEN BROWSING)
            2) your passphrase is all a hacker needs to get served on a platter by LastPass, be it in China or in Argentina.

          • To summarize, the difference between an encrypted password file on Dropbox, and Lastpass, is:
            1) The credentials of your password file have nothing to do with those on Dropbox. Dropbox access, and decrypting the file there, are two totally distinct things. On the other hand, accessing Lastpass, and giving your passphrase, are one and the same thing.

            2) The credentials of Dropbox, AND the passphrase of your encrypted file, are not used when browsing normally. So the chances that you get caught by a phishing attempt for both (which are both needed to get your passwords open and visible) are tiny. You use those double credentials normally when NOT browsing, and in fact, *very rarely* (only when updating new passwords). On the other hand, Lastpass needs your credentials all the time, and while browsing. That makes a successful phising attempt very probable.

            3) The credentials of your local password manager are asked for differently than those of Lastpass, so a phising attempt is harder to set up. But moreover, a hacker cannot do anything with that passphrase because it only serves the *local* password manager.

            So it is not the same.

          • “The biggest danger is the phishing.” – I’m not sure I agree. Platform-specific phishing attempts – which, as far as I know, have only been demonstrated as proof of concept – would be as easy to spot/avoid as any other phishing scheme. Additionally, most password managers provide solid protection against phishing attacks – email verification for new devices/locations and two-factor authentication, for example.

            The biggest risk, to my mind, is that the databases will be stolen/compromised. The simple fact is that nothing is 100% secure. For example, while LastPass has never actually exposed (unencrypted) passwords, their systems have been compromised on a couple of occasions with email addresses, cryptographic salts and hashed passwords being stolen. Next time – and there *will* be a next time: these database are the Holy Grain for cybercriminals – it could be much worse.

            This is why I prefer to keep the passwords for critical accounts only in my head: it’s simply the most secure option.

          • Lastpass servers don’t even have the ability to decrypt the password databases (all decryption happens on your local machine, and your passphrase never travels over the wire) so I’m unclear as to what it is you’re concerned about.

          • “I’m unclear as to what it is you’re concerned about.” – I’m concerned about the fact that nothing is 100% secure. Remember the bookmarklet bug that would have enabled a malicious site to extract logins for other sites from LastPass without the users’ knowledge? Or how about the OTP bug which could have had absolutely devastating consequences, had it been exploited in conjunction with the user details extracted during the breach I mentioned in an above comment? And it’s pretty much a given that other bugs will be discovered down the road. How critical will those bugs be? Your guess is as good as mine.

            To my mind, the most secure option by far when it comes to passwords for important/financial sites is to keep the them in memory, not in a password manager.

          • What makes the Phishing the most dangerous is that it pops up a page which looks exactly like the real one which could trick so many people into giving away their login credentials, and they would have no clue they were phished. I wonder if I would forget to check the address bar if I got the message to log on again. Now I’m aware, but what if I hadn’t heard of this phishing attack.

          • Seriously now.
            As Mark described, the problem with a thing like Lastpass (no matter how integer and competent the people from Lastpass are), is that you are supposed to type your credentials in a pop up while surfing. Normally, that popup is from the Lastpass plugin, and not from the website. But ANY website can make a popup that LOOKS exactly like the lastpass popup. Except that if you’re tricked into typing your lastpass credentials in THAT pop-up, then you’re not sending it to the local lastpass plugin, but rather to the remote phishing website. And then, whoever is receiving that, has your lastpass credentials, and if they have that, then they access all your passwords, from anywhere.

          • “What makes the Phishing the most dangerous is that it pops up a page which looks exactly like the real on which could trick so many people into giving away their login credentials.” – Even if your master password were to be phished, new device/location verification/two-factor authentication would mean that the attacker would still be unable to gain access to your password vault.

            As I said, it’s the yet-to-be-discovered vulnerabilities that concern me more than phishing.

        • “The problem with a cloudy password manager is that it is available *everywhere*, and not just on your machines.” – And that, of course, is also the major benefit of a cloudy password manager: cross-platform compatibility means that password and form data can be automatically synced across all your devices (yeah, you can do this with KeePass/Dropbox, but it’s not as easy/seamless). There’s certainly a trade-off between security and convenience.

