The hacks of several online services brought this issue to light once again.
I’m sorry, but a single strong password just isn’t enough anymore. You must use different strong passwords on every site where you have an account.
And yes, you must devise a way to manage them all.
Let me run down an example scenario that’s a cause of all this emphasis on different passwords.
Become a Patron of Ask Leo! and go ad-free!
In addition to the risks of exposing your password to malware on your own machine, using the same password everywhere puts you at the mercy of the service with the worst security. Hackers take passwords, email addresses, and user names they discover and try them to sign in to other online services, which works surprisingly often. Different passwords for everything prevents it.
The all-too-common scenario
The scenario I’m about to describe is very common. While the specifics won’t apply to you exactly, conceptually it will illustrate what can happen.
Let’s say you have an account at some online service, Service A. In addition, you have a Yahoo! account, because you used it years ago; a Google account, because you now use Gmail and a number of other Google services; a Microsoft account, because you have Windows 10; and we’ll throw in a Dropbox account, because you’ve been listening to me recommend it. You probably have other accounts I haven’t listed here, but you get the idea. You have lots of accounts at a number of online services.
You have a wonderfully strong password that you’ve memorized: 16 completely random characters. Maybe something like 24rZFPI69u$c%*jr.
And you use that same wonderfully strong password for all those accounts.
Here’s how it can go horribly, horribly wrong.
Anatomy of a hack
Service A has the best of intentions, but honestly, they don’t “get” security. Of all the accounts you use, they have the weakest.
Perhaps they store passwords in their database in plain text, allowing anyone with access to see them. They do that because it’s easy, fast, and solves their problem quickly. They make the assumption that the database containing your password will be impenetrable.
Hackers love it when site designers make that assumption, because, of course, the assumption is wrong.
One day, a hacker breaches service A’s security and steals a copy of the user database. The hacker walks away with a database containing the following information for every user:
- Their login ID
- The email address associated with the account
- The password (or enough information from which the password can be determined)1
- Password hints/security questions
They can log in to your account on Service A. That may or may not be a big deal, depending on exactly what Service A is and how you use it.
But it opens a very dangerous door.
It doesn’t have to be a hack
It’s important to understand that while this example centers around what we hear about in the news most often — the hack of an online service and theft of their user database — it’s certainly not limited to that.
Essentially, anything that could compromise your password at service A brings you to this point. That includes:
- Sharing it with the wrong person.
- Keyloggers and other malware sniffing your password as you type it in.
- Improper use of an open Wi-Fi hotspot.
And so on.
Anything putting your single password into the hands of a malicious individual puts you at greater risk than you might assume.
Password skeet shooting
They have your email address and a password you use, stolen from Service A. Now the hackers go hunting.
As most people have accounts on one or more of the major services I mentioned, the hackers start trying the information from Service A as if it were the correct information for Gmail, Microsoft, Yahoo, Facebook, Twitter, Dropbox, and more.
They try your login ID and password (or that email address and password) on as many other services as they can.
Very often, it works. The hackers gain access to some other account of yours that was completely unrelated to the initial security breach.
Unrelated, of course, except you used the same password at both.
If you use the same password everywhere, a single leak of that password anywhere puts all your accounts at risk. Hackers will be able to log in to your other online accounts as well.
OK, maybe not all; maybe only a few. But a few is all it takes.
The weakest link
Note this has absolutely nothing to do with the security expertise of the sites where your account is eventually compromised. Gmail, Outlook.com, Yahoo, and others have excellent security, but it doesn’t factor into this scenario at all.
Service A was the weak link. Their security wasn’t up to the task. Their database was breached. Their information was leaked. Your account information and password — the password you use everywhere — was exposed.
Service A was at fault. You were at the mercy of the service that had the poorest security.
But the real problem is your use of that single password everywhere.
It shouldn’t be this way
I’ll happily admit things like this shouldn’t happen.
But they do.
And most services are better at security than our fictional Service A.
But it’s also not a black-or-white equation. Even large corporations, which either don’t know any better or simply make a mistake, can put your information at risk. For example, a hack at Adobe a couple of years ago potentially exposed the passwords of 130 million Adobe account holders. I hate to say you can’t trust anyone, but ultimately, you shouldn’t trust anyone not to accidentally expose your password.
And, as I mentioned above, it doesn’t have to be a big service breach for there to be a problem.
Using a different password on each site limits your exposure if any site is compromised.
Managing lots of passwords
So it comes down to how to manage a lot of different, long, and complex passwords.
I still recommend LastPass, and use it myself.
Doesn’t that put all my eggs in one basket?
Yes, it does. But it’s a very good basket. And I’ve taken additional steps to ensure that it stays that way.
I talk about LastPass in more depth in LastPass – Securely Keep Track of Multiple Passwords on Multiple Devices, but I’ll highlight two important reasons I consider LastPass secure:
- The people at LastPass don’t know your master password. They couldn’t tell you what it is if they wanted to. They cannot access your data at all; all they can see is the encrypted data. Even if a hacker were to somehow gain access to their databases, which has never happened, the hacker would also be unable to decrypt and view your information, because LastPass does encryption right. Decryption happens locally on your machine, so the only thing ever transmitted between your computer and LastPass is the encrypted data.
- Of course I use a strong password. But LastPass also supports two-factor authentication, and I’ve enabled it on my account. If you somehow got my master password, you’d still need my second factor in your possession to be able to unlock my LastPass vault.
Ultimately, it’s up to you. There are several password managers out there, but LastPass is the one I trust.
The very short bottom line
My recommendation remains:
- Use long, strong passwords. Twelve characters minimally, ideally more, and randomly generated (there are several random-generator tools available, including one in LastPass). Alternately, and if allowed, use a passphrase at least four words long, ideally with spaces.
- Use a different password for every login account you have. Every single one.
- Use a password manager like LastPass to keep track of them all for you.
- Use a strong password or passphrase on LastPass itself.
- Enable two-factor authentication on LastPass for additional security of that very important basket of information.