Another week, another breach reported, and another round of changing passwords on a number of websites across the internet.
Even though people intuitively understand that they shouldn’t use the same password with their email address on each site, they do so anyway because the complexity of keeping track of all those different website passwords is more of an immediate problem than having to change a password across a number of sites because one of them has become compromised.
What makes it even harder is when you can’t remember which sites you might have signed up to using that password.
Best practice would be to have a separate password for each site. Such a strategy would involve having some sort of secure password locker software that allowed you to retrieve the passwords as they became necessary. Of course the reality is that best practice requires a lot of effort. A lot of the time when people sign up to a website, it is a one-off and they probably won’t ever return to that site. While it may be best practice to use a unique password for every site, that’s a lot of effort to go to if you are using the site only once.
When thinking about website passwords, think about the importance of the website. Have unique passwords for very important sites. If possible, turn on two-factor authentication. Your email and social media passwords should be unique.
One-off accounts that you’re unlikely to use again don’t necessarily need unique passwords – you just need to make sure that they aren’t the same as any of your important accounts.
Generally, if an attacker compromises an unimportant account password, they are going to see if it is the same password that you use with an important account. For example, if they manage to compromise the database of the Chewbacca Rollerblading Forum you once posted to and figure out your password, they probably aren’t going to see if the same password works for the Lego Windmill Makers forum that you also once posted a few times at. Instead they’ll see if they can use those credentials to compromise Gmail/Hotmail/Facebook/Twitter.
If your credentials for your important accounts are unique, this isn’t going to be a problem.
The key to website password security is keeping those important accounts with unique strong passwords. If they are unique and strong, you don’t have to worry so much when the account database of another site that you visit inevitably gets compromised.