72

I always read that using the same password on multiple sites is a risk. I'm wondering what is the real reason for this?

In my case, I use the same password on multiple sites everywhere. My password is, however, very strong and complicated and long that I saved in a text file and then copy for each connection on sites to which I subscribe. Does this method protect me from the risk because my password is too complicated and long?

chocolate
  • 837
  • 1
  • 6
  • 5
  • 81
    Using the same password on multiple websites is a Very Bad Thing. If one of these websites stores passwords in plaintext and the password database is compromised, it won't make any difference whether your password is ultra-strong. – dr_ Sep 29 '15 at 09:09
  • 32
    Text file? Really? Use a password wallet service like LastPass (there are many others, just an example), use a different, very complex password on every site, and protect the wallet with a complex, unique password that you don't use for anything else. – JPhi1618 Sep 29 '15 at 13:30
  • 11
    @JPhi1618 Because nothing is so secure as storing all your passwords in a service from a third-party. Sounds like moving the problem instead of fixing it. – Mast Sep 30 '15 at 14:06
  • 11
    @Mast some password wallets allow you to store the files locally in an encrypted file. You can use an online service if you want your passwords available on multiple or mobile devices, but there are solutions for all levels of paranoia. – JPhi1618 Sep 30 '15 at 14:23
  • 11
    @mast lastpass lets you store all your passwords locally and syncs them across devices, without hitting a server. it's as secure as it can be. if you're not using a password manager, you're doing life wrong. – user428517 Sep 30 '15 at 19:10
  • 3
    There are many password managers/databases available today, there is no good reason to reuse the same password everywhere, no matter how secure you *think* that password is. [KeePass](http://keepass.info/) is free (and I think it might be open source), while [1Password](https://agilebits.com/onepassword/) is a popular proprietary manager for both Windows and OS X (also iPhones). – 40XUserNotFound Oct 02 '15 at 02:42
  • I suppose one could create a bunch of low economic value accounts with the same high entropy password at a number of high profile sites: google, stackoverflow, yahoo, ashley madison, etc. Then systematically monitor each account. If you detect an unauthorized login, then it suggest that one of those guys was storing your password in plaintext. Other than that, I can not think of any good reason to reuse a password. – emory Oct 02 '15 at 10:28
  • 2
    It's worth mentioning [Plain Text Offenders](http://plaintextoffenders.com/) as practical evidence that lots of websites you might use do store your passwords, improperly, in plain text. If you use such a site and it is breached, your complex password is still lost. – E.P. Oct 04 '15 at 19:50
  • What do you mean by strong? If your password is "very strong" then no you don't have a problem. The more people who have your password (the more you reuse it) the weaker it gets. You cannot have a "very strong, often reused" password!! – corsiKa Oct 05 '15 at 05:24
  • The best way is to use single signon (if it's available) I log onto this site via Google, I don't have to have a password. Having multiple passwords is so yesterday. – Jodi Supporter Oct 01 '15 at 08:26
  • Password reuse is always a bad idea, it gets you used to doing something that will bite you down the road. GoToMyPC, Carbonite, LogMeIn, et.al. in the past week are showing why as one example that can be extended elsewhere. – Fiasco Labs Jun 22 '16 at 04:34

9 Answers9

174

Password reuse is a security bad practice because of of a simple attack scenario like this one:

enter image description here
Source: XKCD

With reusing a long and complicated password, you are still facing the same threats as highlighted in the above schema.

In addition to this, saving a password in a text file is an unsafe practice in that the privacy of your password depends also on the safety of your computer (think of malicious browser plugins you may install, drive-by download attacks installing spyware on your machine ...) and that of your network. You may also consider other scenarios like with phishing attacks on which the strength of your password does not play a role.

Community
  • 1
  • 40
    The privacy of your password *always* depends on the safety of your computer. It is, after all, what you're typing your password into. – timuzhti Sep 29 '15 at 07:46
  • 2
    have to disagree @Alpha3031 it doesnt always depend but it is a factor, virus, keylogs, trogens blah blah... all on the users system, but the comment from Begueradj is closer to the point. using a password over and over waters down its use. a key that opens any lock is a dangerous key to lose and the more you use it the more chance you have or losing it to someone. – TheHidden Sep 29 '15 at 09:30
  • 1
    I understand that password reuse is an issue, regardless of the password's strength, but how does it apply to the comic when the password isn't something that a hacker would just blindly guess? – Panzercrisis Sep 29 '15 at 13:06
  • 3
    Who cares what Confucius say... it's all about what XKCD say. – WernerCD Sep 29 '15 at 13:14
  • 16
    @Panzercrisis What do you mean? Nowhere in that comic is Black Hat blindly guessing at user's passwords. – Ajedi32 Sep 29 '15 at 13:27
  • @Ajedi32 I thought it meant that he compiled lists of "normal" e-mail addresses, usernames, and passwords and would use bots to just sort of permutate through them. – Panzercrisis Sep 29 '15 at 13:52
  • 24
    @Panzercrisis He compiled a list of emails, usernames, and passwords by asking users to enter that information when they sign up for his "free" service. No need to guess anything there, except what other services the users might be using that username and password combination on. – Ajedi32 Sep 29 '15 at 13:58
  • 22
    A security threat isn't a security threat until Randall does a comic about it. – corsiKa Sep 29 '15 at 14:57
  • 34
    A malicious site like the above is just one way in which your password might be compromised. More common would be a site that doesn't properly store the password, out of ignorance, incompetence, laziness, or all of the above. For example, any site that responds to a forgot password request by emailing you your password, is by definition storing it improperly. – stannius Sep 29 '15 at 15:38
  • 1
    @Ajedi32 Oh, I see now. Thx. – Panzercrisis Sep 29 '15 at 17:53
  • 3
    @stannius It's astounding how many services still store passwords with insecure hashes, or even PLAIN TEXT (!?) (Examples include 000webhost, perhaps the most popular free hosting provider, Neopets, at least in the past, etc.) – Brandon Anzaldi Sep 30 '15 at 21:10
  • 1
    @Brandon Anzaldi astounding, not to mention terrifying – Robin Kanters Oct 01 '15 at 06:48
  • 5
    @RobinKanters But unfortunately apparently still not illegal. I think there should be laws against this. – Stijn de Witt Oct 01 '15 at 19:38
  • 1
    @StijndeWitt Are you really expecting a government to actually enforce something that would make setting-up massive surveillance tools harder ? – ereOn Oct 01 '15 at 20:37
  • 8
    You'd arguably be safer with a different *less-secure* password for each site than a single *strong* password for all sites. No cross-pollution. – Rick Chatham Oct 01 '15 at 21:35
38