          As I said, my preference is to keep my most important passwords – banking, email, etc. – only in my head. All the others are managed by an app.

          • You’ve got my point exactly: “there’s certainly a trade-off between security and convenience”.
            This is what I was trying to get at. A tool like LastPass is (only, I would say) meaningful in this trade-off if you are regularly confronted with having to use a lot of different credentials on a lot of different, changing, machines. A system administrator, for instance.

            If you only need to manage (even many) credentials on a relatively small number of machines which don’t change often (the machines), then my point is that you are way safer with a *local* password manager. You can still keep your credentials “on the cloud”, but in an encrypted file. As such, in the rare cases where you DO need to access them and they are not locally available (because you changed them, or you added a few of them or you are exceptionally on a new machine), you can go through the hassle of decrypting the file by hand, and typing in or copy-paste the credentials in the local password manager. This is what most people need. If they have 10 machines to “synchronize” that will be a lot. If they touch a new machine once every few months, that will be a lot. And if they make new accounts on the web, that will not be so very often. Then they can go through the hassle of the independent, encrypted file on Dropbox or so.
            Because that way, you are protected from every phishing attempt for your credentials that lock up ALL of your credentials.

            IF, however, you do need to log regularly onto a lot of machines, you change very often accounts, passwords and so on, then LastPass is probably a tool that fits your needs. But you should then be aware that there is a weak spot: one single passphrase, that could be phished relatively easily, will give out all of your credentials on the other side of the world.

            It is indeed a tradeoff. My idea is that the tradeoff is rather towards the local password manager for most people. They can keep their electronic equivalent of their pen-and-card system on an encrypted cloudy file if they want to.

          • “A tool like LastPass is (only, I would say) meaningful in this trade-off if you are regularly confronted with having to use a lot of different credentials on a lot of different, changing, machines.” – Not at all. No matter how many accounts/devices you have, it’s extremely convenient to have your passwords and form data automatically synced AND to be able to have form fields automatically filled on any device. But, as I said. I wouldn’t trade security for that convenience when It comes to important accounts.

      • “But all these attack surfaces are much smaller than “visiting a website”. ” – This is an excellent point. Reducing/minimizing the attack surface is a key aspect of security – and not putting your most sensitive passwords into a cloud-based password manager certainly reduces your attack surface. The bottom line is that there’s no such thing as invulnerable code: every OS and app contains security vulnerabilities. And LastPass – which I’ll mention simply because it’s the most popular – is no different. The app has had serious bugs which could have resulted in user ‘passwords being compromised. Additionally, the company has been breached more than once and with email addresses, cryptographic salts and hashed passwords being stolen. Given this, it makes absolutely no sense in my opinion to entrust your most sensitive passwords to LastPass or any other cloud-based manager. The best place for ’em is in the wetware.

        As an aside, it’s also worth noting that the use of a password manager could contravene your bank’s terms of service – meaning that, were somebody to gain unauthorized access to your account and misappropriate funds, it’s possible that those funds would not be reimbursed. Check the small print!

        • Ah, well. My “compromisable” passwords are one and the same, exactly because I don’t care too much that they are compromised. For instance, if a website asks me to make an account before sending me a file or so, I use one and the same (rather complicated, to satisfy most requirements) password. I know that one by heart and I wouldn’t mind if hackers found it out. For forum access and so on, it is also the same, because I really don’t care if someone wants to steal my forum accounts. I don’t “live” on fora, I just go there to ask technical questions or so. I’ll make another account if stolen.

          And then there are the important passwords. Banks, website management, e-mail, backup, machine login, hidden things. Those are different, but they don’t change so often and I don’t need their access on so many different machines, that I need to take the risks involved of such a cloudy manager versus the very small gain in comfort it would bring me. But I can imagine that there are people needing to have a lot of passwords available on a lot of machines (like system administrators, or traveling experts or the like). Then these tools are useful. But they come with a risk. In fact, my bank access is not just “a password”, so it is not even possible with a password manager. I have to click a code on a moving target, graphically, and then there is 2-factor ID. They made it impossible to use any password manager, and I think that’s a good thing.

