A simple explanation – why you NEVER use the same password twice

We’re all useless at passwords and security. Who hasn’t used one password for multiple logins? We all hear the most used password is a variation on the word password!!! People often think that using a variation of their password in different places is safe.

I am going to describe a quite realistic scenario explaining why using the same password multiple times is a really bad idea.

Unfortunately, this is why you should use different passwords for each website or service you access.

Let’s say you have an email account, JoeyBloggs@anywhere.com, and your password is a really good one like £4Hu5^knf. Surely you can use this one everywhere? Sorry, but the answer is no! I will explain.

You have an account with the shopping giant TheEmporium.com and they want you to log in. So you enter your email address and your ‘ultra secure’ password that you keep on a post-it note under your desk.

Then you open an account with eBay, PayPal and Amazon.

So far so good. You can use your password to get in and out of these accounts with ease.

Then, The Emporium suffers a data breach. If you’re lucky they will tell you and you change your password at TheEmporium.com.

Unfortunately, the data stolen was your password and email address, but that’s OK, you changed your password, didn’t you?

The damned hackers, though, have a nice big set of data containing all the email addresses and passwords from TheEmporium.com. What they do is feed them into a robot that starts using the same email address and password on all the major shopping sites, email systems, banks and whatever else they think may be successful.

They leave the robot running overnight and it patiently works its way through the list, testing each email address and password in turn on eBay, PayPal, Amazon, Target, B&Q, The Emporium, anywhere.com. The list could be thousands of websites long.

Oh oh!!! They just found a hit! Your email address and password work and they have logged into the email account JoeyBloggs@anywhere.com.

Now they control your email account. Then another hit! Amazon!!! It’s a good day for the hackers.

Guess what happens next. They go into Amazon and start ordering stuff to an address they have added to the account. You won’t see any emails about it, because they are diverting them to a second account they set up just for this purpose. You will still see some emails, so you won’t know there’s a problem; it’s just that nothing will show up from Amazon. If Amazon checks, the hackers can use your email account to confirm everything is OK and carry on shopping.

Luckily, you catch on. You stop payments or you claim money back after your accounts were hacked and hopefully everything is fine. Except of course, the email and password still work everywhere else you used the same combination.

So you can see from this little example why using the same password in multiple locations is a really bad idea. Of course, there are loads of fraud detection methods in play at Amazon, eBay, PayPal etc. Examples of that are two-factor authentication or geolocation logging, but the first line of defence is you and your own security. Don’t forget, you may use the same email and password in hundreds of locations over the years, so the problem may come back to bite you at any time. Not to mention that, as people, we are pretty poor at security, so what are the chances you’ll see the post-it note and reuse the password again somewhere else?

I have to point out, I am not even touching the implications of using your favourite cat’s name and your birth year, and how social engineering can get that information very quickly indeed.

Don’t forget, that tireless robot might still be plugging away testing the same combinations again and again.

So, what is the answer? Well, it’s surprisingly simple. There are many password vaults around you can use, such as NordPass or Dashlane, but the one I will highlight for this example is the Google Chrome browser.

If you create a Google account and then log into the Google Chrome browser, the next time you are signing in somewhere new, it will offer to create a password for you. The password will be very random and secure, and on top of that Google will store it for you. You don’t need to remember it; Chrome will do that for you and enter it next time you log into the same website. It will also remember the password on other devices for you if you log in and use Chrome.

It’s very secure, as you would expect, and you only have to remember one password, the one for your Google account. As a bit of a bonus, Google will alert you to known successful hacks of any sites for which you have stored passwords and it will prompt you to change the affected passwords.
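If you want to check your own saved passwords for the reuse problem described above, here is an added example (not part of the original post) that reads a password export, lists the sites sharing an identical password or a simple variation of one, and generates a random replacement. The CSV column names, the sample rows and the function names are assumptions made up for this example.

```python
import csv
import io
import re
import secrets
import string
from collections import defaultdict

# Constructed sample export: the columns are an assumption modelled on a
# typical password-manager CSV export, and every value is made up.
SAMPLE_EXPORT = """name,url,username,password
TheEmporium,https://theemporium.example,joey@anywhere.example,Tiddles1984
Shop A,https://shop-a.example,joey@anywhere.example,Tiddles1984
Shop B,https://shop-b.example,joey@anywhere.example,tiddles1984!
Bank,https://bank.example,joey@anywhere.example,q7#Vw2p!Lz0c@Kd9
"""

def root(password):
    """Lower-case and strip leading/trailing digits and symbols, so that
    'Tiddles1984' and 'tiddles1984!' reduce to the same root."""
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    return stripped or password  # keep all-digit/symbol passwords as-is

def audit(export_text):
    """Return (kind, [site names]) findings; passwords are never returned."""
    exact, roots = defaultdict(list), defaultdict(set)
    for row in csv.DictReader(io.StringIO(export_text)):
        exact[row["password"]].append(row["name"])
        roots[root(row["password"])].add(row["password"])
    findings = []
    for sites in exact.values():
        if len(sites) > 1:  # the very same password on several sites
            findings.append(("identical", sorted(sites)))
    for passwords in roots.values():
        if len(passwords) > 1:  # different passwords built on one root
            sites = sorted(s for pw in passwords for s in exact[pw])
            findings.append(("variation", sites))
    return findings

def new_password(length=20):
    """Random replacement drawn from the OS's secure random source."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    for kind, sites in audit(SAMPLE_EXPORT):
        print(kind, "password on:", ", ".join(sites))
    print("example replacement:", new_password())
```

An export file holds every password in plain text, so delete it as soon as the check is done.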

So, in summary: don’t reuse the same password. Don’t use your favourite pet, wife, husband or place of birth or any personal information in your password and finally, DON’T PANIC! Everything will be fine.
