Summary: With so many sites requiring a password it's very tempting to use only a single password everywhere. That's dangerous, and there are alternatives.
Can you use the same password for everything you need one for? Having a lot of different ones is really hard to remember, to the point that I have had to write each one down.
•
Yes, you can use the same password everywhere, but I really don't recommend it. It simply increases the risk of your accounts being compromised.
There are several approaches to password management that don't require using one password everywhere, and also don't require that you remember dozens, if not hundreds, of different passwords.
•
The risk of using only one password is simply that if that password is compromised, then everything you log in to is accessible to the person who now has your password. And by using that one password in many different places, there are that many more opportunities for a hacker to get your one password.
In an ideal world you would use a different password for every login, but as you say - that's practically impossible to remember. Particularly if, on top of that, we throw in rules that say "passwords should simply be strings of random characters and never words that are easily remembered."
So passwords should be hard to remember and guess on purpose, and yet you need to remember them.
Yikes.
I have three alternatives for you.
•
Let the computer remember for you. Now, I don't mean let your browser remember, I mean invest in a tool like RoboForm that will automatically remember your passwords for you. In fact, if you set things up properly, you may never need to actually know any of your passwords. The fact that your email password is "bFDiA2W6" and your bank account's is "JhcNTa7Y" is something you might never actually need to know yourself. Roboform simply keeps track and remembers it for you. (It can also generate strong random passwords for you - those two password examples came from Roboform's generate function.)
All you need to do is remember one password: the password to unlock Roboform itself.
The problem, of course, is if you ever find yourself without Roboform you may not have your passwords available. I can't tell you my GMail password, for example, and that was an inconvenience the other day as I used a computer that didn't have my Roboform data on it.
•
Use an algorithm. By "algorithm" I mean choose a set of rules that you use yourself each time you create a password that you can then use later to remember all your passwords. For example you might say that passwords are:
the first two letters of the site URL that's asking for a password
the first three characters of your first pet spelled backwards
your age on your birthday in the year 2010
two characters that indicate what the site is about - perhaps "ba" for bank, "em" for email, and so on - with the first letter capitalized.
So according to those rules my GMail password might be "goons53Em". Nothing that anyone will guess, but something that I can re-create by the rules without remembering the actual password.
That's just an example. You would create your own set of rules using things that you can fairly easily remember and some personal information you're not likely to forget. You can even jot down the algorithm without seriously compromising the passwords themselves.
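The rule-based scheme above, written out as code so the trade-off is visible. This is an added example, not code from the article or from any product it mentions: it reproduces the article's sample "goons53Em" from constructed inputs (the pet name "Snowball" and the category word "email" are assumptions chosen to hit that output), shows that such a password carries its personal inputs in the clear, and goes one step further than the article with a keyed-hash derivation that keeps the "remember one thing, derive the rest" idea while leaving nothing readable in the result. The random generator at the top stands in for the kind of password a manager like RoboForm produces.

```python
import base64
import hashlib
import hmac
import secrets
import string
from urllib.parse import urlsplit

# 1. Random passwords, the kind a password manager's generator hands you.
ALPHABET = string.ascii_letters + string.digits


def random_password(length=8):
    """Draw every character from the OS CSPRNG (secrets), never from random.random()."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


# 2. The article's rule-based scheme, one function per rule.
def normalised_host(url):
    """Host name of a URL or bare site name, without scheme, path or a leading 'www.'."""
    host = urlsplit(url if "//" in url else "//" + url).hostname or url
    return host[4:] if host.startswith("www.") else host


def site_prefix(url):
    """Rule 1: the first two letters of the site."""
    return normalised_host(url)[:2].lower()


def rule_password(url, first_pet, age_in_2010, category):
    """Rules 1-4 combined: site prefix, first three letters of the pet's name
    reversed, age in 2010, two-letter category with its first letter capitalised."""
    pet_part = first_pet[:3][::-1].lower()  # 'Snowball' -> 'Sno' -> 'onS' -> 'ons'
    return f"{site_prefix(url)}{pet_part}{age_in_2010}{category[:2].capitalize()}"


def readable_fragments(password, personal_facts):
    """Return the personal facts that appear verbatim inside the password.
    A rule-based password carries its inputs in the clear, so one leaked
    password (or one well-read comment) exposes the rule behind all of them."""
    return [fact for fact in personal_facts if fact.lower() in password.lower()]


# 3. A keyed derivation: still one secret to remember, one password per site,
#    but the output reveals neither the secret nor the site it was made for.
def derived_password(master_secret, url, length=12):
    """HMAC-SHA256 over the normalised host, keyed by the master secret,
    base64-encoded and truncated. Deterministic for a given (secret, site)."""
    mac = hmac.new(master_secret.encode(), normalised_host(url).lower().encode(),
                   hashlib.sha256).digest()
    return base64.b64encode(mac).decode()[:length]


if __name__ == "__main__":
    # Constructed inputs, chosen so the rule reproduces the article's sample.
    pw = rule_password("google.com", "Snowball", 53, "email")
    print(pw)                                      # goons53Em
    print(readable_fragments(pw, ["ons", "53"]))   # ['ons', '53']
    print(random_password())
    # "a long master passphrase" is a constructed placeholder secret.
    print(derived_password("a long master passphrase", "google.com"))
```

Two points worth noticing when you run it: the same master secret yields the same derived password for "google.com" and "https://www.google.com/mail", because the host is normalised first, and base64 output can contain "+" and "/", which some sites reject, so a real scheme would map those to characters every site accepts.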
•
Use a tiered approach. Could you remember three passwords? Then distribute them accordingly:
One for a few, but extremely important sites. Make this a very secure password that you change relatively frequently.
One for a few more but less important sites. This should be secure, of course, but you might make it a tad easier to remember.
One for everything else. Perhaps you don't change this very often, perhaps you only use this for sites where you really don't care but are required to give a password anyway.
This isn't an ideal solution, but it's certainly better than having only one password everywhere.
•
A couple of additional notes.
I'm transitioning, and it's a long transition. For years I used the last alternative. I had four passwords that ranged from extremely important to not so much. I'm in the process of slowly transitioning to the Roboform generated password approach I mentioned first, as it's much more secure. It's also occasionally painful when I find myself at a computer without my Roboform data.
It's important that you change passwords regularly. The more different accounts you have, the more of a pain this is. But particularly if you're using passwords you can remember, they're likely easier to guess and thus should be changed more frequently than truly random machine-generated passwords.
If you do choose your own passwords, make sure they're good passwords. Some frighteningly high number of account hacks are simply due to password guessing. People who know just a little bit about you are often able to simply make guesses at your password and they'll be right a frightening amount of time.
Never write your passwords down. That's exactly where password thieves know to look. Do something that you can remember, or something that your computer can securely remember for you.
And finally, I've only touched on a couple of possible password scheme options. I'm certain that readers will also provide interesting approaches in the comments to this article as well. What's your approach?
Related:
What's a good password? Good passwords are hard to crack and hard to remember. As a result, many people don't use really good passwords, even though they should. We'll look at what makes a good password, and some ways to make them easier to remember.
Recommendation: RoboForm Password Manager and more With lots of accounts on the web, good security says their passwords should all be unique. Your computer can remember them for you with RoboForm.
How can I keep data on my laptop secure? Laptops are portable, convenient and easily lost. When lost all the data could easily be available to the finder. Encryption is the answer.
Article C3511 - September 24, 2008
An excellent alternative to RoboForm is the free KeePass Password Safe. It runs on many platforms including most smartphones, which means you can always have passwords securely with you.
Posted by: Ray at September 24, 2008 12:44 PM
I just text message my passwords to my phone and keep my phone with me (Kidding! Really!)
The best investment I ever made was in Roboform. I'm looking now at the ThumbDrive version of Roboform. On a computer without Roboform? Plug in the thumbdrive and run it off of there. You lose browser integration, but if you have a U3 device and run firefox off of it, it should integrate just fine.
That might be overcomplicating it a bit though.
Posted by: Ziggie at September 25, 2008 5:47 AM
I use Roboform and Roboform for Palm (it's a read-only version that's maintained via a conduit & hotsync). When I need the passwords, I unlock the palm database and look it up there.
Posted by: Fuzzy at September 30, 2008 11:27 AM
One I've found particularly useful is PasswordMaker (http://passwordmaker.org). It's a plugin for your browser that uses an algorithm to calculate your password based on the URL and various other options. There's also an online webpage that can calculate them for you in case you're not at a computer with your plugin.
Posted by: Dave at September 30, 2008 2:52 PM
You repeat the mantra, "It's important that you change passwords regularly." Why? If I have a good password for, say, my bank account and I access this account frequently, I will know very soon if the password has been compromised. If no one has been able to figure out my password in the last three months, why are they any more likely to figure it out in the next three months than a new password?
29-Sep-2008
I use Roboform on a thumb drive. The Roboform part of the drive has the program and all my passwords. The program itself is password protected and I can use Roboform on any machine.
Posted by: Bobi at September 30, 2008 7:34 PM
One main reason for not using the one password is some sites may store your password as plain text readable by system administrators. They shouldn't, but it makes life easier for them. It's obviously open to abuse if they do.
Posted by: Gordon Ellis at October 1, 2008 5:05 AM
Please translate - "That's exactly where the next level of password their knows to look."
02-Oct-2008
Your example password algorithm is interesting, Leo. So NOW we know that you're 51 (same as me), and that your first pet's name was...eh... let's see, Snowie?? A great site, Leo, one of my favourites.
Posted by: Des Buckley at October 1, 2008 8:24 AM