          I mean, if the point was in the first place that one needs to have different passwords *because of security*, and that this induces you to use a cloudy manager where you make a compromise with security, then that sounds contradictory. I understand that in the end, *you don’t make that compromise either*. You don’t put your important stuff there. In the end we are in fact talking about only unimportant passwords. It is true that there, such a manager can be fun, but I don’t see the point in having different passwords for accounts you don’t care about in the first place.

          The important thing, I guess, is that there is not something “in between”. There are important accounts, and there are accounts you don’t care about. There shouldn’t be accounts “you care somewhat about”. That’s like cryptography: it is strong, or you don’t use it. You don’t use weak crypto. If you need it, it must be strong, and if you don’t need it, well, you don’t need it.

          • “I don’t see the point in having different passwords for accounts you don’t care about in the first place.” – Nor do I. I use different passwords for these accounts simply because my password manager’s auto-generation feature makes it super-easy to create them – and the only reason I use the password manager is because it saves time typing (passwords and forms) and makes syncing super-simple. Security really doesn’t come into it at all.

  31. I use LastPass too. While it appears to be putting all your hard drives in one safe, not only is it a good safe, but you can export your password list in two ways.

    1. Go to More Options -> Advanced -> Export -> LastPass CSV File/LastPass Encrypted File on your LastPass extension icon.

    2. Download LastPass Pocket and use it to open your LastPass vault. Export it using the File menu. LastPass Pocket can open your exported encrypted file even offline.

  32. Suggestion: a compromise might be to list all your sites and classify them into several categories. So, your bank or credit union and other personal sensitive info sites could have a tough password. Other sites that have no value even if they got hacked would be the easy 6 or 8 digit password. Let’s face it, the chances of getting hacked are pretty slim for the average John Q public! Usually you are out there in the limelight or have done something to stick your name in others eyes! Personally, I can’t get along without my password manager Last Pass. Occasionally I will print out Last Pass and stick it aside in my office, in case things go haywire and I lose data. One is dangerous. One to Six is six times less dangerous. Password Manager is better. I’ve used Last Pass for years and I haven’t seen any signs of it being compromised even after they were bought out recently.

    • “Let’s face it, the chances of getting hacked are pretty slim for the average John Q public!” – On the contrary, there’s a very good chance that John Q’s personal information has already been exposed to hackers.

      • 70 million Target customers’ personal information, plus 40 million credit and debit cards
      • 33 million Adobe user credentials, plus 3.2 million stolen credit and debit cards
      • 4.6 million Snapchat users’ account data
      • 3 million payment cards used at Michaels
      • 1.1 million cards from Neiman Marcus
      • “A significant number” of AOL’s 120 million account holders
      • Potentially all of eBay’s 148 million customers’ credentials

      • Yes, and in all those cases, to my knowledge, this has nothing to do with passwords stolen from people, but rather with databases stolen from the companies listed. You may have strong passwords, different ones, and protect them well, if on the other side, the database is stolen, and less than highly secure, then your password stuff has nothing to do with it.

        In as much as my Adobe password is the same as my ubuntuforums account, I couldn’t care less that those having stolen the Adobe file can now post a silly message on ubuntuforums under my fake name there. They may also access my fake Facebook account I haven’t used in 2 or 3 years (I only needed it to access something).

        And credit cards, that has usually nothing to do with *your* account. Usually, the numbers get stolen somewhere (even from a bank!) and your number happens to be in the list ; or you have been typing your credit card number on a doubtful site. There’s no password management that will protect you from that.

        I recon that things get different if you “live” on the internet, with all that social account stuff. But then, you’re asking for trouble.

        • “This has nothing to do with passwords stolen from people, but rather with databases stolen from the companies listed.” – Indeed. Which goes back to the point I made previously about password strength not being as important as many people think. These days, hackers do not attempt to brute-force individual passwords: there isn’t a pimply-faced miscreant somewhere out there attempting to crack your Facebook password with John the Ripper. That’s simply not how things happen. What does happen these days is that hackers phish or, more commonly, steal the databases that contain account information relating to millions of people – and that information is then sold and traded.

