Why can’t I just use the same password everywhere?

aka “I don’t know my own passwords”

I’m sure for most of my readers, this is a bit of a “well, DUH” post. Good. But I’ve been in a couple of conversations recently where the weakness of using just one or two passwords everywhere clearly hasn’t been understood, so I resorted to the key analogy (no, no, not any kind of digital key!). And since I had to go to all the trouble of laying it out in small words, I thought I might as well turn it into a blog post.

If the key to your car is stolen, you might lose your car. If that same key is used to access your house, safe, motorcycle, gym locker, safety-deposit box, office, postbox, garage and garden shed, you could lose just about everything you own. Think about it. You could lose it all.

Now think about this: that key gets copied by the mechanic who services your car. Somebody that you just hand it over to, somebody who needs it (and unfortunately happens to be the bad guy in this imaginary scenario). There’s no avoiding giving him the key. So why give him the key to your entire life? You wouldn’t do that, right? Just give him the car key!

It’s exactly the same with passwords. NEVER use the same password in more than one place: there is always a chance that somebody peeks at it and tries it (along with the same email address you registered with) on various other common sites. Or just one site out of the dozens or hundreds you use isn’t careful about protecting passwords, and it gets leaked. Before you know it, your online accounts have been hijacked. All of them. At least, all of them that use the same login credentials.

Just don’t do it! Rather use utilities like this to generate unique strong passwords for each site or service.

You retain the keys that can unlock the passwords, they see only what they need. Nobody ever gets your password for another site. Doing it this way allows you to not know your own passwords (and honestly, how would you ever remember that one above, right?), but gives you the ability to re-generate them on demand. Coupled with a good password vault service, it’s a solid solution.

“My company insists I create new passwords every sixty days”

Hate it when that happens. But there are good reasons for it.

In this case, add a date token onto the end of your Secret Word or Secret Number. So if your Word is “fabulously”, make it “fabulously-Mar-2021” or something. This doesn’t weaken the encryption used at all.
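A minimal per-site generator of the kind described above, added here as an illustration (it is not the tool the post links to, and it uses PBKDF2 rather than whatever that tool uses). The master secret, the site names, the date token and the 20-character output length are constructed assumptions.

```python
import base64
import hashlib

# Constructed sample values for illustration only.
MASTER_SECRET = "fabulously"          # the post's example Secret Word
SITES = ["example-bank", "example-shop", "example-mail"]


def derive_site_password(master_secret, site, date_token="", length=20):
    """Derive one site's password from a single master secret.

    The site name (plus an optional date token such as "Mar-2021") is the
    salt, so every site gets a different password and a rotation token
    yields a fresh one on demand. The key derivation is one-way and slow,
    so a password leaked by one site does not give away the master secret
    or any other site's password. The master secret itself never leaves
    the user's machine; each site sees only its own derived value.
    """
    salt = f"{site}|{date_token}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master_secret.encode(), salt,
                              iterations=200_000, dklen=32)
    # Printable characters, trimmed to the site's length limit.
    return base64.b64encode(key).decode()[:length]


def passwords_are_unique(master_secret, sites):
    """True when no two sites share a derived password."""
    pwds = [derive_site_password(master_secret, s) for s in sites]
    return len(set(pwds)) == len(pwds)


if __name__ == "__main__":
    for s in SITES:
        print(s, derive_site_password(MASTER_SECRET, s))
    # Rotation: the date token changes the password without changing the secret.
    print("example-bank (Mar-2021)",
          derive_site_password(MASTER_SECRET, "example-bank", "Mar-2021"))
```

The flip side of any scheme like this is that the master secret unlocks everything, so it still needs to be long, private and never typed into a site.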

If you have any tips for staying safe on the web, I’m all ears!

Grumpy

grumpyoldfart.org

I'm a grumpy old fart. I know a lot about leadership, culture & agility, and a little about woodworking.
