
With so many sites requiring a password it's very tempting to use only a single password everywhere. That's dangerous, and there are alternatives.

Can you use the same password for everything you need one for? Having a lot of different ones is really hard to remember, to the point that I have had to write each one down.

Yes, you can use the same password everywhere, but I really don't recommend it. It simply increases the risk of your accounts being compromised.

There are several approaches to password management that don't require using one password everywhere, and also don't require that you remember dozens, if not hundreds, of different passwords.

The risk of using only one password is simply that if that password is compromised, then everything you log in to is accessible to the person who now has it. And by using that one password in many different places, there are that many more opportunities for a hacker to get your one password.

In an ideal world you would use a different password for every login, but as you say - that's practically impossible to remember. Particularly if, on top of that, we throw in rules that say "passwords should simply be strings of random characters and never words that are easily remembered."

So passwords should be hard to remember and guess on purpose, and yet you need to remember them.

Yikes.

I have three alternatives for you.

Let the computer remember for you. Now, I don't mean let your browser remember, I mean invest in a tool like RoboForm that will automatically remember your passwords for you. In fact, if you set things up properly, you may never need to actually know any of your passwords. The fact that your email password is "bFDiA2W6" and your bank account's is "JhcNTa7Y" is something you might never actually need to know yourself. Roboform simply keeps track and remembers it for you. (It can also generate great random passwords for you - those two password examples came from Roboform's generate function.)


All you need to do is remember one password: the password to unlock Roboform itself.

The problem, of course, is if you ever find yourself without Roboform you may not have your passwords available. I can't tell you my GMail password, for example, and that was an inconvenience the other day as I used a computer that didn't have my Roboform data on it.

Use an algorithm. By "algorithm" I mean a set of rules that you apply each time you create a password, so that later you can re-create any password from the rules instead of remembering it. For example you might say that passwords are:

  • the first two letters of the site URL that's asking for a password

  • the first three characters of your first pet spelled backwards

  • your age on your birthday in the year 2010

  • two characters that indicate what the site is about - perhaps "ba" for bank, "em" for email, and so on - with the first letter capitalized.

So according to those rules my GMail password might be "goons53Em". Nothing that anyone will guess, but something that I can re-create by the rules without remembering the actual password.

That's just an example. You would create your own set of rules using things that you can fairly easily remember and some personal information you're not likely to forget. You can even jot down the algorithm without seriously compromising the passwords themselves.
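An added example, not code from the article or from RoboForm or PasswordMaker: the four rules above as a function, which reproduces "goons53Em" for google.com given a constructed pet name starting "sno" and age 53, beside a keyed-hash variant of the same one-secret-per-site idea, in which a per-site password reveals neither the secret nor the rules behind it. The pet name, the master secret and the HMAC-SHA256 construction are my assumptions.

```python
# Added example (not from the article): Leo's four password rules as a
# function, beside a keyed-hash variant of the same one-secret-per-site idea.
# The pet name and master secret used below are constructed placeholders.
import hashlib
import hmac
import string
from urllib.parse import urlparse

# 64 symbols, so one byte maps onto the alphabet without modulo bias
ALPHABET = string.ascii_letters + string.digits + "-_"


def site_host(site_url: str) -> str:
    """Normalise a URL to its host name so the same site always yields the
    same password (https://www.google.com/mail -> google.com)."""
    host = urlparse(site_url).hostname or site_url
    return host[4:] if host.startswith("www.") else host


def rules_password(site_url: str, pet_name: str, age_in_2010: int, category: str) -> str:
    """The article's rules applied literally: two letters of the site, first
    three letters of the pet reversed, age in 2010, capitalised category code.
    Every part is personal information, which is why a reader in the comments
    can recover the age and the pet's name from a single password."""
    site_part = site_host(site_url)[:2]
    pet_part = pet_name[:3][::-1].lower()
    return f"{site_part}{pet_part}{age_in_2010}{category.capitalize()}"


def derived_password(master_secret: str, site_url: str, length: int = 12) -> str:
    """Same goal (one thing to remember, a different password per site), but
    the site-specific part is HMAC-SHA256 of the host under the master secret,
    so a leaked password reveals neither the secret nor the pattern.
    This is an illustration, not PasswordMaker's own algorithm."""
    digest = hmac.new(master_secret.encode(), site_host(site_url).encode(),
                      hashlib.sha256).digest()
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:length])


if __name__ == "__main__":
    # "snoopy" is a constructed pet name chosen so the output matches the article
    print(rules_password("https://www.google.com", "snoopy", 53, "em"))  # goons53Em
    print(derived_password("correct horse battery staple", "https://www.google.com"))
    print(derived_password("correct horse battery staple", "https://bank.example"))
```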

Use a tiered approach. Could you remember three passwords? Then distribute them accordingly:

  • One for a few, but extremely important, sites. Make this a very secure password that you change relatively frequently.

  • One for a few more but less important sites. This should be secure, of course, but you might make it a tad easier to remember.

  • One for everything else. Perhaps you don't change this very often, perhaps you only use this for sites where you really don't care but are required to give a password anyway.

This isn't an ideal solution, but it's certainly better than having only one password everywhere.

A couple of additional notes.

I'm transitioning, and it's a long transition. For years I used the last alternative. I had four passwords that range from extremely important to not so much. I'm in the process of slowly transitioning to the Roboform generated password approach I mentioned first, as it's much more secure. It's also occasionally painful when I find myself at a computer without my Roboform data.

It's important that you change passwords regularly. The more different accounts you have, the more of a pain this is. But particularly if you're using passwords you can remember, they're likely easier to guess and thus should be changed more frequently than truly random, machine-generated passwords.

If you do choose your own passwords, make sure they're good passwords. Some frighteningly high number of account hacks are simply due to password guessing. People who know just a little bit about you are often able to simply make guesses at your password and they'll be right a frightening amount of time.

Never write your passwords down. That's exactly where password thieves know to look. Do something that you can remember, or something that your computer can securely remember for you.

And finally, I've only touched on a couple of possible password schemes. I'm certain that readers will provide other interesting approaches in the comments to this article. What's your approach?

Article C3511 - September 24, 2008

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18-year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


9 Comments
Ray
September 24, 2008 12:44 PM

An excellent alternative to RoboForm is the free KeePass Password Safe. It runs on many platforms including most smartphones, which means you can always have your passwords securely with you.

Ziggie
September 25, 2008 5:47 AM

I just text message my passwords to my phone and keep my phone with me (Kidding! Really!)

The best investment I ever made was in Roboform. I'm looking now at the ThumbDrive version of Roboform. On a computer without Roboform? Plug in the thumbdrive and run it off of there. You lose browser integration, but if you have a U3 device and run firefox off of it, it should integrate just fine.

That might be overcomplicating it a bit though.

Fuzzy
September 30, 2008 11:27 AM

I use Roboform and Roboform for Palm (it's a read-only version that's maintained via a conduit & HotSync). When I need the passwords, I unlock the Palm database and look it up there.

Dave
September 30, 2008 2:52 PM

One I've found particularly useful is PasswordMaker (http://passwordmaker.org). It's a plugin for your browser that uses an algorithm to calculate your password based on the URL and various other options. There's also an online webpage that can calculate them for you in case you're not at a computer with your plugin.

Robert Campbell
September 30, 2008 5:18 PM

You repeat the mantra, "It's important that you change passwords regularly." Why? If I have a good password for, say, my bank account and I access this account frequently, I will know very soon if the password has been compromised. If no one has been able to figure out my password in the last three months, why are they any more likely to figure it out in the next three months than a new password?

The problem is this assumption: "I will know very soon if the password has been compromised." Turns out that's not always the case. There have been cases of password theft followed by delays before compromise, specifically to make it more difficult to track the thief.
- Leo
29-Sep-2008

Bobi
September 30, 2008 7:34 PM

I use Roboform on a thumb drive. The Roboform part of the drive has the program and all my passwords. The program itself is password protected and I can use Roboform on any machine.

Gordon Ellis
October 1, 2008 5:05 AM

One main reason for not using the one password is some sites may store your password as plain text readable by system administrators. They shouldn’t but it makes life easier for them. It's obviously open to abuse if they do.

P Van Dusseldorp
October 1, 2008 7:00 AM

Please translate - "That's exactly where the next level of password their knows to look."

Sorry, reworded that. The point is simply that someone looking for your password will know to look for it written down somewhere. The classic case is scraps of paper "hidden" around your desk with your password(s) written on them. They will be found by someone looking for 'em.
- Leo
02-Oct-2008

Des Buckley
October 1, 2008 8:24 AM

Your example password algorithm is interesting, Leo. So NOW we know that you're 51 (same as me), and that your first pet's name was...eh... let's see, Snowie?? A great site, Leo, one of my favourites.