          What this means, of course, is that the strength of John Q’s passwords is not particularly important and will have little bearing on whether or not his accounts get compromised: a strong password is just as easy to steal as a long password.

          To be clear, I’m not suggesting that people shouldn’t use strong passwords for important accounts: they should. A strong password can protect you from a dishonest friend/family member/co-worker and from things like Conficker. It cannot, however, protect you from the threats that are by far the most likely to result in your accounts being compromised” phishing and database theft.

          One other point: in the comments above Leo pooh-poohed on this “change your password periodically nonsense.” It’s not nonsense at all; on the contrary, it’s a sensible. Your credentials, along with millions of others, could have been stolen in a database heist and now be up for sale on the dark web. You’ve got absolutely no way of knowing – until, that is, a criminal buys and uses the database. Periodically changing a password will not prevent the password from being stolen, but it will reduce the timeframe during which it can be used – which, with a bit of luck, could save your bacon. And, of course, people who use a password manager have absolutely no reason to not periodically change passwords as the apps make it exceptionally quick and easy to do.

          • Change your password periodically? Sure. But forced password changes every 90 days? No. That’s overkill. Do you know how many people at work I can easily get their password? A lot. Many of them write their passwords (we have several systems requiring different passwords) down in the back of their day planner because they have several passwords, all which must be changed every 90 days, and they just can’t remember them all, mainly because of the frequency. For the one system that doesn’t force the password change every 90 days, I see very few people writing their password down because they get used to the password.

            I don’t know what the right frequency should be, but 90 days is too short. You just get used to using the password and soon it’s time to change it again.

    • I agree with you. One should separate the important accounts from the throw-away accounts, and I don’t see why one couldn’t use the same password for the last category. Unless one has professional needs for the management of a lot of passwords (of customers for instance), or one travels a lot and comes often on new machines.

      • “One should separate the important accounts from the throw-away accounts.” – Or, at least, you should think about them separately. Things that make us more secure usually make life more complicated; things that make life less complicated usually make us less secure (and cloud-based password managers absolutely fall into this category). It’s really a sliding scale, with security at one end and convenience at the other. When it comes to things like your Facebook password, it’s probably okay to push the slider in the direction of convenience; but when it comes to your online backing password, you probably want to push it in the opposite direction.

        • “When it comes to things like your Facebook password, it’s probably okay to push the slider in the direction of convenience” That one really depends on how you use your Facebook account. If someone gets into your Facebook account, they can totally destroy your reputation. Some people use Facebook as their primary means of communication over email. I consider my bank accounts, Email accounts and Facebook as some of my most protected resources on the internet. There are others, but I believe for most people Facebook is among the important ones.

          • “If someone gets into your Facebook account, they can totally destroy your reputation.” – Unless you’re a public figure, it’s probably unlikely that anybody would do that. Realistically, if your Facebook account is compromised, the most likely outcome is that it’ll be used to push out some spam links – as seems to happen day in, day out to Twitter accounts.

            But, you’re absolutely right, and not everybody will have the same opinion as to which accounts are the most important. Nor should they: it’ll be different for everybody (I’d consider my Facebook account to be much more important than I presently do if it were to be connected to a business page). The important thing is that people give the issue some consideration and think about things like whether using a password manager may breach their bank’s terms and conditions and whether or not they feel comfortable entrusting their most important passwords to a company that’s been hacked on at least a couple of occasions with email addresses, cryptographic salts and hashed passwords being stolen and whose app has had some pretty serious security bugs – and will undoubtedly be found to have other security bugs down the road.

            To be clear, I’m in no way knocking LastPass – it’s simply the case that there’s no such a thing as invulnerable code. Every app has weaknesses.

