Ask the Expert: Is Reusing the Same Password Risky?

Q: I know it’s not a good idea to reuse the same password, but it’s simply too hard to keep track of different logins! Plus, I’ve never had any problem up until now. So how risky is it to use the same password for everything?

I think we all can agree: keeping track of all our passwords is annoyingly difficult. Most of us have so many that it’s hard to keep track of them all. And it’s no secret that some of us (all of us?) use the same username/password combinations for most websites we visit.

A recent New York Times article reported that nearly 20% of users of a popular software program for social networking sites use easily guessed passwords, such as “123456,” “abc123,” “iloveyou,” or “password.”

What this means is that hackers could easily break into many accounts by simply trying commonly used passwords. If this describes you, you might as well leave your house key under your doormat.

We know in the back of our minds that using easy-to-guess passwords is a bad practice, but the idea of creating new passwords for every website we visit is too much to handle.

But all is not lost! If you follow a few simple rules, you can have secure, strong passwords and easily keep track of them.

Why Passwords are Important

We take passwords for granted, but they are often the only defense against someone getting their hands on our personal information, including financial information, health data, and private documents.

Passwords are generally used with another form of identification, such as a username or email address. Usernames tend to be some form of your name and are sometimes combined with your birth date. While your username is your public identity, your password is the private key that authenticates that you are who you claim to be.

Since your username is public and can be easily found or guessed, your password is really the only protection you have. To say it another way, your security is only as good as your password.

How Hackers Crack Passwords

It’s easier than you think to crack or break passwords. Password cracking is the process of finding out passwords in order to gain unauthorized entry to an account. Hackers crack passwords in a number of ways.

The simplest way is to use a dictionary program to break the password by comparing lists of words of characters against the password until it finds a match.

Hackers can also crack passwords by learning information about you, such as your name, birthdate, or other easily found information, and then using this information to guess your password. Another way hackers do it is by using sniffers which can read every keystroke from your machine, including passwords.

Five Best Practices

1. Don’t use common words, proper nouns, or foreign words

Password cracking tools are very good at processing large number of letter and number combinations until they find a match, so avoid using conventional words as passwords.

2. Don’t use personal information

We all want passwords that we can easily remember, so most of us have probably used personal information in our passwords at one time or another. But keep in mind that it’s alarmingly easy for hackers to find out personal information about you. So I highly recommend that you do not include any personal information in your passwords, such as your name, nickname, the name of a family member or pet, your birthdate, the year you graduated from high school or college, or your mailing address or telephone number.

3. Use a complex password

Strong passwords are complex. The longer the password, the harder it is to crack. And you shouldn’t limit yourself to just the alphabet. Use numbers and special characters such as “&” or “%”. You should use uppercase letters, lowercase letters, numbers, and special characters (such as $, ?, and &) in every password.

Another helpful tip is to start thinking about passwords in terms of phrases, such as “ImaRunnr%” for “I’m a runner,” or the first letters of a memorable phrase such as “2bon2b*” for “to be or not to be.”

Choose a phrase that has a personal meaning to you so it’s easy to remember, take the initials of that phrase, and add a number or special character.

Jeff Moss, the founder of a popular hacking conference who now sits on the Homeland Security Advisory Council, advises using passwords that are at least twelve characters long.

4. Don’t use the same password for multiple accounts

You should never use the same password on multiple accounts. If you do this, and a hacker is able to figure out your password for one account, he or she will be able to access all of your accounts.

Also, I recommend using a different username for sensitive websites such as your banking and stock trading sites, than the username you use for less-sensitive websites like Facebook.

5. Change your passwords regularly

In order to keep passwords strong, you should change them every three months or so. For online financial accounts, it’s probably good to change them every month or two. Use your own judgment and don’t be lazy. Remember, changing a password is much less painful than dealing with identity theft.

Best Defenses: VPN, Password Manager

Maybe it’s too hard for you to remember all your passwords, and it’s never a good idea to write them down. So what to do? Consider using a password manager, which is software that helps you organize all of your passwords. This software fills in your username and password data automatically, usually via a browser extension.

There are many password managers on the market, including RoboForm, Sticky Password, and Password Manager.

Passwords are just one piece of the puzzle in combating identity theft. The other pieces are strong antivirus software, firewalls, and using a VPN. But when the only method for controlling access to your personal information is a strong password, the best thing we can do is to be aware of the security risks and maintain strong passwords.