Is It OK to Reuse Passwords on “Unimportant” Sites?

No, but we all do it.

Reusing passwords on sites you don’t care about might feel harmless, but it still can open the door to bigger problems. I’ll look at why even “unimportant” accounts matter more than you think, the risks of cutting corners, and simple ways to stay safe.
[Image: chalkboard reading "Password: password123" (canva.com)]
Question: Does this/my attitude below expose me in ways I’m not aware of? I’d NEVER reuse a password for financial, shopping, insurance, social media, email, or government sites! BUT I reuse a few easily memorable ones for subscriptions to Web media comment sections. I do this only because sites annoyingly request re-entering a password periodically, and I don’t want to interrupt my flow to look them up. On those sites, I don’t care if someone hacks in—and no one would even bother!

I will question some of your assumptions, but I’ll also admit that yeah, I do it too. And it’s not great.

We all have gazillions (technical term, that) of accounts we need to manage. It can be a pain to manage all the associated passwords.

It might be OK, in some situations… but even then, it comes with risks.

TL;DR:

Reusing passwords

Reusing passwords on “unimportant” sites might feel harmless, but it’s risky. Hackers reuse leaked passwords everywhere, and even so-called “unimportant” sites may reveal too much information about you. A password manager helps you stay safe by enabling you to use unique, strong passwords everywhere, even for the stuff you don’t think matters.

Pro: Reusing passwords (or using less secure ones)

There are several arguments in favor of reusing passwords or using weak passwords.

  • It’s less hassle.
  • It makes account creation and login faster.
  • Passwords you use often almost become muscle memory.
  • It reduces or avoids the mental fatigue associated with frequent stronger security measures.

The justification, as you point out, is that not all accounts are equal in importance. Some are so unimportant that we don’t care if that account gets hacked.

Some sites just don’t matter.

Or do they?


Con: Risks of reusing or weakening passwords

Once a password is discovered in a breach, hackers try it everywhere. They do “bother”, to use your terminology.

If a password is revealed somehow (Pwned Passwords will tell you if yours is known to be “in the wild”), they absolutely will try that password across a wide variety of sites and services to see if it works. It’s all automated, so it’s trivial for the hackers to do.
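As an added illustration (not part of Leo's article), here is how a Pwned Passwords lookup can tell you a password is "in the wild" without ever sending the password itself: only the first five hex characters of its SHA-1 hash go to the service's public range API, and the matching against the returned suffixes happens on your own machine. The sample response below is constructed so the example runs offline; the User-Agent value is an assumption.

```python
import hashlib
import urllib.request
from typing import Dict, Tuple

def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form Pwned Passwords indexes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_hash(password: str) -> Tuple[str, str]:
    """Return (prefix, suffix). Only the 5-character prefix is sent to the service."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the service's 'SUFFIX:COUNT' lines; tolerates CRLF and blank lines."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str, range_body: str) -> int:
    """How many times the password appears in known breaches (0 = not found)."""
    _, suffix = split_hash(password)
    return parse_range_response(range_body).get(suffix, 0)

def fetch_range_body(prefix: str) -> str:
    """Live lookup of one hash prefix (not used by the offline demo below)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "reuse-check-example"})  # assumed header value
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

# Constructed stand-in for the response to the prefix of "password123": the two
# neighbouring entries and the count are made up; only the suffix is computed.
DEMO_PREFIX, DEMO_SUFFIX = split_hash("password123")
SAMPLE_RANGE_BODY = "\r\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",
    f"{DEMO_SUFFIX}:123456",
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:3",
])

if __name__ == "__main__":
    for pw in ("password123", "a-long-unique-passphrase-no-one-else-uses"):
        print(f"{pw!r}: prefix sent = {split_hash(pw)[0]}, "
              f"seen {breach_count(pw, SAMPLE_RANGE_BODY)} times")
```

To check a real password, pass `fetch_range_body(prefix)` in place of `SAMPLE_RANGE_BODY`; the service never learns more than the five-character prefix.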

If that password is used for another account that is or has become even marginally “important” to you, you risk losing it.

Of greater concern, and easier to overlook, I think, is the fact that even “unimportant” sites have information hackers can use. Your name, birthdate, email, links to your social sites, and more are all things they can harvest and use for targeted phishing emails or even identity theft. So even if account A has none of that information, if it gets hacked and exposes your password, hackers may use that to access account B (or C, or D, etc.), where more sensitive information might be present.

Even if that doesn’t happen, any account that is compromised can be used to post spam or promote scams under your name. Ultimately, it can affect your reputation and trustworthiness.

Even if it’s “just a forum.”

Middle ground

While I’m vocal about password hygiene and security, I realize that no matter what security experts suggest, people will continue to reuse passwords and set weak ones. As I said, I’m guilty of it myself at times.

So, here are some suggestions to make life a little easier.

Use a password manager. You knew this was coming. It’s one of the most important things you can do; it makes it easy to use long, strong passwords that are unique for every site. It makes proper security easier.

Have tiers of importance. You’re already kind of doing this (important versus unimportant sites), but I want you to rethink it. It’s too easy for an account we consider “unimportant” when we set it up to become more important than we thought. Even then, don’t reuse passwords. At worst, maybe dial back the complexity.

Use email aliases. One additional level of security is to use a different email address for some accounts. You might use a throwaway Hotmail account for less important things or use a unique email address for every important account. The key here is that by varying the email address, you’re making it harder for hackers to discover the correct email address/password combination for any specific account. It’s not completely effective, but it makes it more difficult to hack, even if a password is weak or reused.

Dangerous reuse

Never reuse passwords, and always use a strong password, for:

  • Your primary email account.
  • An email account you use for account recovery on any other online account.
  • An email account whose email address is the user ID for any other online account.
  • An account that has information such as your birthday, answers to security questions, phone numbers, and the like.
  • An account that includes the history of your activity with that account.
  • An account you use to publish or post information that can affect your reputation.

When in doubt, use a strong, unique password.

And use a password manager to keep track of it all.

Do this

Think before you reuse a password. If you do, be aware of and realistic about the risks you are taking.

Like I said, I get it. I really do. But online safety is worth the effort. Assuming the worst and doing the right thing for every site, regardless of how “unimportant” you think it is, is by far the safest approach.


19 comments on “Is It OK to Reuse Passwords on “Unimportant” Sites?”

  1. As a rule, if something makes your life more convenient, then it is less secure. You tolerate the inconvenience of a lock or two or three on the front door of your home for the added security. More hassle is more secure. Less hassle is less secure.

    As to the specifics of the question, let me suggest a simple password formula.

    If the un-important websites are robin, blackbird and sparrow and your favorite password that you have been re-using is “table”, then consider using tablerobin, tableblackbird and tablesparrow as the passwords for your un-important accounts.

    It's a very small increase in hassle, yet an increase in security that defeats the password stuffing attack described in the article.

    • Michael, I’m sorry, but using dictionary words for passwords is far from ideal, regardless of the importance of the account.

      I’m a bit surprised Leo didn’t mention 2FA in the article. 2FA, in my opinion, provides very strong security which helps mitigate the risks involved with using weak passwords. All users should set up 2FA wherever possible.

      It drives me nuts that everywhere now seemingly requires an account, even unimportant sites. Using a password manager is pretty much mandatory these days. I am an old geezer who can barely remember what day it is, let alone dozens of passwords.

  2. Hi Leo.
    I am nervous about using a password manager. Looks complicated. Questions:
    1. Using a password manager, how does it interact with an application’s online sign-in screen? That is, does the password manager automatically step in and supply the generated password when logging into an application? How does it know to do that – do I need to “register” each application to the password manager?
    2. If the password manager creates and hides the password for an application on my PC, how do I log into that same application on my phone or tablet?

    Thanks in advance …John

    • 1) Most password managers will auto-fill when you visit a site requiring your password for which they have a saved entry. Sometimes they don’t and you resort to copy/pasting the password from the manager to the password field yourself.
      2) Many password managers synchronize across devices, so the information saved in one place is available in all.

      • The one thing I dislike about many password management systems is that they employ cloud services, which, while handy for cross-device access, have in some cases been “hacked” (a defensive term for “we got sloppy and allowed foreign agents into our system”) and exposed many people’s credentials to the less scrupulous agents…
        So I employ a non-cloud solution, like KeePass.

        • “Some of these services have been hacked”
          a) I know of only one where that phrase could apply
          b) EVEN THEN no password information was compromised. No one’s accounts were exposed.

          I still claim it’s significantly more secure than the alternatives.

    • The password manager is a browser extension that can see which Web page you are on, can recognize that there are login fields, and fills them. With most password managers, the vault is encrypted on your computer and uploaded to the Internet and synced to all browsers that have that extension installed and logged in. All of that is transparent: all you have to do is install the extension once, and the password manager will do all the work of asking if you want to save the login and then automatically filling in the login information when it detects a login.

    • @ John,

      Hi John, I use and can recommend Bitwarden Free Password Manager. It is very simple to use, provides browser extensions for all major browsers (so is accessible across multiple devices), and auto-fills login info. The Vault (where all your passwords are saved) is protected by a master password, so you just need to make sure that master password is very strong.

  3. What I hate are those well-meaning sites that require you to enter your password manually. Cutting and pasting is disabled. When you have a long password with many types of characters, this can be excruciatingly slow and prone to errors. Why do they do this?

  4. I have read someone who said he had a remembered password then used the site’s name as a suffix e.g. password123facebook; password123discord.

