Is It OK to Reuse Passwords on “Unimportant” Sites?

No, but we all do it.

Reusing passwords on sites you don’t care about might feel harmless, but it can still open the door to bigger problems. I’ll look at why even “unimportant” accounts matter more than you think, the risks of cutting corners, and simple ways to stay safe.
Question: Does this/my attitude below expose me in ways I’m not aware of? I’d NEVER reuse a password for financial, shopping, insurance, social media, email, or government sites! BUT I reuse a few easily memorable ones for subscriptions to Web media comment sections. I do this only because sites annoyingly request re-entering a password periodically, and I don’t want to interrupt my flow to look them up. On those sites, I don’t care if someone hacks in—and no one would even bother!

I will question some of your assumptions, but I’ll also admit that yeah, I do it too. And it’s not great.

We all have gazillions (technical term, that) of accounts we need to manage. It can be a pain to manage all the associated passwords.

It might be OK, in some situations… but even then, it comes with risks.

TL;DR:

Reusing passwords

Reusing passwords on “unimportant” sites might feel harmless, but it’s risky. Hackers reuse leaked passwords everywhere, and even so-called “unimportant” sites may reveal too much information about you. A password manager helps you stay safe by enabling you to use unique, strong passwords everywhere, even for the stuff you don’t think matters.

Pro: Reusing passwords (or using less secure ones)

There are several arguments in favor of reusing passwords or using weak passwords.

  • It’s less hassle.
  • It makes account creation and login faster.
  • Passwords you use often almost become muscle memory.
  • It reduces or avoids the mental fatigue associated with frequent stronger security measures.

The justification, as you point out, is that not all accounts are equal in importance. Some are so unimportant that we don’t care if that account gets hacked.

Some sites just don’t matter.

Or do they?

Con: Risks of reusing or weakening passwords

Once a password is discovered in a breach, hackers try it everywhere. They do “bother”, to use your terminology.

If a password is revealed somehow (Pwned Passwords will tell you if yours is known to be “in the wild”), they absolutely will try that password across a wide variety of sites and services to see if it works. It’s all automated, so it’s trivial for the hackers to do.

If that password is used for another account that is or has become even marginally “important” to you, you risk losing it.

Of greater concern, and easier to overlook, I think, is the fact that even “unimportant” sites have information hackers can use. Your name, birthdate, email, links to your social sites, and more are all things they can harvest and use for targeted phishing emails or even identity theft. So even if account A has none of that information, if it gets hacked and exposes your password, hackers may use that to access account B (or C, or D, etc.), where more sensitive information might be present.

Even if that doesn’t happen, any account that is compromised can be used to post spam or promote scams under your name. Ultimately, it can affect your reputation and trustworthiness.

Even if it’s “just a forum.”

Middle ground

While I’m vocal about password hygiene and security, I realize that no matter what security experts suggest, people will continue to reuse passwords and set weak ones. As I said, I’m guilty of it myself at times.

So, here are some suggestions to make life a little easier.

Use a password manager. You knew this was coming. It’s one of the most important things you can do; it makes it easy to use long, strong passwords that are unique for every site. It makes proper security easier.

Have tiers of importance. You’re already kind of doing this (important versus unimportant sites), but I want you to rethink it. It’s too easy for an account we consider “unimportant” when we set it up to become more important than we thought. Even then, don’t reuse passwords. At worst, maybe dial back the complexity.

Use email aliases. One additional level of security is to use a different email address for some accounts. You might use a throwaway Hotmail account for less important things or use a unique email address for every important account. The key here is that by varying the email address, you’re making it harder for hackers to discover the correct email address/password combination for any specific account. It’s not completely effective, but it makes it more difficult to hack, even if a password is weak or reused.

Dangerous reuse

Never reuse passwords, and always use a strong password, for:

  • Your primary email account.
  • An email account you use for account recovery on any other online account.
  • An email account whose email address is the user ID for any other online account.
  • An account that has information such as your birthday, answers to security questions, phone numbers, and the like.
  • An account that includes the history of your activity with that account.
  • An account you use to publish or post information that can affect your reputation.

When in doubt, use a strong, unique password.

And use a password manager to keep track of it all.

Do this

Think before you reuse a password. If you do, be aware of and realistic about the risks you are taking.

Like I said, I get it. I really do. But online safety is worth the effort. Assuming the worst and doing the right thing for every site, regardless of how “unimportant” you think it is, is by far the safest approach.

1 thought on “Is It OK to Reuse Passwords on “Unimportant” Sites?”

  1. As a rule, if something makes your life more convenient, then it is less secure. You tolerate the inconvenience of a lock or two or three on the front door of your home for the added security. More hassle is more secure. Less hassle is less secure.

    As to the specifics of the question, let me suggest a simple password formula.

    If the un-important websites are robin, blackbird and sparrow and your favorite password that you have been re-using is “table”, then consider using tablerobin, tableblackbird and tablesparrow as the passwords for your un-important accounts.

    It's a very small increase in hassle, yet an increase in security that defeats the password stuffing attack described in the article.
