It’s one of the most important things you need to do.
Using different passwords is much safer than using one password everywhere. In fact, it’s critical.
Why?
Because hackers know that most people have more than one account and that most people don’t take the trouble to set different passwords.
Admit it, you’re lazy
I’ll admit it: I’m lazy. When it comes to managing passwords, I’ll bet money that most people are.
One password everywhere is so much easier. It’s easier than even the easiest password management system.
It simplifies our lives not to have to remember passwords or use any special tools to remember for us.
The problem is, it makes hackers’ lives easier, too.
Hackers know we’re lazy
Hackers know that people find it easier to have one password everywhere.
Hackers know that people generally have more than one account.
Hacking a single account acts as a foot in the door to the others and leads to all sorts of mayhem.
One account leads to more
It’s easy to guess that if a person logs in with username X and password Y on a system like Yahoo! mail, it’s likely they’ll replicate both username X and password Y on other services.
Once they’ve breached one account, hackers get clues that let them access other accounts.
Account confirmations and notifications are frequently sent via email. What that means is that your hacked email account contains many clues as to what other accounts you have.
If you use the same password everywhere, it’s easy sailing for the hacker to quickly try those out and log in as you at multiple services.
For example, your Facebook login is your email address and a password. Well, if they’ve hacked your email account and you use the same password everywhere, they now know how to log in as you on Facebook.
The hack might not be your fault
Hacks happen through no fault of your own. You could be maintaining perfect security and still end up compromised.
Consider all the places you have online accounts. Let’s assume that the one with the poorest security gets hacked, and the contents of its entire username/password database are stolen.
You just got hacked, and it wasn’t your fault.
However: if you’re using one password everywhere, the hackers now know it.
There can’t be only one
The bottom line is that using one password everywhere is a risk you shouldn’t take.
At a minimum, use unique passwords for your important accounts, like banking and other financially-related activities and email.
All of your email accounts are important, particularly if they can be used for password recovery on other accounts. All a hacker needs to do is hack your email account and then run over to some other account and request a password reset to be emailed to the email account they now control.
Managing lots of passwords
Whenever I talk about giving each login a different, strong password, people strongly object. “No way am I going to remember all those passwords, especially if you’re going to insist that they’re complex on top of everything else.”
You don’t have to.
For example, I don’t know my online banking password. Who’s going to remember something like yFK86jk8q45B? (And no, that’s not it. I said something like that.)
Yet I use my account frequently.
Let your computer do the remembering for you.
I’m a big fan of password management programs, in particular 1Password.
It creates a secure database of your login IDs and passwords and stores them so that only you can get at them with your single, master password. (And yes, that password needs to be strong and memorable.)
Password vaults ease the entire process of logging in by filling in the user ID and password for you; you don’t even need to know what they are.
They use strong encryption to keep your password database secure on your machine(s) and support synchronizing or accessing that database across multiple machines and mobile devices.
And they enable you to use different and strong passwords on every single site.
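The “no duplicate passwords” check that a vault makes possible, as an added example that is not Ask Leo!’s or 1Password’s code: it audits a password-manager CSV export (the column layout and the sample rows are constructed assumptions; real exports vary by product) and reports passwords reused across entries plus entries shorter than a chosen minimum, without ever printing a plaintext password.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample of a password-manager CSV export (hypothetical data;
# the column names are an assumption, not any product's real format).
SAMPLE_EXPORT = """name,url,username,password
Bank,https://bank.example,alice@example.com,yFK86jk8q45B
Email,https://mail.example,alice@example.com,Summer-2023!
Shopping,https://shop.example,alice@example.com,Summer-2023!
Forum,https://forum.example,alice99,Summer-2023!
Social,https://social.example,alice@example.com,x7!Q
"""

MIN_LENGTH = 12  # assumed policy: anything shorter is flagged


def audit_vault(export_text):
    """Return (reused, short).

    reused maps a truncated SHA-256 fingerprint of each duplicated password
    to the sorted entry names that share it; short lists entries whose
    password is under MIN_LENGTH. Fingerprints, not plaintext, are reported
    so the audit output itself does not become a password list."""
    by_fingerprint = defaultdict(list)
    short = []
    for row in csv.DictReader(io.StringIO(export_text)):
        pw = row["password"]
        fp = hashlib.sha256(pw.encode("utf-8")).hexdigest()[:12]
        by_fingerprint[fp].append(row["name"])
        if len(pw) < MIN_LENGTH:
            short.append(row["name"])
    reused = {fp: sorted(names) for fp, names in by_fingerprint.items()
              if len(names) > 1}
    return reused, sorted(short)


def report(export_text):
    """Human-readable summary of the audit, one finding per line."""
    reused, short = audit_vault(export_text)
    lines = [f"password {fp}... reused on: {', '.join(names)}"
             for fp, names in reused.items()]
    lines += [f"{name}: password shorter than {MIN_LENGTH} characters"
              for name in short]
    return lines or ["no reuse or short passwords found"]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_EXPORT)))
```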
QUESTION for your experts:
My PWs are in a 2007 Excel file which is encrypted (by Excel) and PW protected. Does this seem sufficient?
(Excel encryption isn’t great but 2007 is better than prior versions.)
Excel’s encryption is probably good now, but I usually use 7Zip Zip encryption to encrypt files and folders.
As an alternative to LastPass, I use KeePass. (I tried both, and I preferred the latter.)
I keep my KeePass database in my Dropbox, so I can access my passwords from pretty much anywhere: desktop, notebook, netbook, tablet, phone, …
@Michael
Excel password protection isn’t very good and is not difficult to crack. If you just have your passwords on your home desktop computer, that might be enough for you. Truecrypt or even an encrypted zip file is much more secure. If you continue to use the Excel file for your passwords, you might want to give it a name which doesn’t give away the fact that it holds your passwords.
Another good password safe is “Password Safe” from http://pwsafe.org/
It is easy to use and free.
What will a hacker see if he somehow figures out the password for my Roboform or Lastpass?
I presently follow the rules for creating strong passwords, with something in each that links it in my mind to the specific site being accessed. I occasionally do mess up, but haven’t resorted to password storage yet.
@Tony
If someone gets or figures out your LastPass or RoboForm passwords, they have access to all of your stored passwords. So, use a long, strong password.
Okay. I’m using it now and I’ve discovered it is most safe to log out of Last Pass after logging in to the needed websites. That way any unauthorized person attempting to use the computer can’t access anything else other than what’s already open.
Of course other security comes into play such as locking the computer when moving away from it.
Thanks for another great article, Leo, although I have read it a few times before. The “Best of” is still the best of! Thanks for turning me on to LastPass a couple of years ago, it has come in extremely handy, and the only real problem is taking the time to go through the LP Vault every once in a while and clean out the old stuff I do not need or use anymore!
I have the best solution (as far as I am concerned). I use a different password for everything and so I do not have to remember them, but I use an address book. I write down each place I have a password and do it in pencil so I can still change them when needed. I do this because I JUST DON’T trust the programs that will do it automatically.
Also, written down in case a hard drive fails etc.
One other good byproduct is that In my will, if anything happens, it’s divulged to my family where the passwords are so they can do what’s needed.
Unless you keep that book in a strong safe, anyone who finds that book has all your passwords. A very dangerous situation.
On the same day this article pops up in my email, so does an email from the Canadian Post Office for their ePost service. They’re investigating a report that some customer information may have been compromised but they haven’t found any breach of their systems. They believe that the root of these reports is customers using the same login credentials that they used on other sites. Canada Post is forcing everyone to reset their password and choose a strong password that is different than any other password.
I teach at a large public university so we are a state agency. Our IT department mandates that we use the same password for everything. In fact, they make it impossible to do anything else since you only enter the master password. So, I am forced to use the same password for…
* Logging into my office computer
* Logging into classroom computers
* Logging into email
* Logging into our learning management (online) platform
* Logging into our system to enter grades
* Logging into our payroll system
* Logging into our benefits system
and there are most likely things I have forgotten. They do the same thing to students.
The way I see it is that all of those are really only parts or functions of the same account located on a single central system.
What really happens is that you log into your account from some computer, then access the e-mail section, or the grading section, or the payroll section, or …
ONE account, multiple functions.
That’s how it works at the University where I teach. One server, one login. Most of the services are accessed through the general site login. A few others like grade entry are on the same server and use the same password but require logging in directly, probably so the students can’t get in if a teacher leaves a computer unattended. And our LMS is from a third party so it has a completely independent login.
Our LMS is D2L (Desire2Learn). They run it off of State servers so it uses the same password as everything else.
I was wondering why the service companies that use my e-mail address are constantly asking me for my password and asking me to change it. Can you explain?
Not completely, no. Some have policies that say passwords need to be changed every so often, some have detected breaches so they need everyone to change their passwords, some might notice odd activity on some accounts — without more data there’s no way to know for sure.
I’m using Bitwarden to manage my passwords. I’ve noticed lately that some websites are allowing the use of a non-email based username to log in. Besides a password generator, Bitwarden also has a username generator.
Lately I’ve been checking to see if I can change my username with some of my accounts. If I can change it and it doesn’t require the username to be an email address, I use Bitwarden to generate a random username.
If a data breach does expose a list of usernames and passwords, mine would only work on that particular service and nowhere else. I’m hoping that more websites start moving away from using email addresses as usernames.
Email addresses are used because they are almost as unique as fingerprints. Unless you specifically share your email address, no one else has the same one. You might have to try a few times to get a username that nobody else on that site has, but you might have the same username on another website. Your idea offers an extra layer of security, but generally the confusion caused by creating unique usernames might not be worth it.
Before I start this, I saw an item about LastPass on ZDNet today (02/28/2023):
https://www.zdnet.com/article/lasspass-breach-hackers-put-malware-on-engineers-home-computer-to-steal-their-password/?ftag=TRE-03-10aaa6b&utm_email=ca6fba619af40bc17c734b82ae432e36e739193ecf90932f4be0c0735df2ed33&utm_campaign_id=6285787&utm_email_id=6241a1585
Even though this is a bit off-topic, some readers (including Leo) may find it as interesting as I did.
Since I’m a retiree and probably not very interesting to hackers (I don’t have access to any confidential corporate/business information/data), I’m still using LastPass but because of the hack, I’ve taken a few measures, just in case . . .
First, I changed my master password. It is now three characters longer than the old 12-character one I had before. I hope it is now long enough to remain secure for the remainder of my life (I’m in my early 70s).
Next, I changed all my passwords on all the accounts I am currently using (financial and email accounts first) and added 2FA to those that do not have it set up already but support it. Since I use Windows 11, I chose to use the Microsoft Authenticator App. My reasoning is that since Microsoft already has access to everything I do because I use their OS, it is probably more secure/safer to keep as much of my activity information as possible under their roof, so I use their OS (Windows 11 and 10), their web browser (Edge), their security suite (Windows Security/Defender), and their authenticator app (Microsoft Authenticator). You may disagree, but this has worked well for me for many years.
For any account I no longer use, I changed its password, then requested it be deleted. All the affected sites have honored my request, although a few put me through more hoops than the rest, probably a good thing when all is said and done.
Finally, I have added an account review to my bi-annual routines list. It occurred to me that any account I have but no longer use may be another way my personal information could be stolen if the site ever gets hacked (I also check my LastPass dashboard monthly to make sure I have no duplicate passwords).
All in all, the bottom line about passwords is to use a unique password for any site you sign in to. The easiest way to do so is to use a password manager. Which manager you choose is entirely up to you, but please choose one, and use it!
I hope my explanation of what I do helps others,
Ernie
“I’m a retiree and probably not very interesting to hackers”
That is an argument we hear all too often. Do you do online banking? Do you have an email account? If so, you are interesting to hackers. You wouldn’t want to lose your savings, however small, or to lose access to your email. You may not be targeted for a hack, but you can be the victim of a hack on a website you have an account with.
Apparently, you are doing the right thing in what you describe, so you’re not using that argument as an excuse to be lax in your security. It’s just that arguments like “I’m probably not very interesting to hackers” are dangerous assumptions.
Mark J. – If a website allows a Username other than an email address AND you use a password manager, I think it would be very wise to NOT use your email address as a Username. If your email account gets hacked and the hacker changes the email password, you’re in big trouble for any website where your Username is your email address. All a hacker has to do is enter your email address on hundreds of websites and click on forgot password (Luckily a few websites will first ask a few challenge questions before sending a password reset). On the other hand, if you use something other than your email address as your Username, maybe JiLp7yY8tFe3, and the hacker clicks on forgot password, the hacker will probably get “No such Username”.
I’m not saying your method doesn’t add a small extra layer of security. I’m saying why most websites use only email addresses as login names. Your method is probably too complicated for the average user, and adding 2 more characters to existing passwords and not reusing passwords will add much more security.
Mark Jacobs (Team Leo),
Perhaps I should have explained myself more clearly. My intent with that expression was not to present an excuse for lax security. It was to explain why I decided to remain with LastPass. If I’m being entirely truthful, I don’t like change, at least I don’t like changes I can safely avoid (such as learning to use another password manager when I can take steps to improve the security of the manager I use now). Besides, I like how LastPass works.
As it turns out (today), that decision may have been somewhat vindicated. I received notification of a post on the LastPass blog (dated today – March 1, 2023) that explains how the two breaches were carried out, what they have done so far (as well as what they are still doing going forward) in response to the breaches, and what I can do to better secure my vault. I have followed their advice for any steps I had not yet completed because I believe it is sound, and I suggest that anyone else who is still using LastPass do as I have done, both regarding the steps I took (listed in my earlier post above) and those listed in the LastPass blog post (linked below).
If you (or anyone else) are interested, here is the link:
https://blog.lastpass.com/2023/03/security-incident-update-recommended-actions/
I hope what I have had to say helps others,
Ernie
I wasn’t implying that you are lax with your security. Many people look at these comments and a statement saying you’re not interesting to hackers is just plain dangerous.
LastPass may be safe now. Leo isn’t saying it’s necessary to switch. It’s just that LastPass has lost his confidence as a recommendation after withholding information about the hack for so long.
You say that having different and strong passwords keeps you safe.
You then point out that if your email account is hacked, all of your passwords can be changed by clicking ‘forgot password’ and receiving a password change email. A bit of a contradiction, don’t you think?
Not at all. Please … where is the contradiction?
Remember, there’s no such thing as “safe” in any absolute sense. Only “safer”. Different and strong passwords are key to keeping those accounts from getting hacked directly.