It’s possible; just not the way you think.
There are two approaches to using just one password everywhere: the really, really bad approach, and the really, really good approach.
I’ll discuss both, and why you really want that really, really good one.
Using just one password
Using the same password for all your accounts is extremely risky. Poor security at one service can compromise them all. A better approach is to use a password manager to remember and generate strong passwords. The only password you need to remember is the master password to your vault.
The same password everywhere
What most people think of as “just one password” is using the exact same password for all their online accounts. This is a really, really bad idea.
Using the same password everywhere puts you at the mercy of whichever service has the worst security. Even if services A, B, and C all have perfect security[1], if you use the same password at all of them and for service “D”, which has poor security, your single password for everything stands a very good chance of being discovered.
The real risk, of course, is that if your single password is discovered, all the accounts are vulnerable. If a hacker gets your password for any of the accounts, they can now run around and try that password on all your accounts. And to be very clear: they are known to do exactly this.
Not knowing where your accounts are doesn’t stop them, either. Once they know they have an actual password, they can and do try it on dozens, if not hundreds, of online services. Chances are extremely high they’ll hit one you use.
The ideal world
In an ideal world, you would use a different password for every login.
In an ideal world, your passwords would all be long and complex.
Passwords should be unique, long, complex, and hard to guess — yet you need to remember them all.
Yikes.
I have a couple of alternatives for you.
One password, once
Invest in a tool like 1Password,[2] which automatically remembers your passwords for you. This is the “really, really good” approach I alluded to above. It’s an app called a password vault.
The fact that your email password is “6MQFhUEwjiqyeiEdnsck” and your bank account’s is “xu4v9KzoQLRRNhY9nseK” is something you might never actually need to know yourself. 1Password simply keeps track and remembers it all for you.
It can also generate random passwords for you — those two password examples above came from 1Password’s password generator.
All you need to do is remember just one password: the password to unlock your 1Password vault.
1Password can synchronize your information across machines, across browsers, and even across mobile devices. I use 1Password myself and swear by it.
The problem is, of course, if you ever find yourself without 1Password, you may not have your passwords available. I can’t tell you my Gmail password, for example, and that was an inconvenience the other day when I was using a computer that didn’t have my 1Password data on it.
One algorithm
My other alternative to password management is to use an algorithm. By “algorithm”, I mean a set of rules that you use each time you create a password that you can then use to remember all your passwords.
For example, you might say your passwords are:
- The first three letters of the site URL for which you are creating a password
- The first three characters of the name of your first pet spelled backward
- Your age on your birthday in the year 2010 + a number like 333
- Three characters indicating what the site is about – perhaps “ban” for bank, “ema” for email, and so on – with the first letter capitalized.
- If the service requires it, a special character at a standard location. Perhaps a “#” at the end.
According to those rules, my Gmail password might be “gooons386Ema#”.
No one would guess that password, but it’s something I can re-create by remembering the rules of my algorithm without remembering the actual password.[3]
That’s just an example. You would create your own set of rules using things you can fairly easily remember and some personal information you’re not likely to forget. You can even jot down algorithm hints without seriously compromising the passwords themselves.
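The five rules above, written out as an added example (not code from the article): it reproduces “gooons386Ema#” and reports which character positions actually change from one site to the next. The pet name, the age, the reading of rule 2 as “first three letters, then reversed”, and the bank URL are assumptions made for illustration.

```python
from urllib.parse import urlparse

# Constructed inputs: the pet name and age are assumptions picked so the
# article's rules reproduce its sample password "gooons386Ema#".
PET_NAME = "snoopy"     # hypothetical first pet
AGE_IN_2010 = 53        # hypothetical age; 53 + 333 = 386
OFFSET = 333


def site_label(url: str) -> str:
    """Name part of the host, e.g. 'google' for accounts.google.com.

    Simplification: assumes a one-label suffix such as .com.
    """
    host = urlparse(url if "//" in url else "//" + url).hostname or ""
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else host


def derive(url: str, category: str, special: str = "#") -> str:
    """Apply the article's five rules in order."""
    site = site_label(url)[:3].lower()      # rule 1: first three letters of the site
    pet = PET_NAME[:3][::-1].lower()        # rule 2: first three of pet name, reversed
    number = str(AGE_IN_2010 + OFFSET)      # rule 3: age in 2010 plus a fixed number
    topic = category[:3].capitalize()       # rule 4: what the site is about
    return site + pet + number + topic + special   # rule 5: special character at the end


def varying_positions(passwords: list[str]) -> list[int]:
    """Indexes at which the given passwords are not all identical."""
    return [i for i, chars in enumerate(zip(*passwords)) if len(set(chars)) > 1]


if __name__ == "__main__":
    gmail = derive("https://accounts.google.com", "email")
    bank = derive("https://bank.example.com", "bank")
    print(gmail, bank)
    print(varying_positions([gmail, bank]))
```

With these rules, six of the thirteen characters depend on the site; the other seven are the same in every password the rules produce.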
Additional notes
I use both.
- I use 1Password-generated secure passwords on everything I possibly can. I could not tell you these passwords if my life depended on it, but 1Password remembers.
- I have a select few algorithmically generated passwords. These are passwords that are lengthy and complex, but if need be, I can recall. I still store them in 1Password, because it’s easier to let 1Password do the data entry when it offers. Passwords I might have to laboriously “type” into a streaming service on my television could fall into this category.
If you do choose your own passwords, make sure they’re strong ones. A frighteningly high number of account hacks are simply due to password guessing. People who know just a little bit about you can make guesses at your password, and they’ll be right a startling amount of the time.
A word about paper
Don’t write your passwords down.
That’s exactly where thieves know to look if they break into your home or office. If you must write something, write down a hint to help you remember. But ideally, either use something you can remember on its own or something your computer can securely remember for you using a tool like 1Password.
Footnotes & References
1: No such thing, by the way.
2: I use 1Password as my example because it’s what I recommend and use myself. There are many good alternatives out there as well.
3: For the record, that’s not my password. I do use an algorithm for a couple of key passwords, but it’s quite different than what I’ve described here.
If you’re using a computer that doesn’t have your password manager data on it, you’re still not up a creek if that password data is on your smartphone. True, you may have to laboriously copy that long password character by character, but once you do, you are in like Flynn!
It’s even easier than that. Most password managers let you access your vault on the web from your browser, so you can simply copy and paste them. Just be careful if you are using a clipboard manager. Delete any passwords stored in them.
And if your password manager database is domiciled on your computer (or smartphone), keep multiple backup copies somewhere safe!
Yes. Leo wrote an article on that, and although he no longer recommends LastPass, the process is similar for other password managers.
https://askleo.com/how-do-i-back-up-lastpass/
At work, they make us change passwords (more multiple systems) every 90 days and so it gets confusing. We can’t install any software or use any kind of online password vault. That would be a violation of network policy. So years ago, I came up with the idea of creating a password algorithm that works with the password requirements. IT recommends not changing your password on a Friday before a vacation because you’ll likely forget your new password. But my algorithm works great, and even after a vacation with a fresh password immediately prior, I still know exactly what my password is.
Most password managers have Web interfaces. There’s no need to install anything on the computer.
A couple of password managers reflect that in their names. OnePassword and LastPass (the last password you’ll need).
I’m still using LastPass in spite of Leo’s recommendation(s) to change my password manager, in part because I’m familiar with it. I’ve tried Bitwarden, but found its user interface to be a bit too much of a bother for me, and I suspect that using any other manager will involve a learning curve/change of habits as well. They (LastPass) have improved their security posture significantly since the breach, and I see evidence that they are continually working to improve it as they see the need, and that they’re watching.
Following the breach, as they provided me with information on how to improve my vault’s security, I’ve followed their advice. I increased the iteration count to 600,000, increased the length of my Master Password to at least 16 characters as well as that of all my stored passwords. I use 2FA to better secure my vault, and I have updated all my Internet accounts that support 2FA as well. For those sites that did not offer 2FA support, I either changed service providers or closed/deleted those accounts because if they care so little about the security of my data that they don’t provide 2FA support and secure my data with encryption, I don’t want to use them.
At this point, if any of my passwords should fall into the hands of miscreants, it will do nothing for them because all of my Internet accounts are secured with 2FA (my second factor is needed to gain access), and both of my email accounts use passkeys (even better security). I’m hoping and waiting for the day when all Internet accounts can be secured with passkeys because they offer the best security to date (essentially, 2FA on steroids).
Ernie (Oldster)
I am already using an algorithm as Leo suggests and find it easy to remember the 20 long character password for 1 Password manager. I changed from Last Pass on Leo’s recommendation, but I found Last Pass was a more user-friendly program. The graphic display that Last Pass used worked better for me and adding and editing was much simpler.
While it’s convenient to have a password management program in the cloud, it’s essential to remember that they can be vulnerable to hacking. For instance, I once used Yahoo Mail for years, but it got hacked, and I lost all my data, and they couldn’t restore my ten years of content. Good luck keeping anything in the cloud.
All email, by definition, is in the cloud at some point. Your scenario is more about proper account security, maintaining recovery options, and backing up your email.
Kodgeneratorn (https://kodgeneratorn.se/) is a brilliant site for making readable/writable passwords. It is a Swedish site, but I’m sure you have similar sites in the US. /Peter
I checked out that site using the MS Edge browser and the browser offered to translate it to English, so if you use a browser that offers to translate, that site is easy for any language user.