          • I have two remarks on this. As Ray said already, it is up to you to determine whether a specific account is important or not. I fully agree with Leo and others that *important* accounts should have different, and in principle good, passwords. The question is whether you want to run the risk of having *all* of those accounts compromised in one single go for the sake of some convenience offered by something like LastPass, or whether you want to keep those credentials local (and eventually safely encrypted in the cloud with rare access needs).
            I would even say that putting in the same LastPass account, your important passwords, and your throw-away accounts, you have vastly increased the security of your throw away accounts, and you have increased the risk of compromising your important accounts *each time you want to access your throw-away accounts*, because each time, you will use your LastPass credentials.

            The second thing I wanted to say is that if your “reputation” depends on the integrity of your Facebook account, you’re pretty much gone already on the level of cyber security :-) If you depend on an external system totally out of your control for your “reputation”, you’ve put yourself already in an extremely vulnerable situation. If you have no way to tell the people where your reputation is important, that the communication they got from a hacked account was simply that, a hacked account, then you are potentially in serious trouble already. There is much more than a password manager you should reconsider at that point.

          • I’m confused. I think you would agree my reputation is an important asset, yes? I’m on Facebook as part of my business ( So if someone compromised my Facebook account, that could damage my reputation, could it not? Is that not important? You seem to be implying that it should not be, or that if it is, I’m a fool?

          • It’s not so much a question of relying on Facebook for your reputation. Many employers and perspective employers and clients check out Facebook accounts to learn about a person. Unless you have your account invisible to all but friends, if someone posts negative or controversial stuff, those who check your account may get a bad impression. Blocking all but friends would work, but why not just take the extra step and use a good password.

          • “The question is whether you want to run the risk of having *all* of those accounts compromised in one single go for the sake of some convenience offered by something like LastPass.” – I think part of the problem is that people hear the same advice so often – that they need to use a long, complex and unique password for every site – that they accept it without question (a bit like the old echo chamber thing). And if you accept the advice, then the only practical way to remember/manager all those long and complex passwords is to use a password manager – and cloud-based password managers certainly provide the most convenience.

            However, when you take a step back and actually think about things – including the ways that accounts get compromised in the real-world – you realize the frequently churned out password advice that people have come to accept doesn’t make much sense. Firstly, there’s no need to use strong passwords for accounts zero-consequence accounts such as web forums – in fact, there’s no reason not to use the same weak password for every account which falls into this category. Secondly, when it comes to more critical accounts, it’s the length of a password that’s important, not its complexity. Consequently, it’s perfectly okay to use easily remembered passphrases like CorrectHorseBatteryStaple in place of hard-to-remember passwords like $@NVZSdVbbwA4+Pp – and it’s even okay to use modified versions of that passphrase for all your logins (CorrectHorseBatteryStapleBank or CorrectHorseBatteryStapleEmail).

            Given this, the majority of people could probably get by perfectly well without a password manager.

          • @Patrick – BTW, I agree with comments about Facebook. If you’re a politician or otherwise a high-profile public figure, it’s certainly possible that material posted via a compromised Facebook account could be embarrassing or even damage your reputation – and it’s also possible that somebody could be motivated to do it. However, for those of us not in the public eye, I think it’s very much a non-issue.

            As I said, for most of us, probably the worst case scenario is that our account would be used to send out spam – and we’d then need to send out a message saying, “Hey, ignore that last post. My account was hacked I’m not really selling discount Viagra!” In any case, it’s certainly not something that would “totally destroy your reputation.”

          • @ Leo.
            Well, for YOU particularly, it might be a slight little bit embarrassing. It wouldn’t destroy your reputation of course, if your Facebook was hacked, and you have now a nice page where you promote Viagra with a free box of blue pills for every 4 subscriptions to your newsletter. Because nobody knowing you would really think it is *you*. The somewhat embarrassing part is when you start talking about how to secure your facebook account if at the same time everybody can see that your account got hacked. It is the fact of having it hacked, and not what the hacker did with it, that is somewhat damaging.

            This was my point. People know that things like facebook accounts can get compromised. So if strange things happen to it because it is compromised, that doesn’t mean that people would remain convinced that *you* wrote those strange things. But it might be embarrassing to have to admit that you were silly enough to get your account hacked. Even if it is not your fault, it always leaves some kind of “loser” image.

