“Hi, my name is jik, and I’m a password reuser.”
“Hi, jik!”
If there isn’t a “Password Reusers Anonymous”, there probably should be.
By “password reuse,” I mean using the same password over and over on multiple Web sites. It’s a really bad idea, and I should know that better than most, since I’ve worked on and off in the field of computer security for over two decades.
- Operators of a bad Web site could use users’ passwords to log on to other sites where the users have accounts. If you think this would never happen, take a look at how many credit-card skimming operations are perpetrated by store owners, waiters, etc. (including this one, which I personally got snared in through the use of my corporate AmEx card).
- An operator of the site could sell its database of email addresses and passwords to hackers, who could then use them to make large-scale attempts to break into accounts on other sites.
- Even without the cooperation of the Web site’s operators, a hacker could break into the site, steal the account database, and use it as described above.
- Many of these Web sites will email your password to your email account if you tell the site that you’ve forgotten it. If someone breaks into your email account, they can look at old messages to see what sites you have accounts at, tell one of those sites to email your password, and then use that password to log into the other sites you’ve used.
- If you are the kind of person who has to worry about keeping things private from family members, the problem above is even worse, since they can look in your browser history, not just old messages in your mailbox, to find out what sites you’ve visited and may have accounts at.
But the biggest problem by far, which dwarfs all the problems listed above, is: If your password is somehow compromised, then you need to change it on every Web site on which you’ve used it.
If using the same password on multiple Web sites is such a bad idea, then why do so many people do it? Simply put, because it’s easier to remember one password than it is to create and remember hundreds of them. And if you can’t remember them, then you need to write them all down on a list somewhere, and find a way to both keep the list secure and make it accessible whenever and wherever you need it. There are some tools available to make this easier, but the best ones cost money, and not many people are savvy enough to go looking for tools to handle this sort of thing.
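As an added illustration (not code from the original post), the following Python script does the two things a password manager does that the post argues for: it finds which entries in a vault share a password, and it replaces each reused one with a fresh, unique, randomly generated password. The vault contents are a constructed sample; the function names and the 20-character default length are assumptions for the example, not a description of any particular product.

```python
import hashlib
import secrets
import string
from collections import defaultdict

# Constructed sample vault (site -> password). One password is reused on three sites.
SAMPLE_VAULT = {
    "shop.example": "hunter2!2005",
    "forum.example": "hunter2!2005",
    "bank.example": "Qv7#pLm2$xR9wE",
    "news.example": "hunter2!2005",
}

SYMBOLS = "!#$%&*+-=?@^_"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def password_fingerprint(password: str) -> str:
    """Hash the password so the reuse report never has to carry plaintext."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:16]


def find_reused_passwords(vault: dict) -> dict:
    """Return {fingerprint: [sites]} for every password used on more than one site."""
    groups = defaultdict(list)
    for site, password in vault.items():
        groups[password_fingerprint(password)].append(site)
    return {fp: sorted(sites) for fp, sites in groups.items() if len(sites) > 1}


def generate_password(length: int = 20) -> str:
    """Generate a random password with the OS CSPRNG (the `secrets` module).

    Each call is independent, so every site gets a password that is not
    derived from any other site's password.
    """
    if length < 12:
        raise ValueError("use at least 12 characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Require one of each class so the result passes typical site rules.
        if (any(c.islower() for c in candidate)
                and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in SYMBOLS for c in candidate)):
            return candidate


def rotate_reused(vault: dict) -> dict:
    """Return a copy of the vault in which every reused password is replaced.

    Sites whose password was already unique are left untouched; only the
    entries that share a password with another site get a new one.
    """
    reused_sites = {s for sites in find_reused_passwords(vault).values() for s in sites}
    new_vault = dict(vault)
    for site in reused_sites:
        new_vault[site] = generate_password()
    return new_vault


if __name__ == "__main__":
    for fp, sites in find_reused_passwords(SAMPLE_VAULT).items():
        print(f"password {fp} is reused on {len(sites)} sites: {', '.join(sites)}")
    fixed = rotate_reused(SAMPLE_VAULT)
    print("reused entries after rotation:", find_reused_passwords(fixed))
```

Run against the sample vault it reports one shared password across `forum.example`, `news.example` and `shop.example`; after rotation no entry shares a password with any other, and `bank.example` keeps its original value. Comparing hashes rather than plaintext is a small habit worth keeping: the reuse report itself should never become another copy of the passwords.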
I fell into the password reuse trap years ago, when data breach incidents were few and far between and tools for managing passwords didn’t exist. Old habits die hard, and I never broke this one. And so, since last week, when the password I’ve been using as my standard third-party Web site password for well over a decade was compromised (I will post later about how it was compromised), I’ve had to spend every available moment changing my password on over 300 Web sites. Believe me, it took a while.