Why is this a bad thing?
Using the same password everywhere makes everyone’s life easier. It means you can log into your bank, your online shopping, your mailbox and social media without having to remember dozens of passwords.
However, using the same password on multiple online services is like using the same key to unlock your front door, your car, your suitcase and your safety deposit box.
If someone sees your key and makes a copy of it, they can now unlock everything. They can not only steal whatever you’re protecting with that key (money, personal information etc.), but they can also impersonate you to steal your friends’ and family’s money and personal information by abusing their trust in you.
My password is secret, so no-one will ever know it
You might think your password is secure because you’ve not told anyone about it.
You might be guilty of writing it down somewhere, but you’ve kept that private too. So there’s no problem, right?
Wrong.
Every time you use a password, it gets sent over the internet. If it’s correct, you get logged in.
In order for an online service to validate your login, it has to know your password – or at least store enough about it (usually a hash of it) to check that what you’ve provided is a match.
If an online service contains security vulnerabilities, it may only be a matter of time before the usernames and passwords of all its customers are stolen and end up online for all to see. Hackers do this for fun and for commercial gain.
Can I find out if my credentials have been leaked?
Yes you can. Check out the website of Troy Hunt: https://haveibeenpwned.com
Troy is a reputable and professional Information Security advisor. He’s been collecting published username and password lists over the last few years and has built a free service where anyone can check to see if their email address or username has been leaked.
At time of writing, Troy’s database has over four billion unique usernames and passwords.
His site also allows you to check whether your password has been publicised. The check is designed so that your password never leaves your device: only the first five characters of the password’s SHA-1 hash are sent to the site, and the matching against the returned candidates is done locally. It doesn’t give anything away other than telling you that the password is known, and that if it is known it should be changed immediately.
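To make the “your password never leaves your device” point concrete, here is an added example (not code from the original page or from Troy Hunt’s site) of the lookup the Pwned Passwords check performs. The endpoint name in the comment is the real one; the fetcher below is an offline stand-in that returns a constructed sample response, and the hit counts and the non-matching suffixes in that sample are made up for this example. The only real value in it is the SHA-1 remainder of the password “password”.

```python
from __future__ import annotations

import hashlib

# Constructed sample of a Pwned Passwords "range" response for the 5-character
# SHA-1 prefix of the password "password". Each line is "<35-hex suffix>:<count>".
# The first suffix is the real remainder of SHA-1("password"); the other two
# suffixes and all three counts are made up for this offline example.
SAMPLE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n"
        "1E5E7B36A3D5A9B0A9C3D1E1F2A3B4C5D6E:2\n"
        "2AA0C6B1D2E3F4A5B6C7D8E9F0A1B2C3D4F:17\n"
    ),
}

# Constructed filler returned for any other prefix, standing in for the several
# hundred unrelated suffixes a real response contains for every prefix.
FILLER_RANGE = (
    "0123456789ABCDEF0123456789ABCDEF012:5\n"
    "FEDCBA9876543210FEDCBA9876543210FED:1\n"
)


def hash_prefix_and_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-character prefix that
    is sent to the service and the 35-character suffix that stays on the device."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range_offline(prefix: str) -> str:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
    It only ever receives the prefix, which is the whole point of the design:
    a 5-character prefix matches roughly one in a million of all possible
    hashes, so the service cannot tell which password was being checked."""
    return SAMPLE_RANGES.get(prefix, FILLER_RANGE)


def parse_range_response(body: str) -> dict[str, int]:
    """Turn the 'SUFFIX:COUNT' lines of a range response into a lookup table."""
    table: dict[str, int] = {}
    for line in body.splitlines():
        if not line.strip():
            continue
        suffix, count = line.strip().split(":", 1)
        table[suffix.upper()] = int(count)
    return table


def pwned_count(password: str, fetch_range=fetch_range_offline) -> int:
    """Return how many times the password appears in the corpus (0 = not found).
    Neither the password nor its full hash is ever handed to fetch_range."""
    prefix, suffix = hash_prefix_and_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "A-long-unique-passphrase-not-in-the-sample"):
        n = pwned_count(candidate)
        verdict = f"seen {n} times, change it now" if n else "not in the sample corpus"
        print(f"{candidate!r}: {verdict}")
```

Swapping `fetch_range_offline` for a function that performs the real HTTP GET turns this into a working client; everything else stays the same, and the comparison of the 35-character suffix still happens on your own machine.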
What should I do?
The first step is to make a conscious decision to never ever use the same password for any online service ever again. This means having a unique password for every one.
You can do this by enlisting the help of a Password Manager and being tidy and disciplined.
Set up and use a Password Manager
Here’s my guide for setting up and using a Password Manager.
Be tidy
Your password manager is the only place you should store your passwords.
To avoid storing (potentially different) passwords in different places, you should:
- Stop your browser from remembering passwords – you will be using your Password Manager for this. Here’s how.
- When you’ve got everything in your password manager, clear down all passwords stored in your browser. Here’s how.
Be disciplined
- Always use your password manager and never store your passwords in a browser on any device.
- Whenever you sign up for an online service, use your password manager to generate and store a unique password.
- If you can’t use the password generation feature of your password manager, for example on your Smart TV, never use a weak password. Here’s a guide.
Add an extra layer of security
More and more online services also give you the option to add an extra layer of security called Two Factor Authentication (2FA) – sometimes called Multi Factor Authentication (MFA).
It sounds complicated, but is actually very straightforward and relatively friction-free.
Here’s my guide to setting up and using Multi Factor Authentication (MFA).