            @Ray: even for a politician, I don’t think it would be a problem for his reputation apart from the “loser” image that it conveys. A politician has the possibility to turn this into some attention grabbing moment, by urging severe laws for computer criminals.
            I think nobody, but really nobody, would associate whatever hackers did on his facebook account with the politician himself, once it gets known that the account was hacked.

            Look at the Sarah Palin affair. I even haven’t any clue as what the hackers did on her site. The only thing that I know is that her account got hacked. That gives kind of a looser image to her (personally I’d say that she must have the computer intelligence of using her maiden’s name as a password, if it isn’t even “password”, but that’s because of the image I had already of that lady). Whether the hackers put up some child pornography, publicity for illicit goods, racist slogans or a communist manifesto, I don’t think anybody in his right mind would associate that stuff with Sarah Palin. That she was the “silly politician woman who got her account hacked” is the worst that comes out of it.

          • @Patrick – It probably wouldn’t destroy your reputation, but it could certainly damage it – in some peoples’ eyes, anyway. I’d certainly view my social media accounts as being more important if I used them for business purposes.

  33. The biggest problem I have these days in regards to passwords is that every website has their own rules. Why can’t there be a “web standard” for passwords? For example, I came up with a phrase I would easily remember. It is 21 characters long with each word capitalized and I changed a letter to a number. This password became a “formula” for how I would set up my various passwords on various websites. I started implementing the formula, until one website said it was too long (they thought 14 characters was enough). I shortened it to 12. Then another website didn’t like that it didn’t have a non-alphanumeric character. I substituted in a character for another letter. But then another website didn’t like that there was a non-alphanumeric character.

    I get that a password manager would take care of all of this; however, that is beside the point. With all these varying and chaotic rules between different websites, it’s no wonder people get frustrated and just use “password.” I think it’s time we had a web standard for passwords.

    • “I think it’s time we had a web standard for passwords.” – Agreed. This would make perfect sense. Complexity rules simply result in people using l33t-speak passwords (“p@55w0rd”) that are no more secure than non-l33t-speak passwords (“password”) – and that are less secure than longer phrase-based passwords.

      • I laughed. Yesterday I picked up a data file from a client. The data was password protected and the password was “password.”

        • Yeah, it’s really quite bizarre. Some people encrypt data that doesn’t need to be encrypted; some people don’t encrypt data that should be encrypted; and some people encrypt data using a weak password which – whether the data needs to be encrypted or not – entirely defeats the point of encryption.

  34. Dear old boy that I am, I keep dozens of all different passwords on a floppy drive in the PC which is always detached unless I can’t remember any of them, in which case I push the drive in, fetch up the one I want before ejecting the floppy and then copy & paste onto the requested form.

    I keep a back-up on a low-capacity xd photo card.

    For some passwords I use long-defunct telephone exchanges and numbers from my childhood and youth. They say the old find it easier to recall facts from way back!

  35. No matter how many warnings you issue to online users to adopt multiple passwords, You’re going to encounter stiff resistance to the idea from many users who will adamantly insist on a password they can memorize. This is especially true of older online users. Even the most savvy Web user cannot memorize every password he or she uses — especially when those passwords are unintelligible gibberish. And nothing generates more frustration than when you try to log in to a site that rejects your password — and you cannot remember what that password is.

    Password managers such as LastPass and Dashlane are fine — until you try to access a site on a public computer — such as those at public libraries — and you cannot remember your password-manager-generated password is.

    I’ve chosen a middle course: Using my password manager to embed my memorized core password within a larger encrypted password that varies from site to site.

    There has to be a middle way between

    • “.Password managers such as LastPass and Dashlane are fine — until you try to access a site on a public computer.” – Actually, both LastPass and Dashlane enable you to access your passwords from any device – including public computers.

  36. I am 75 and cannot figure out how to use Lastpass. I have almost 300 passwords to remember. I keep a looseleaf binder with them in it but my wife says I should not have a written record. If I don’t use the same password for many sites I can’t remember them all. What can I do.

    ps I have tried to buy PCMatic, but it won’t accept my password so I can’t.

