We regularly warn you against using the same password for multiple accounts.
But if you choose one really long and complex password, and carefully commit it to memory, isn’t that enough?
Even if a chain is only as strong as its weakest link, surely you’ll be fine as long as that weakest link is strong enough?
How strong is strong enough?
The problem is that “strong enough” isn’t, sadly, determined only by the password that you choose.
At some point – at the very least when you create an online account – you need to share your password with the service you’re connecting to.
Even if the password goes straight from your keyboard into memory on your computer, and is then encrypted and only ever unscrambled in memory at the other end, there’s still a chance for cybercrooks to get hold of it.
If you have re-used that password, no matter how complex, for other accounts, then a crook who gets hold of it ends up with what is effectively a skeleton key to your whole online life.
How password breaches happen
A password breach could happen at your end.
You might have a malware infection, even for a short time, that includes what’s known as a keylogger that tracks your keystrokes.
Keyloggers usually record what you type at interesting moments, such as when you visit specific websites (e.g. the URL of your bank’s login page), or when certain words appear on screen (e.g. “username” and “password”).
You could be lured to a phishing site that presents a believable looking login page and thereby tricks you into sending your password to an imposter.
Or a password breach could happen at the other end.
The recent credit card blunders at Target and Home Depot were caused by malware infections on cash register computers that allowed crooks to steal private data straight out of memory, before the data was encrypted for transmission and storage.
And Adobe’s giant breach of 2013 saw crooks steal over 100,000,000 passwords that were supposedly stored securely.
Except that Adobe scrambled all the passwords with the same encryption key, and then stored all the password hints with no encryption at all.
So if other people had the same password as you, but just one of them had given a sloppy hint (and some people recklessly used their passwords as their hints!), your password was revealed.
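To see why one shared key plus plaintext hints fails, here is an added illustration (not code from Adobe or from the original article). HMAC under a single key stands in for the shared-key scrambling, and the user records are constructed samples.

```python
import hashlib
import hmac
import os
from collections import defaultdict

SHARED_KEY = b"one-key-for-every-user"  # constructed; stands in for the single key

# Constructed sample records: (user, password, hint)
USERS = [
    ("alice@example.com", "Tr1cky-Horse-Staple", ""),
    ("bob@example.com", "Tr1cky-Horse-Staple", "horse + staple, tricky spelling"),
    ("carol@example.com", "Tr1cky-Horse-Staple", "Tr1cky-Horse-Staple"),
    ("dave@example.com", "another-unique-phrase", "my usual"),
]

def store_shared_key(password):
    """Deterministic: the same password always yields the same stored value."""
    return hmac.new(SHARED_KEY, password.encode(), hashlib.sha256).hexdigest()

def store_salted(password):
    """Per-user random salt: equal passwords yield unrelated stored values."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()

def hints_exposed_per_user(store):
    """For each user, list the hints left by anyone whose stored value matches theirs."""
    groups = defaultdict(list)
    stored = {}
    for user, password, hint in USERS:
        stored[user] = store(password)
        groups[stored[user]].append(hint)
    return {user: [h for h in groups[value] if h] for user, value in stored.items()}

if __name__ == "__main__":
    for name, store in (("shared key", store_shared_key), ("salted", store_salted)):
        print(name)
        for user, hints in hints_exposed_per_user(store).items():
            print("  ", user, hints)
```

With the shared key, alice left no hint at all yet inherits bob's and carol's; with per-user salts the records can no longer be grouped, so each user is exposed only to their own hint.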
The cost of repetition
But just how prevalent is password re-use?
How many people repeat their passwords between two critical accounts?
A recent bulk password reset by WordPress tells us the story.
Early in September 2014, crooks uploaded nearly 5,000,000 Gmail account names and passwords to a Russian Bitcoin forum.
There hadn’t been a huge security failure at Google, in just the same way that the recent nude celebrity photos stolen from iCloud weren’t down to an iCloud security implosion.
The passwords had been acquired over time, and collected for later misuse, in a variety of unspecified ways.
Keyloggers, incautious transmission of passwords in unencrypted emails, phishing and social engineering (emailing or phoning someone and wheedling secret information out of them): all of these techniques could have been how the crooks came by the passwords.
WordPress found that 700,000 of the Gmail addresses out of the 5M in the leaked list (14%) appeared in the WordPress user database.
Of those 700,000 accounts, 100,000 (14%) turned out to have the very same password as in the Gmail list.
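A service can run this kind of check without ever holding its users' passwords in the clear. The following is an added example, not WordPress's code: the article does not say how WordPress did the comparison, so this assumes salted PBKDF2 hashes on the service side, and all addresses and passwords are constructed.

```python
import hashlib
import hmac
import os

def hash_password(password, salt=None, iterations=100_000):
    """Return (salt, digest) using PBKDF2-HMAC-SHA256 with a per-user salt."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def build_user_db(accounts):
    """Service side: keep only salt and digest, never the password itself."""
    return {email.lower(): hash_password(pw) for email, pw in accounts}

def accounts_to_reset(user_db, leaked_pairs):
    """Return (emails found in both lists, emails whose leaked password still works)."""
    present, reused = set(), set()
    for email, leaked_pw in leaked_pairs:
        key = email.lower()
        record = user_db.get(key)
        if record is None:
            continue                      # leaked address is not one of our users
        present.add(key)
        salt, digest = record
        _, candidate = hash_password(leaked_pw, salt)
        if hmac.compare_digest(candidate, digest):
            reused.add(key)               # same password as in the leak: force a reset
    return sorted(present), sorted(reused)

# Constructed sample data: the service's accounts and a leaked credential list.
USER_DB = build_user_db([
    ("ann@example.com", "correct horse battery"),
    ("ben@example.com", "Summer2014!"),
    ("cat@example.com", "xk9-unique-to-this-site"),
])
LEAKED = [
    ("ben@example.com", "Summer2014!"),        # password reused on this service
    ("Cat@Example.com", "old-mail-password"),  # same person, different password
    ("dan@example.com", "whatever"),           # not a user of this service
]

if __name__ == "__main__":
    present, reused = accounts_to_reset(USER_DB, LEAKED)
    print("in both lists:", present)
    print("password reused, reset required:", reused)
```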
14% is still too much
At first blush, “one in seven” doesn’t sound too bad.
It means that six out of seven WordPress users seem to be doing the right thing.
But those one-in-seven users were putting the rest of us at needless risk, not just themselves.
Crooks love “free” WordPress accounts, because they give them a way to publish their malicious content at someone else’s expense, on someone else’s legitimate-looking website.
If they know your password, they don’t even have to bother hunting for exploits that will let them break in sneakily.
They can walk in through the front door, just like you.
The bottom line
Don’t make things easy for cybercriminals:
- Stick to the rule: “one account, one password.”
- If you can only remember one strong password, try a password manager.
- Change your passwords promptly if a crook might have got hold of them.
- Use two-factor authentication (2FA) if you can.
2FA usually means running a special app on your mobile device to generate a single-use login code, or receiving a login code via SMS.
By bringing a second device into the login equation, and by making the 2FA codes valid for a short time (e.g. 30 seconds) and a single use, you make it harder for the crooks to log in as you.
If you’re not bothered to do these things for yourself, at least do them for the rest of us!
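How a server can enforce both properties of a 2FA code, short validity and single use, is shown in this added example (not any provider's actual code). It assumes the RFC 6238 TOTP scheme with HMAC-SHA1 and a 30-second step, makes no allowance for clock drift, and uses the RFC's published test key as its secret.

```python
import hashlib
import hmac
import struct

STEP = 30     # seconds a code stays valid, as in the article's example
DIGITS = 6

def totp(secret, now, step=STEP, digits=DIGITS):
    """RFC 6238 code for the time step containing `now` (HMAC-SHA1 variant)."""
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class TotpVerifier:
    """Server side: accept a code only inside its own time step, and only once."""

    def __init__(self, secret):
        self.secret = secret
        self.last_used_step = -1                 # highest time step already consumed

    def verify(self, code, now):
        current = int(now) // STEP
        if current <= self.last_used_step:
            return False                         # this step's code was already used
        expected = totp(self.secret, now)
        if not hmac.compare_digest(expected.encode(), code.encode()):
            return False                         # wrong code, or one from another step
        self.last_used_step = current
        return True

if __name__ == "__main__":
    secret = b"12345678901234567890"             # RFC 6238 test key, not a real secret
    server = TotpVerifier(secret)
    code = totp(secret, 1111111109)
    print("first use:", server.verify(code, 1111111109))
    print("replay in same step:", server.verify(code, 1111111109))
    print("old code in next step:", server.verify(code, 1111111111))
```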
16 comments on “Is it *really* such a bad idea to use a password twice?”
Anyone with elevated privileges should seriously take to heart your last line. It’s useless for me to double dead-bolt the front door if you have only padlocked the back door.
People forget that their password is not an isolated piece of data; it is part of a tuple – a user name AND a password. There are large databases of compromised user accounts out there – the Adobe one has many people, including me. What the bad guys do when they get hold of a compromised set of user accounts is to compare it against what is already out there. The user account is usually the email, and even if it isn’t, there is then an email field.
Suppose (as an example) in the compromised Adobe database, my account is tony at first.example. It doesn’t matter what my password is because the bad guys assume I have changed it.
Now consider another site – user = tony at second.example and password is “hopeful”. When the bad guys compromise this database, then they only have to look through all the other databases for an account tony at second.example and then try it with the password “hopeful” to see if I have used it anywhere else e.g. is this my new password for Adobe, for example.
It is simply a bad idea. Any data set where there is more than one field per record can be queried with a second data set to come up with more valuable information. That is how much supposedly anonymised data can be de-anonymised.
Like many people, I was caught by the Adobe breach. And because I had that account, and many more for 15 years or so – back to when security was not such an issue, I had reused a few passwords over the years. So after that, I went through every account that I knew of (300 or more) and set any that still existed to a new and unique password – precisely for the reason above. It took me three days, but it did give me peace of mind that I would not get a ripple through my accounts now from a single breach.
Another thing to consider are accounts that you no longer use or need. You should consider having them deactivated and/or deleted if possible. For those services that won’t let you close your account (looking at you, WordPress.com!) I would suggest creating as long and as strong a password as possible for that account, and change the email address to one you don’t use, before walking away from it.
Problem is, how can you close down an email account or a blog without the risk of someone else (say, a stalker or some other malicious individual) assuming it and then sending emails to other people or writing comments in your name?
2FA is great in principle. But I found out about its cons the hard way – these days cellphones hardly last more than 9-10 hrs on a single use. Once the battery died, that’s it, you are effectively locked out of your account, and there is no way you can get back in. If your Android cellphone is lost and you are looking to check its “location” on Google’s device manager online, good luck trying to log in without your cellphone.
That’s why Google and all the other 2FA-enabled services provide another way to log in which should be kept safe and away.
* Google provides 10 one-time-passwords
* Hotmail provides a key
And you can always mark the computer you log from as trusted.
Some providers (I think Facebook) don’t provide an alternative and it’s bad news if you lose your phone and cannot get the same number, as the OTPs are sent via SMS.
Last time I checked my Google account, it was possible to download a set of verification codes to use when without a phone.
That mate sounds to me like a comment that Paul Ducklin should weigh in on – That sounds like a major Android problem.
What say you Paul? Worthy of a separate article?
Actually, the “Anonymous” post about “why not just recharge your phone?” was me. (I forgot to log in first, so my remarks ended up not under my name…I wondered where that comment had gone…now I know!)
As someone else pointed out, many online services (apparently including Google) allow you to generate a short list of emergency codes that you can print out and lock away somewhere safe, against the day that you would otherwise be locked out. WordPress actually makes you affirm that you have printed the codes by forcing you to enter the word “printed,” plus it asks for one of the codes, just in case you thought you’d cheat 🙂
When your phone runs out of battery power…
…can’t you just, errrr, connect it to a power source?
For example, one of the USB ports on the computer you’re logging in from?
If you genuinely don’t have power at all, then you’re out of luck altogether as far as going online is concerned, surely?
Who uses a password twice? You’re either committed to “one password, one site,” or you’re using the same password across MANY accounts. I finally started using a password manager after seeing the practice recommended here and on another security site. Now all my passwords are unique and randomly-generated. I only have to remember one—to the password manager.
2 is larger than 1 on paper, but two weak boys in the real world may well be far weaker than a toughened guy. Physical tokens and phones are easily lost, stolen and abused. Then the password would be the last resort. It should be strongly emphasized that a truly reliable 2-factor solution requires the use of the most reliable password.
Using a strong password does help a lot even against the attack of cracking the stolen hashed passwords back to the original passwords. The problem is that few of us can firmly remember many such strong passwords. We cannot run as fast and far as horses however strongly urged we may be. We are not built like horses.
At the root of the password problem is the cognitive phenomenon called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.
Yup. Password reuse is essentially saying “I’m too lazy to protect this data, and/or it is not important enough to take the time to use a good single-use password.”
Paul is right, but I would have some remarks.
I would never use a password manager, because I will never store my passwords in a software written by someone else. I myself won’t write such a program, because I know that there are no error-free progs, only weakly tested ones 😉
Because one may have even some dozens of password protected accounts, it is not so easy to apply the “one account, one password” rule. Perhaps an ABC analysis can help:
A) Most important accounts (netbank, workplace SSO, email, FB), long enough and unique password for each.
B) Less important accounts (e.g. different newsgroups, portals etc.), long enough with the same structure – the rule of the structure is not too trivial.
C) Not interesting accounts (there are a lot of places where you must register but cannot understand why), the very same password, even ‘passw123ord’.
Keep in mind, that password strength depends on the length, and not on the char types included.
Using the same password is lazy, as well as people that use “remember my password” settings. If someone gets access to your computer they can find your entire password list with usernames just by looking in browser advanced settings.
There is always something more to learn. I thought I knew a lot; you guys are indeed 2Steps Ahead.
I will go change all my passwords to different ones, and actually deactivate redundant accounts.