The hacks of several online services have brought this issue to light once again.
I’m sorry, but a single strong password just isn’t enough anymore. You must use different strong passwords on every site where you have an account – at least, every important site.
And yes, you must devise a way to manage them all.
Let me run down an example scenario that’s causing all of this emphasis on multiple different passwords.
The all-too-common scenario
The scenario I’m about to describe is very common. While the specifics won’t apply to you exactly, it’ll conceptually illustrate what can happen.
Let’s say you have an account at some online service – I’ll call it Service A. In addition, you have a Yahoo! account because you use Flickr, a Google account because you use Gmail and a number of other Google services, a Microsoft account because you have Windows, and we’ll throw in a Dropbox account because you’ve been listening to me recommend it. You probably have other accounts I haven’t listed here, but you get the idea. You have lots of accounts to a number of online services.
You have a wonderfully strong password: 14 completely random characters that you’ve memorized.
And you use that same wonderfully strong password everywhere.
Here’s how it can go horribly, horribly wrong.
Anatomy of a hack
Service A has the best of intentions, but honestly, they don’t “get” security. Perhaps they store passwords in their database in plain text, allowing anyone with access to see them. They do that because it’s easy, it’s fast, and it allows them to solve the problem quickly. They make the assumption that the database containing your password will be impenetrable.
Hackers love it when site designers make assumptions like that because, of course, the assumption is false.
One day, a hacker breaches site security and steals a copy of the customer/user database. The hacker walks away with a database that contains the following information for every user:
- Their log-in ID
- The email address associated with the account
- The password (or enough information from which the password can be determined)
- Password hints
They can log in to your account on Service A. That may or may not be a big deal, depending on exactly what Service A is and how you use it.
But it opens a very dangerous door.
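As an added illustration of the "plain text" problem described above (example code, not from the article or from any real service), here is Service A's password table beside the form it should have taken: a per-user random salt and a slow hash. The user names and passwords are constructed, and the PBKDF2 iteration count is an assumed reasonable value.

```python
import hashlib
import hmac
import os

# Constructed sample users for the demonstration, not real accounts.
# Service A's approach: the password column is the password itself.
PLAINTEXT_DB = {"alice": "Tr0ub4dor&3", "bob": "Tr0ub4dor&3"}

# Assumed parameters (not taken from the article): PBKDF2-HMAC-SHA256 with a
# per-user random salt and a deliberately slow iteration count.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def make_record(password: str) -> dict:
    """Store a random salt and a slow hash of the password, never the password."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": PBKDF2_ITERATIONS}


def verify(record: dict, attempt: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def build_hashed_db(plaintext_db: dict) -> dict:
    """What Service A should have stored instead of PLAINTEXT_DB."""
    return {user: make_record(pw) for user, pw in plaintext_db.items()}


if __name__ == "__main__":
    hashed = build_hashed_db(PLAINTEXT_DB)
    # A thief who copies PLAINTEXT_DB reads every password directly.
    print("stolen plaintext row for alice:", PLAINTEXT_DB["alice"])
    # A thief who copies the hashed table gets only salts and digests, and
    # the fact that alice and bob share a password is not even visible,
    # because their salts differ.
    print("stolen hashed row for alice:", hashed["alice"])
    print("alice/bob hashes differ:", hashed["alice"]["hash"] != hashed["bob"]["hash"])
    print("login with right password:", verify(hashed["alice"], "Tr0ub4dor&3"))
    print("login with wrong password:", verify(hashed["alice"], "password"))
```

A stolen copy of the hashed table still has to be attacked one slow guess at a time per user, which is the whole point of the salt and the iteration count.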
It doesn’t have to be a hack
It’s important to understand that while this example centers around what we hear about in the news most often – the hack of an online service and the theft of their user database – it’s certainly not limited to that.
Essentially, anything that could compromise your password brings you to this point. That includes:
- Sharing it with the wrong person.
- Keyloggers and other malware sniffing your password as you type it in.
- Improper use of an open Wi-Fi hotspot.
And so on.
Anything that puts your single password into the hands of a malicious individual puts you at greater risk than you might assume.
Password skeet shooting
Once they have your password, the hackers go hunting.
As most people have accounts on one or more of the major services I mentioned, the hackers start trying the information from Service A as if it were the correct information for Gmail, Outlook.com, Yahoo, Facebook, Twitter, Dropbox, and more.
They try your email address and password to log in to the email service that you’re using.
They try your log-in ID and password (or that email address and password) on as many other services as they can.
And very often, it works. The hackers gain access to another account of yours that was completely unrelated to the initial security breach.
Unrelated, of course, except that you used the same password at both.
If you use the same password everywhere, a single leak of that password puts all your accounts at risk. Hackers will be able to log in to your other online accounts as well. Maybe not all; maybe only a few…
…but a few is all it takes.
The weakest link
Note that this has absolutely nothing to do with the security expertise of the sites where your account is eventually compromised. That Gmail, Outlook.com, Yahoo, and others have excellent security didn’t factor into this at all.
Service A was the weakest link. Their security wasn’t up to the task. Their database was breached. Their information was leaked. Your account information and password – the password you use everywhere – was exposed.
Service A was at fault.
But the real problem is your use of that single password everywhere.
It shouldn’t be this way
I’ll happily admit that things like this shouldn’t happen.
But they do. Not terribly often, but often enough.
And most services are better at security than our fictional Service A.
But it’s also not a black-or-white equation. Even large corporations that should know better, or that simply miss things, can put your information at risk. For example, a hack at Adobe a couple of years ago had the potential to expose the passwords of 130 million Adobe account holders. It’s not as obviously stupid as storing passwords in plain text, but to security experts, it comes surprisingly close.
I hate to say you can’t trust anyone, but ultimately … you shouldn’t trust anyone not to accidentally expose your password.
And, as I mentioned above, it doesn’t have to be a big service breach for there to be a problem.
Using a different password on each site limits your exposure if any of those sites are compromised.
Managing lots of passwords
So it comes down to how to manage a lot of different (and long and complex) passwords.
I still recommend LastPass and use it myself.
Doesn’t that put all my eggs in one basket?
Yes, it does. But it’s a very good basket. And I’ve taken additional steps to ensure that it stays that way.
I talk about LastPass in more depth in LastPass – Securely keep track of multiple passwords on multiple devices, but I’ll highlight two important reasons I consider LastPass secure:
- The people at LastPass don’t know your master password. They couldn’t tell you what it is if they wanted to. They cannot access your data at all; all they can see is the encrypted data. Even if a hacker were to somehow gain access to their databases, which has never, ever happened, the hacker would also be unable to decrypt and view your information, because LastPass does encryption right. Decryption happens locally on your machine, so the only thing ever transmitted between your computer and LastPass is the encrypted data.
- In addition to using a strong password (of course), LastPass supports two-factor authentication, and I’ve enabled it on my account. If you somehow get my master password, you’d still need my second factor in your possession to be able to unlock my LastPass vault.
Ultimately, it’s up to you. There are several password managers out there, but LastPass is the one I trust.
The very short bottom line
My recommendation remains:
- Use long, strong passwords. 12 characters minimum, randomly generated (there are several tools available, including one in LastPass). Alternatively, and if allowed, use a pass phrase at least 4 words long, ideally with spaces.
- Use a different password for every log-in account you have. Every one.
- Use a password manager like LastPass to keep track of them all for you.
- Use a strong password or pass phrase on LastPass itself.
- Consider enabling two-factor authentication on LastPass for additional security of that very important basket of information.
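To make the first recommendation concrete, here is an added generator for both forms (a 12-character random password and a 4-word pass phrase with spaces) together with an entropy calculation; this is example code, not from the article or from LastPass. The eight-word list is a constructed stand-in, and the entropy function shows why a real pass phrase generator needs a list of thousands of words.

```python
import math
import secrets
import string

# Character set for random passwords: letters, digits and punctuation (94 symbols).
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed placeholder word list, only to exercise the code. A real
# pass phrase generator draws from thousands of words.
DEMO_WORDLIST = ["apple", "basket", "candle", "dragon",
                 "ember", "forest", "glacier", "harbor"]


def random_password(length: int = 12, alphabet: str = PASSWORD_ALPHABET) -> str:
    """Random password of the requested length drawn from the OS CSPRNG."""
    if length < 12:
        raise ValueError("minimum is 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words: int = 4, wordlist=DEMO_WORDLIST, separator: str = " ") -> str:
    """Pass phrase of independently and uniformly chosen words, joined by spaces."""
    if words < 4:
        raise ValueError("minimum is 4 words")
    return separator.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(choices: int, picks: int) -> float:
    """Entropy of 'picks' independent uniform selections from 'choices' options."""
    return picks * math.log2(choices)


if __name__ == "__main__":
    print("password  :", random_password())
    print("passphrase:", random_passphrase())
    # 12 random characters from 94 symbols is about 78.7 bits.
    print("12 chars from 94 symbols:", round(entropy_bits(94, 12), 1), "bits")
    # 4 words from this 8-word demo list is only 12 bits; from a 7776-word
    # list (a common diceware size) it is about 51.7 bits.
    print("4 words from demo list  :", entropy_bits(len(DEMO_WORDLIST), 4), "bits")
    print("4 words from 7776 words :", round(entropy_bits(7776, 4), 1), "bits")
```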