    • In your shoes, I’d split my accounts into two categories: unimportant and important. Financial accounts as well as accounts that could act as a gateway to those financial accounts – like email – should obviously all go into the important category. The unimportant accounts – like web forums – can all be protected by the same easy-to-remember, simple password. The important accounts can be protected by a standard passphrase that you customize slightly on a per-site basis. For example, your standard passphrase could be MyWifeNagsMeAboutPasswordSecurity which then becomes MyWifeNagsMeAboutPasswordSecurityBank (for your bank), MyWifeNagsMeAboutPasswordSecurityCC (for your credit card) and so on.

      Passphrases like this are easy for you to remember, but very hard for computers or other people to guess.

      Writing your passwords down really isn’t a problem, so long as you keep your binder in a place whether other people cannot access it.

      • I have a system like that, but with a (pseudo) random string of letters and numbers I’ve managed. The problem with that is so many website and capital letters and punctuation which messes up the memorizability of the password. I’ve had to alter my base password to accommodate that.

        • Yeah, I’ve incorporated numbers and symbols into my base passphrase too for this very reason. Complexity requirements are actually completely nonsensical as they simply encourage the use of shorter l33t passwords (like p@55w0rd) rather than longer passphrases – and length is more important than complexity. For example, according to DashLane’s tool, p@55w0rd could be cracked in 19 minutes whereas MyWifeNagsMeAboutPasswordSecurity would take 336 undecillion years to crack.

          The good news is that silly complexity requirements are now becoming less common.

  37. Just today I got two emails (one from Cineplex and one from Petro-Canada). Both start out “You may have heard about recent security breaches that affected email providers and social media sites that resulted in digital account information (such as usernames and passwords) being made available.” They both go on to let me know that they were not affected but that it is still in my best interest to update my password periodically and don’t use the same password on multiple sites. Makes me wonder if I missed something in the news.

    Anyway, I logged in to both and changed the password, just to be safe. What I found really funny, was that after just reading an email from Petro-Canada on the importance of password security, that when I went to change my password, I had the option of ticking a box to see what my old password was. While they encourage me to take password security seriously, they obviously don’t, since they must be saving my password in clear text to be able to tell me what my old password is.

    • Apparently, I am mistaken. Apparently this is a browser issue. When you log in to Petro-Canada’s website, you use your email address and password. When you go to the account update page, it allows you to update your email address and password on the same page. The password gets filled in automatically because I am using Firefox’s saved passwords feature.

  38. I switched to LastPass a while ago, and took the premium so that I could set up several family members with access if should die. I’m not sure how secure that is. But the other thing is that LastPass can be set up to run 30 days at a time. So now I can log in with a click without entering any passwords. I suspect a lot of people do that. But anyone who steals my computer can do the same. On my phone, at least I need to authorize LastPass with my fingerprint [unless its running in the background]. Of course, if I copied my password from LastPass with the clipboard and have the clipboard history turned on, someone could salvage the last few passwords I’ve used. So it does still boil down to common sense. No use going to the bother of using a password protector and then being too lazy to use it safely…..

  39. correct me if I am wrong but using a password program only allows you to use the computer the passwords are saved on so if you are out and use a different computer you are out of luck as you have no way of using this program….or getting onto sites which require a password???

    • I have LastPass installed on my mobile as well, so I have a copy of my database with me at all times (secured behind the phone PIN and Lastpass PIN/password/fingerprint). WORST CASE I simply look at the password on the phone and type it into the computer I’m using. Now, to be clear, you shouldn’t be logging in to random computers with sensitive accounts anyway — that’s a scary scenario no matter what or how you keep your password(s).

    • Phil. I have 3 different computers that I use the free version of LastPass.
      If I add a new username and a password for a new site, LastPass will show a popup asking if I want to save this sites login information. If I accept it, LastPass will be able to use the new login information when I go to a different computer and login into the new site. On my wife’s laptop, she uses LastPass. She logins with her username, which is her email address, and then enters her password. If I need to use her laptop, I just log her out of the LastPass account and then login with my username and password. LastPass is a great program to have on your computer. The LastPass plugin should be installed on each computer you use. If you use different browsers, you need to install the plugin for each browser.

