There a couple of interesting pieces of what I would consider to be misinformation implicit in your questions. Let me address those first.
Changing passwords periodically is not helpful
I do not believe that changing passwords regularly adds any level of security if you’ve chosen good passwords from the start.
Good passwords meet the following criteria.
- They’re long – 12 characters at a minimum, but as long as possible is better.
- They’re complex to the extent that they’re not guessable.
- They’re different. You don’t use one password for all of your accounts. You use different ones at different sites.
If you follow these rules, I really don’t see a need to change your password. The only exception might be if there’s a problem that requires you to change a password, such as a service reporting that they’ve been hacked and they’re advising everybody to change their password.
But from your perspective, having good strong passwords to begin with is the single most important thing to do to keep yourself safe.
Required periodic password changes frustrate me. I’ve been in corporate environments where they force you to change your password every so often – and it actually encourages the more technically inclined to find ways around that system so that they can keep using the same password anyway.
Can we be tracked by user name?
You’re not being tracked by the passwords you use, but I can see where you might think that and it does raise an interesting point.
On their own, hackers have to guess at your password if they know you have an account with a specific site and they know or can guess your user name.
In this scenario, you might be worried if you’re like most people and tend to use similar user names across multiple sites. Frankly, that’s not a problem as long as you have good, secure passwords from the start.
So what happens when you hear about sites being hacked and user databases being stolen? Hackers typically get usernames, email addresses, and encrypted passwords.
Because the passwords are encrypted, hackers can’t easily get to them. The encryption prevents hackers from logging into all these different accounts willy nilly. It’s a good idea to change your password if a service you use has been hacked in this manner, of course, since they could eventually crack them.
But they do get your user name. I know it’s getting old, but as long as your passwords are secure, I don’t see that as being a big problem.
Account names and security
On the one hand, I think it’s a fine thing to use the same account name across multiple sites. I know I do. I’ve got a couple of different account names from time to time that are fairly unique to me, but they’re the same with many of the different sites that I use. And, I typically tend to use the same email address with those sites as well.
Now, there is one exception that I do want to point out.
Mat Honan, a senior writer for Wired magazine, was infamously hacked last year. Hackers were able to break into his accounts because they could:
- Guess one of his email addresses (I believe on an Apple service)
- Engineer a password reset on an Amazon account that was somehow associated with that email address
- Weasel their way into all of his other accounts
Mat really didn’t do anything wrong, (if anything, Amazon did), but it did bring up a couple of interesting points about protection.
What you should do about user names and passwords
First, don’t use your regular email address as an account recovery email address when you have that as an option. For example, on Google or Microsoft, you can set up additional email addresses so if you do request a password reset, it goes to a particular email address instead of the regular email address.
The other thing to do (and this is one that I do) is to have slightly different user names for my most frequently used or most sensitive accounts, such as Google or Amazon. Each one of those can be a little more secure by making the user name unique.
But again, I have to emphasize that all of your accounts need to have good, strong passwords. They should have 12 random characters at a minimum and include letters, numbers, and perhaps a few special characters. And if you can make them longer than that, you can start to use words so that you’re not typing in random strings of characters.
And if it’s hard to keep track of those, because you don’t want to have the same password on every site, you probably want to use something like LastPass.
But across all of those different sites? Having the same username isn’t that big of an issue – with the exception of a few key services that might be kind of central to your digital life.
And I see no need to change them periodically.