Is it *really* such a bad idea to use a password twice?

We regularly warn you against using the same password for multiple accounts.

But if you choose one really long and complex password, and carefully commit it to memory, isn’t that enough?

Even if a chain is only as strong as its weakest link, surely you’ll be fine as long as that weakest link is strong enough?

How strong is strong enough?

The problem is that “strong enough” isn’t, sadly, determined only by the password that you choose.

At some point – at the very least when you create an online account – you need to share your password with the service you’re connecting to.

Even if the password goes straight from your keyboard into memory on your computer, and is then encrypted and only ever unscrambled in memory at the other end, there’s still a chance for cybercrooks to get hold of it.

If you have re-used that password, no matter how complex, for other accounts, then a crook who gets hold of it ends up with what is effectively a skeleton key to your whole online life.

How password breaches happen

A password breach could happen at your end.

You might have a malware infection, even for a short time, that includes what’s known as a keylogger that tracks your keystrokes.

Keyloggers usually record what you type at interesting moments, such as when you visit specific websites (e.g. the URL of your bank’s login page), or when certain words appear on screen (e.g. “username” and “password”).

You could be lured to a phishing site that presents a believable looking login page and thereby tricks you into sending your password to an imposter.

Or a password breach could happen at the other end.

The recent credit card blunders at Target and Home Depot were caused by malware infections on cash register computers that allowed crooks to steal private data straight out of memory, before the data was encrypted for transmission and storage.

And Adobe’s giant breach of 2013 saw crooks steal over 100,000,000 passwords that were supposedly stored securely.

Except that Adobe scrambled all the passwords with the same encryption key, and then stored all the password hints with no encryption at all.

So if other people had the same password as you, but just one of them had given a sloppy hint (and some people recklessly used their passwords as their hints!), your password was revealed.
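The Adobe flaw described above, as an added example that is not part of the original article: identical passwords produce identical stored values when every password is scrambled under one site-wide key, so one sloppy hint exposes every account in the group. The "same key for everyone" store is modelled here with an HMAC under a fixed key, an assumption that shares the relevant property rather than Adobe's actual cipher; the sample users and hints are constructed. The hardened form beside it uses a per-user random salt and a slow KDF, so equal passwords no longer share a record.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample data: (user, password, hint). Not real Adobe records.
USERS = [
    ("alice", "correcthorse", "the xkcd one"),
    ("bob",   "correcthorse", "correcthorse"),    # reckless: the hint IS the password
    ("carol", "correcthorse", "my usual"),
    ("dave",  "Tr0ub4dor&3",  "the other xkcd one"),
]

# Stand-in for "every password scrambled with the same key": any deterministic
# keyed transform has the property that matters here (equal passwords give
# equal stored values). This is NOT Adobe's real cipher (assumption).
SITE_WIDE_KEY = b"one-key-for-everyone"
KDF_ROUNDS = 200_000


def store_deterministic(password: str) -> str:
    return hmac.new(SITE_WIDE_KEY, password.encode(), hashlib.sha256).hexdigest()


def store_salted(password: str, salt: bytes = None) -> tuple:
    """Hardened form: per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ROUNDS)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def exposure_report(users) -> list:
    """Defender-side check on a deterministic store: group accounts whose stored
    value is identical and flag groups in which any hint equals the password,
    because that one hint exposes every account in the group.
    Returns [(members_of_group, users_with_sloppy_hint), ...]."""
    groups = defaultdict(list)
    for name, pw, hint in users:
        groups[store_deterministic(pw)].append((name, pw, hint))
    report = []
    for members in groups.values():
        sloppy = [n for n, pw, hint in members if hint.lower() == pw.lower()]
        if sloppy:
            report.append(([n for n, _, _ in members], sloppy))
    return report


def salted_records_distinct(users) -> bool:
    """With per-user salts, identical passwords no longer share a stored value."""
    digests = {store_salted(pw)[1] for _, pw, _ in users}
    return len(digests) == len(users)


if __name__ == "__main__":
    print("exposed groups:", exposure_report(USERS))
    print("salted records all distinct:", salted_records_distinct(USERS))
```

The report shows why the hint leak mattered far beyond Bob: Alice and Carol chose no hint that gives anything away, yet their accounts are exposed purely because their stored value matches his. The salted store removes the grouping entirely, so a leaked hint can only ever affect the account it belongs to.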

The cost of repetition

But just how prevalent is password re-use?

How many people repeat their passwords between two critical accounts?

A recent bulk password reset by WordPress tells us the story.

Early in September 2014, crooks uploaded nearly 5,000,000 Gmail account names and passwords to a Russian Bitcoin forum.

There hadn’t been a huge security failure at Google, in just the same way that the recent nude celebrity photos stolen from iCloud weren’t down to an iCloud security implosion.

The passwords had been acquired over time, and collected for later misuse, in a variety of unspecified ways.

Keyloggers, incautious transmission of passwords in unencrypted emails, phishing and social engineering (emailing or phoning someone and wheedling secret information out of them): all of these techniques could have been how the crooks came by the passwords.

WordPress found that 700,000 (14%) of the 5,000,000 Gmail addresses in the leaked list also appeared in the WordPress user database.

Of those 700,000 accounts, 100,000 (14%) turned out to have the very same password as in the Gmail list.
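The check WordPress performed, as an added example that is not WordPress's own code: take a leaked (address, password) list, find which addresses belong to your users, test each leaked password against that user's salted hash, and force a reset only where the leaked password still works. The user database and the leaked list are constructed; the hashing scheme (PBKDF2-HMAC-SHA256 with a per-user salt) is an assumption, not WordPress's.

```python
import hashlib
import hmac
import os

KDF_ROUNDS = 100_000


def make_record(password: str) -> dict:
    """Constructed site record: random per-user salt plus PBKDF2 digest (assumed scheme)."""
    salt = os.urandom(16)
    return {"salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ROUNDS)}


def matches(record: dict, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], KDF_ROUNDS)
    return hmac.compare_digest(candidate, record["hash"])


# Constructed: the site's user database, keyed by lower-cased e-mail address.
SITE_USERS = {
    "alice@example.com": make_record("hunter2hunter2"),
    "bob@example.com":   make_record("correcthorsebatterystaple"),
    "carol@example.com": make_record("Tr0ub4dor&3"),
    "dave@example.com":  make_record("unrelated-password"),
}

# Constructed: a leaked (address, password) list of the Gmail-dump kind.
LEAKED = [
    ("Alice@example.com", "hunter2hunter2"),   # same password re-used on our site
    ("bob@example.com",   "wrongguess"),       # address overlaps, password differs
    ("carol@example.com", "Tr0ub4dor&3"),      # re-used
    ("erin@example.com",  "whatever"),         # not one of our users
]


def triage(site_users: dict, leaked: list) -> tuple:
    """Return (addresses that are our users, subset whose leaked password works)."""
    overlap, reuse = [], []
    for addr, pw in leaked:
        addr = addr.strip().lower()
        rec = site_users.get(addr)
        if rec is None:
            continue
        overlap.append(addr)
        if matches(rec, pw):
            reuse.append(addr)
    return overlap, reuse


def reset_plan(site_users: dict, leaked: list) -> tuple:
    """Force a reset where the leaked password still works; a warning is enough
    for overlapping users whose password differs. Returns (to_reset, to_notify, stats)."""
    overlap, reuse = triage(site_users, leaked)
    stats = {
        "leaked": len(leaked),
        "overlap": len(overlap),
        "reuse": len(reuse),
        "overlap_pct_of_leak": round(100 * len(overlap) / len(leaked), 1),
        "reuse_pct_of_overlap": round(100 * len(reuse) / len(overlap), 1) if overlap else 0.0,
    }
    return sorted(reuse), sorted(set(overlap) - set(reuse)), stats


if __name__ == "__main__":
    to_reset, to_notify, stats = reset_plan(SITE_USERS, LEAKED)
    print("force reset:", to_reset)
    print("notify only:", to_notify)
    print(stats)
```

Two details matter in practice: addresses are normalised before lookup (the leak's casing will not match your database's), and the leaked password is tested through the site's own slow hash rather than by comparing plaintexts, because the site should never hold plaintexts to compare against. The percentages in the stats are the same two ratios the article quotes for the WordPress case.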

14% is still too much

At first blush, “one in seven” doesn’t sound too bad.

It means that six out of seven WordPress users seem to be doing the right thing.

But those one-in-seven users were putting the rest of us at needless risk, not just themselves.

Crooks love “free” WordPress accounts, because they give them a way to publish their malicious content at someone else’s expense, on someone else’s legitimate-looking website.

If they know your password, they don’t even have to bother hunting for exploits that will let them break in sneakily.

They can walk in through the front door, just like you.

Learn more lessons from the WordPress password reset [starts at 3’22”]


The bottom line

Don’t make things easy for cybercriminals: use a different password for every account, and turn on two-factor authentication (2FA) wherever it’s offered.

2FA usually means running a special app on your mobile device to generate a single-use login code, or receiving a login code via SMS.

By bringing a second device into the login equation, and by making the 2FA codes valid for a short time (e.g. 30 seconds) and a single use, you make it harder for the crooks to log in as you.

If you’re not bothered to do these things for yourself, at least do them for the rest of us!

Learn more about 2FA