      Just remember these 3 things. Once you create your master password:
      1. DO NOT FORGET what the master password is.
      2. DO NOT FORGET what the master password is.
      3. DO NOT FORGET what the master password is.

      I have found that sometimes LastPass does not always work on a banking website, but is seems to be getting rare. Most of the time websites do not have problems using the program.

      I hope this helps you.

  40. Considered moving my 68 passwords (several are repeats) under the umbrella of an app like LastPass. So, does this mean I have to re-invent an entirely new set of passwords? And then go to each site to execute a PW change? Is there an extra day in the week to do this? Sites can be obtuse.
    The MAIN REASON for this message however, is to complain that you have listed these remarks in ascending date order. I had read many remarks before realizing that the OLDEST messages were presented first. Current remarks are way at the bottom. I’m unhappy (and surprised) you wasted so much of my time. Otherwise Leo, thanks for your continuously interesting material.
    /s/ John

    • You can keep the passwords you have while you migrate. Lastpass will just start remembering them for you.

      Sorry you’re so upset about the comment order. Either direction actually has problems, and this (most recent at the bottom) is the most common across the majority of websites that I’ve seen. It also reads more naturally (top to bottom).

  41. Leo,

    as usual, you are right on the mark.

    I am one of the lazy ones who does use, reuse, and re-reuse passwords. So far, so good…but I know I am on borrowed time and I need to make a major change as you suggest.

    I once read an article that suggested that you use a passphrase that includes the name of the site (or product that you want to visit. This would go something like “ImagoodboyFirst National Bank 47868.” the only part that changes for each site is the name of the site: ImagoodboyCostco 47868.

    What’s your opinion of that type of scheme?

    Thanks and keep up the good work.

    • That would be safe only if all of the websites you use it on use good practice in their handling of passwords. Even one changed or added character makes the second password completely different from the first. The problem is if a website is hacked which stores your password as plain text or uses poor encryption, a person looking at the password would be able to figure out the corresponding password on another site by substituting the company or website name to that of website they are trying to hack.For example, someone gets your email address-password combination eddiek{at} ImagoodboyFirst National Bank 47868 from a hack at First National and tries it out on Facebook with that email address and ImagoodboyFacebook 47868, they will probably get in. In other words, not safe.

    • Let’s examine the idea of embedding a site/account name within the password: It’s only a matter of time before someone hacks a program like LastPass and gets the database of passwords. When that happens, they’ll know exactly which password goes with which site. And the idea that “the only part [of the password] that changes for each site is the name of the site” allows the hacker to get just one of your passwords, after which it would be trivially easy to decipher the rest. But one of the reasons for using something like LastPass is so that you don’t have to remember passwords, why would you need the site name embedded within the password and/or use the same pattern?

  42. I have used RoboForm for many years and had no problems with it –except that they have recently asked me for my master password. Panic! I created it a long time ago and have forgotten where I saved that info. Yes, I know they warned me about it, but now I have lost everything except the printout I made just before they locked me out completely, and my trusty Rolodex Cards. I will start populating a new password manager as needed. Even if I carve the master password in a local tree trunk, I will at some time forget where it is. So the new master password will be hidden among my Rolodex cards.
    Stolen or burnt up? The odds are worse than those of being hacked.

    (Should I stop using my real name for an email address? I thought it made things easy for my friends and relatives to remember.)

  43. Scrolling through the comments I thought that I can help put some readers at ease regarding the use of LastPass.
    There is a LastPass for Desktop app in the Microsoft store (not the browser extension). It will allow the user to see the contents of their password vault, whether or not the computer is connected to the internet.
    This link explains how LastPass stores the vault contents and where on the computer it is located.
    Besides exporting the contents to a .csv file, it appears that LastPass meets Leo’s mantra of “If it is only in one place, it’s not backed up”. There is a copy on the computer and on the Lastpass servers.


Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.