
How to Use Just a Single Password for Everything

It’s possible; just not the way you think.

It's very tempting to use only a single password everywhere. That's dangerous, and there are better alternatives.
The Best of Ask Leo!


Question: Can you use just one password for everything you need one for? Having a lot of different ones is really hard to remember, to the point that I have had to write each one down.

There are two approaches to using just one password everywhere: the really, really bad approach, and the really, really good approach.

I’ll discuss both, and why you really want that really, really good one.


TL;DR:

Using just one password

Using the same password for all your accounts is extremely risky. Poor security at one service can compromise them all. A better approach is to use a password manager to remember and generate strong passwords. The only password you need to remember is the master password to your vault.

The same password everywhere

What most people think of as “just one password” is using the exact same password for all their online accounts. This is a really, really bad idea.

Using the same password everywhere puts you at the mercy of whichever service has the worst security. Even if services A, B, and C all have perfect security¹, if you use the same password at all of them and also at service D, which has poor security, your single password for everything stands a very good chance of being discovered.

The real risk, of course, is that if your single password is discovered, all the accounts are vulnerable. If a hacker gets your password for any of the accounts, they can now run around and try that password on all your accounts. And to be very clear: they are known to do exactly this.

Not knowing where your accounts are doesn’t stop them, either. Once they know they have an actual password, they can and do try it on dozens, if not hundreds, of online services. Chances are extremely high they’ll hit one you use.

The ideal world

In an ideal world, you would use a different password for every login.

In an ideal world, your passwords would all be long and complex.

Passwords should be unique, long, complex, and hard to guess — yet you need to remember them all.

Yikes.

I have a couple of alternatives for you.

One password, once

Invest in a tool like 1Password², which automatically remembers your passwords for you. This is the “really, really good” approach I alluded to above. It’s an app called a password vault.

The fact that your email password is “6MQFhUEwjiqyeiEdnsck” and your bank account’s is “xu4v9KzoQLRRNhY9nseK” is something you might never actually need to know yourself. 1Password simply keeps track and remembers it all for you.

It can also generate random passwords for you — those two password examples above came from 1Password’s password generator.

All you need to do is remember just one password: the password to unlock your 1Password vault.

1Password can synchronize your information across machines, across browsers, and even across mobile devices. I use 1Password myself and swear by it.

The problem is, of course, if you ever find yourself without 1Password, you may not have your passwords available. I can’t tell you my Gmail password, for example, and that was an inconvenience the other day when I was using a computer that didn’t have my 1Password data on it.

One algorithm

My other alternative to password management is to use an algorithm. By “algorithm”, I mean a set of rules that you use each time you create a password that you can then use to remember all your passwords.

For example, you might say your passwords are:

  • The first three letters of the site URL for which you are creating a password
  • The first three characters of the name of your first pet spelled backward
  • Your age on your birthday in the year 2010 + a number like 333
  • Three characters indicating what the site is about – perhaps “ban” for bank, “ema” for email, and so on – with the first letter capitalized
  • If the service requires it, a special character at a standard location – perhaps a “#” at the end

According to those rules, my Gmail password might be “gooons386Ema#”.

No one would guess that password, but it’s something I can re-create by remembering the rules of my algorithm without remembering the actual password.³

That’s just an example. You would create your own set of rules using things you can fairly easily remember and some personal information you’re not likely to forget. You can even jot down algorithm hints without seriously compromising the passwords themselves.
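To make the two approaches concrete, here is a small added example (not code from Ask Leo! or from 1Password). It generates a vault-style random password the way a password manager does, re-derives a password from the five rules above, and runs the kind of reuse check a password manager performs over a vault. The pet name “Snoopy” and birth year 1957 are constructed placeholders chosen so the rules reproduce the article’s sample output “gooons386Ema#”; footnote 3 says the author’s real rules are different. Rule 2 is read as “take the first three letters of the pet’s name, then reverse them”, which is one of two readings the wording allows.

```python
"""Added illustration of the article's two routes to "just one password".

Constructed placeholders, not anyone's real data: PET_NAME and BIRTH_YEAR are
chosen so that the article's five rules reproduce its sample password.
"""
import math
import secrets
import string

# ---- vault-style random passwords -------------------------------------------
# The article's two sample passwords use only letters and digits (62 symbols).
ALPHABET = string.ascii_letters + string.digits


def vault_style_password(length: int = 20) -> str:
    """Return a random password drawn with the OS CSPRNG, as a password vault does."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy for a uniformly random password of `length` symbols."""
    return length * math.log2(alphabet_size)


# ---- the rule-based "algorithm" ----------------------------------------------
PET_NAME = "Snoopy"   # constructed: first three letters "Sno" reversed give "ons"
BIRTH_YEAR = 1957     # constructed: age 53 on the 2010 birthday, 53 + 333 = 386
FIXED_NUMBER = 333    # the "number like 333" from rule 3


def site_prefix(url: str) -> str:
    """Rule 1: first three letters of the site, ignoring the scheme and 'www.'."""
    host = url.split("://", 1)[-1]
    if host.startswith("www."):
        host = host[4:]
    return host[:3].lower()


def algorithm_password(url: str, category: str, needs_special: bool = True,
                       pet_name: str = PET_NAME, birth_year: int = BIRTH_YEAR) -> str:
    """Re-derive a password from the article's five rules (rule 2 read as
    'first three letters of the pet's name, then reversed', an assumption)."""
    pet_part = pet_name[:3][::-1].lower()                 # "Sno" -> "ons"
    number_part = str((2010 - birth_year) + FIXED_NUMBER)  # 53 + 333 -> "386"
    category_part = category[:3].capitalize()             # "email" -> "Ema"
    special = "#" if needs_special else ""                 # rule 5, only when required
    return site_prefix(url) + pet_part + number_part + category_part + special


# ---- the reuse check a password manager runs over a vault ---------------------
def reused_passwords(vault: dict[str, str]) -> dict[str, list[str]]:
    """Map each password used at more than one site to the sorted list of those sites."""
    by_password: dict[str, list[str]] = {}
    for site, pw in vault.items():
        by_password.setdefault(pw, []).append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    print(algorithm_password("https://www.google.com", "email"))   # gooons386Ema#
    print(vault_style_password(), f"~{entropy_bits(20):.0f} bits")
    # Constructed vault: three sites, one password shared between two of them.
    sample = {"bank.example": "xu4v9KzoQLRRNhY9nseK",
              "mail.example": "Summer2010!",
              "shop.example": "Summer2010!"}
    print(reused_passwords(sample))
```

Running it prints the rule-derived Gmail password from the article, a fresh 20-character random password (about 119 bits of entropy at 62 symbols), and the two sites in the constructed vault that share a password. The contrast is the article’s point: the random password is unguessable but unmemorable, the rule-derived one is memorable because every part of it comes from something you already know.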

Additional notes

I use both.

  • I use 1Password-generated secure passwords on everything I possibly can. I could not tell you these passwords if my life depended on it, but 1Password remembers.
  • I have a select few algorithmically generated passwords. These are passwords that are lengthy and complex, but if need be, I can recall. I still store them in 1Password, because it’s easier to let 1Password do the data entry when it offers. Passwords I might have to laboriously “type” into a streaming service on my television could fall into this category.

If you do choose your own passwords, make sure they’re strong ones. A frighteningly high number of account hacks are simply due to password guessing. People who know just a little bit about you can make guesses at your password, and they’ll be right a startling amount of the time.

A word about paper

Don’t write your passwords down.

That’s exactly where thieves know to look if they break into your home or office. If you must write something, write down a hint to help you remember. But ideally, either use something you can remember on its own or something your computer can securely remember for you using a tool like 1Password.

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!


Footnotes & References

1: No such thing, by the way.

2: I use 1Password as my example because it’s what I recommend and use myself. There are many good alternatives out there as well.

3: For the record, that’s not my password. I do use an algorithm for a couple of key passwords, but it’s quite different than what I’ve described here.

13 comments on “How to Use Just a Single Password for Everything”

  1. If you’re using a computer that doesn’t have your password manager data on it, you’re still not up a creek if that password data is on your smartphone. True, you may have to laboriously copy that long password character by character, but once you do, you are in like Flynn!

    • It’s even easier than that. Most password managers let you access your vault on the web from your browser, so you can simply copy and paste them. Just be careful if you are using a clipboard manager. Delete any passwords stored in them.

  2. At work, they make us change passwords (more multiple systems) every 90 days and so it gets confusing. We can’t install any software or use any kind of online password vault. That would be a violation of network policy. So years ago, I came up with the idea of creating a password algorithm that works with the password requirements. IT recommends not changing your password on a Friday before a vacation because you’ll likely forget your new password. But my algorithm works great, and even after a vacation with a fresh password immediately prior, I still know exactly what my password is.

  3. I’m still using LastPass in spite of Leo’s recommendation(s) to change my password manager, in part because I’m familiar with it. I’ve tried Bitwarden, but found its user interface to be a bit too much of a bother for me, and I suspect that using any other manager will involve a learning curve/change of habits as well. They (LastPass) have improved their security posture significantly since the breach, and I see evidence that they are continually working to improve it as they see the need, and that they’re watching.

    Following the breach, as they provided me with information on how to improve my vault’s security, I’ve followed their advice. I increased the iteration count to 600,000, increased the length of my Master Password to at least 16 characters as well as that of all my stored passwords. I use 2FA to better secure my vault, and I have updated all my Internet accounts that support 2FA as well. For those sites that did not offer 2FA support, I either changed service providers or closed/deleted those accounts because if they care so little about the security of my data that they don’t provide 2FA support and secure my data with encryption, I don’t want to use them.

    At this point, if any of my passwords should fall into the hands of miscreants, it will do nothing for them because all of my Internet accounts are secured with 2FA (my second factor is needed to gain access), and both of my email accounts use passkeys (even better security). I’m hoping and waiting for the day when all Internet accounts can be secured with passkeys because they offer the best security to date (essentially, 2FA on steroids).

    Ernie (Oldster)

  4. I am already using an algorithm as Leo suggests and find it easy to remember the 20-character-long password for the 1Password manager. I changed from LastPass on Leo’s recommendation, but I found LastPass was a more user-friendly program. The graphic display that LastPass used worked better for me, and adding and editing was much simpler.

  5. While it’s convenient to have a password management program in the cloud, it’s essential to remember that they can be vulnerable to hacking. For instance, I once used Yahoo Mail for years, but it got hacked, and I lost all my data, and they couldn’t restore my ten years of content. Good luck keeping anything in the cloud.

