Question

You probably have accounts on many different websites. It’s a bad habit to use the same password for each of them because if any of those sites has a security breach, the hackers will learn the password to all of your other accounts.

Answer 1

The hacks of several online services have brought this issue to light once again.

I’m sorry, but a single strong password just isn’t enough anymore. You must use different strong passwords on every site where you have an account – at least, every important site.

And yes, you must devise a way to manage them all.

The all-too-common scenario

The scenario I’m about to describe is very common. While the specifics won’t apply to you exactly, it’ll conceptually illustrate what can happen.

Let’s say you have an account at some online service – I’ll call it Service A. In addition, you have a Yahoo!  account because you use Flickr, a Google account because you use mail and a number of other Google services, a Microsoft account because you have Windows, and we’ll throw in a Dropbox account because you’ve been listening to me recommend it. You probably have other accounts I haven’t listed here, but you get the idea. You have lots of accounts to a number of online services.

You have a wonderfully strong password: 14 completely random characters that you’ve memorized.

And you use that same wonderfully strong password everywhere.

Here’s how it can go horribly, horribly wrong.

Anatomy of a hack

Service A has the best of intentions, but honestly, they don’t “get” security. Perhaps they store passwords in their database in plain text, allowing anyone with access to see them. They do that because it’s easy, it’s fast, and it allows them to solve the problem quickly. They make the assumption that the database containing your password will be impenetrable.

Hackers love it when site designers make assumptions like that because, of course, the assumption is false.

One day, a hacker breaches site security and steals a copy of the customer/user database. The hacker walks away with a database that contains the following information for every user:

• Their log-in ID
• The email address associated with the account
• The password (or enough information
• rom which the password can be determined)1
• Password hints

• They can log in to your account on Service A. That may or may not be a big deal, depending on exactly what Service A is and how you use it.

  But it opens a very dangerous door.

• It doesn’t have to be a hack

  It’s important to understand that while this example centers around what we hear about in the news most often – the hack of an online service and the theft of their user database – it’s certainly not limited to that.

  Essentially, anything that could compromise your password brings you to this point. That includes:

• Sharing it with the wrong person.
• Keyloggers and other malware sniffing your password as you type it in.
• Improper use of an open Wi-Fi hotspot.

• And so on.

  Anything that puts your single password into the hands of a malicious individual puts you at greater risk than you might assume.