I keep hearing that I’m supposed to use a different passwords for everything — a different one on every internet site where I have an account. What a pain! I can’t remember all of those passwords. Yeah, I know. You want me to use a password manager thing, but that seems like putting a bunch of really important things into a single basket. What if that basket gets hacked? I use a strong password. Why isn’t that enough?
The hacks of several online services have brought this issue to light once again.
I’m sorry, but a single strong password just isn’t enough anymore. You must use different strong passwords on every site where you have an account.
And yes, you must devise a way to manage them all.
Let me run down an example scenario that’s a cause of all this emphasis on different passwords.
In addition to the risks of exposing your password to malware on your own machine, using the same password everywhere puts you at the mercy of the service with the worst security. Hackers take passwords, email addresses, and user names they discover and try to sign in with them at other online services, which works surprisingly often. Different passwords for everything prevents it.
The all-too-common scenario
The scenario I’m about to describe is very common. While the specifics won’t apply to you exactly, it will conceptually illustrate what can happen.
Let’s say you have an account at some online service, Service A. In addition, you have a Yahoo! account, because you used it years ago; a Google account, because you now use Gmail and a number of other Google services; a Microsoft account, because you have Windows 10; and we’ll throw in a Dropbox account, because you’ve been listening to me recommend it. You probably have other accounts I haven’t listed here, but you get the idea. You have lots of accounts at a number of online services.
You have a wonderfully strong password that you’ve memorized: 16 completely random characters. Maybe something like 24rZFPI69u$c%*jr.
And you use that same wonderfully strong password for all those accounts.
Here’s how it can go horribly, horribly wrong.
Anatomy of a hack
Service A has the best of intentions, but honestly, they don’t “get” security. Of all the accounts you use, they have the weakest.
Perhaps they store passwords in their database in plain text, allowing anyone with access to see them. They do that because it’s easy, fast, and solves their problem quickly. They make the assumption that the database containing your password will be impenetrable.
Hackers love it when site designers make that assumption, because, of course, the assumption is incorrect.
One day, a hacker breaches service A’s security and steals a copy of the user database. The hacker walks away with a database containing the following information for every user:
- Their login ID
- The email address associated with the account
- The password (or enough information from which the password can be determined)
- Password hints/security questions
They can log in to your account on Service A. That may or may not be a big deal, depending on what Service A is and how you use it.
But it opens a very dangerous door.
It doesn’t have to be a hack
It’s important to understand that while this example centers around what we hear about in the news most often — the hack of an online service and theft of their user database — it’s certainly not limited to that.
Essentially, anything that could compromise your password at service A brings you to this point. That includes:
- Sharing it with the wrong person.
- Keyloggers and other malware sniffing your password as you type it in.
- Improper use of an open Wi-Fi hotspot.
And so on.
Anything putting your single password into the hands of a malicious individual puts you at greater risk than you might assume.
Password skeet shooting
They have your email address and a password you use, stolen from Service A. Now the hackers go hunting.
As most people have accounts on one or more of the major services I mentioned, the hackers start trying the information from Service A as if it were the correct information for Gmail, Microsoft, Yahoo, Facebook, Twitter, Dropbox, and more.
They try your login ID and password (or that email address and password) on as many other services as they can.
Very often, it works. The hackers gain access to some other account of yours that was completely unrelated to the initial security breach.
Unrelated, of course, except that you used the same password at both.
If you use the same password everywhere, a single leak of that password anywhere puts all your accounts at risk. Hackers will be able to log in to your other online accounts as well.
OK, maybe not all; maybe only a few. But a few is all it takes.
Note this has absolutely nothing to do with the security expertise of the sites where your account is eventually compromised. Gmail, Outlook.com, Yahoo, and others have excellent security, but that fact doesn’t factor into this scenario at all.
Service A was the weak link. Their security wasn’t up to the task. Their database was breached. Their information was leaked. Your account information and password — the password you use everywhere — was exposed.
Service A was at fault. You were at the mercy of the service that had the poorest security.
But the real problem is your use of that single password everywhere.
It shouldn’t be this way
I’ll happily admit things like this shouldn’t happen.
But they do.
And most services are better at security than our fictional Service A.
But it’s also not a black-or-white equation. Even large corporations, which either don’t know any better or simply make a mistake, can put your information at risk. For example, a hack at Adobe a couple of years ago potentially exposed the passwords of 130 million Adobe account holders. I hate to say you can’t trust anyone, but ultimately, you shouldn’t trust anyone not to accidentally expose your password.
And, as I mentioned above, it doesn’t have to be a big service breach for there to be a problem.
Using a different password on each site limits your exposure if any site is compromised.
Managing lots of passwords
So it comes down to how to manage a lot of different, long, and complex passwords.
I still recommend LastPass and use it myself.
Doesn’t that put all my eggs in one basket?
Yes, it does, but it’s a very good basket. And I’ve taken additional steps to ensure that it stays that way.
I talk about LastPass in more depth in LastPass – Securely Keep Track of Multiple Passwords on Multiple Devices, but I’ll highlight two important reasons I consider LastPass secure:
- The people at LastPass don’t know your master password. They couldn’t tell you what it is if they wanted to. They cannot access your data at all; all they can see is the encrypted data. Even if a hacker were to somehow gain access to their databases, which has never happened, the hacker would also be unable to decrypt and view your information, because LastPass does encryption right. Decryption happens locally on your machine, so the only thing ever transmitted between your computer and LastPass is the encrypted data.
- Of course I use a strong password. But LastPass also supports two-factor authentication, and I’ve enabled it on my account. If you somehow got my master password, you’d still need my second factor in your possession to be able to unlock my LastPass vault.
Ultimately, it’s up to you. There are several password managers out there, but LastPass is the one I trust.
My recommendation remains:
- Use long, strong passwords. Twelve characters minimally, ideally more, and randomly generated (there are several random-generator tools available, including one in LastPass). Alternately, and if allowed, use a passphrase at least four words long, ideally with spaces.
- Use a different password for every login account you have. Every single one.
- Use a password manager like LastPass to keep track of them all for you.
- Use a strong password or passphrase on LastPass itself.
- Enable two-factor authentication on LastPass for additional security of that very important basket of information.
: Thankfully, services rarely store the actual password – though of course they could. (If your service can tell you your actual password, then they’re doing it wrong, and they’ve stored the password itself somewhere). Rather, they store what’s called a “hash” of the password. Depending on several factors – typically, poor decisions made by whoever implemented the authentication mechanism – it is occasionally possible for hackers to indirectly reverse-engineer passwords from hashes.
This post was written by Leo Notenboom and was first posted to AskLeo.com
Do you find this article helpful? Your Friend might too. So, please Share it with them using the Share button above.
Will you like to get notified when I post new updates? Then Follow me on any of my social media handles: Google News, Telegram, WhatsApp, Twitter, Facebook, Pinterest.
You can also drop your email address below if you wish to be notified by mail.