Every time you register and let an external system store your password, you are depending on the new system to ensure that your password is secured properly. This implies that if one of the external system is not securing your password (e.g. they store the password in plain text and have a SQL injection vulnerability) properly, regardless of your password security habit (e.g. using very large password, storing it in password manager), your shared password will be exposed if that external system is compromised. Once compromised, others can use the password to try to login to other potential sites and they will be successful if you are sharing the same password.

jhash
  • 641
  • 4
  • 7
31

Having a strong password does not protect you from vulnerabilities relating to password reuse.

So you've come up with a strong password that you use to sign up to most internet services you use. Great! You are now probably safe from people who are trying to log into your specific account by guessing every possible password you could have and hoping that one of them is correct (a "brute force" attack).

Let's say you come across my brand new website, that offers you some wonderful newsletter you're really interested in. You make the decision to sign up to this site. You enter your email address, and your usual strong password.

Unfortunately for you, I haven't been exactly honest, and while I will set up a newsletter subscription for you, I'm also sending the email address and password you just typed in to my personal email. Once that arrives in my inbox, I can try the combination on facebook, gmail, yahoo mail, twitter, etc etc. Sooner or later I'm going to get into one of your accounts.

Alternatively, suppose I was honest and wasn't out to steal your account, but I was just really bad at security. Maybe I was storing your password in a database in plain text, and didn't have anything in place to stop an attacker from getting into it. So, one day along comes a nasty person who finds a way to copy the contents of the database, and suddenly he has your email and password too! Oops.

When you choose a password for any website or service, it's always best to assume that the password could, at some point, be read by someone.

You just need to make sure that if and when that happens, the information that is compromised does not let anyone into any of your other accounts.

Hecksa
  • 411
  • 3
  • 3
  • 3
    "does not protect you from vulnerabilities" -- well, it protects you from *one* vulnerability relating to password reuse, which is that if a well-hashed-and-salted password file is lost to an attacker, and the password is *weak*, then the attacker gets your password-for-everything. Possibly the questioner has committed the common fallacy of taking a security measure and a single threat model, observing that the measure isn't necessary in nullifying that particular threat, and concluding that the security measure isn't necessary. – Steve Jessop Sep 29 '15 at 18:09
  • @SteveJessop If the password is strong enough, the salt won't matter. And as long as the hash is MD5 or stronger then it is still possible to have security as long as the password is strong enough. The threat is going to be that one site among all of those you use on which the password is stored insecurely. – kasperd Oct 01 '15 at 09:46
  • @kasperd: The salt _does_ matter. If your password requires a billion attempts to guess, and I have a million unsalted passwords, I will make a billion guesses because that gets me _your_ password and every single password of equal strength. If the password is salted, I won't make a billion guesses because these guesses only give me _one_ password. I would need 10^15 guesses to crack your password and every single password of equal strength. – gnasher729 Oct 02 '15 at 08:42
  • Now if the attacker is only after my password and doesn't care about the other million encrypted passwords, then the salt makes no difference. But that is extremely unlikely. And if the attacker is after the password of one of the other million users and cares only about that password, without salt I'm sure they wouldn't throw the other cracked passwords (including yours) away. – gnasher729 Oct 02 '15 at 08:43
  • @gnasher729 I said **If the password is strong enough** and you suggest it can be guessed in 10¹² attempts. If it only takes 10¹² attempts to guess the password, then it wasn't strong enough. I would never call a password very strong if it had less than 128 bits of entropy. With that strength we are talking 10³⁸ attempts. – kasperd Oct 02 '15 at 11:30
10

What password reuse does is increasing the attack surface by giving an attacker the ability to compromise all your accounts through one attack. This can be accomplished through a MITM (which would require a forged certificate for TLS sites), obtaining the password through a database (which requires access, and is also pretty much impossible with a secure hash + salt), or a malicious website, the last option being the easiest.

Your password is now only as secure as the weakest website, and many sites use depreciated security protocols. Your password's entropy won't protect you, because there are far lower entropy methods of obtaining your password.

timuzhti
  • 956
  • 12
  • 19
5

I would encourage everyone to secure their passwords as much as they care about being compromised. You can't know if a sites security is good or not, and thus your password could be compromised. Assume the site security is bad and your password could be known by millions of people tomorrow.

That means:

Only re-use passwords on throwaway sites that force you to register a password that you wouldn't care if someone broke into. A good example would be adobe.com that forces you to register, but is otherwise a useless account.

Never re-use passwords for your primary email account since access to your primary email can be used to reset your password on other sites. Enable two-factor authentication if possible.

Never re-use a password for anything where you could lose money. Banks, paypal, and investment sites are all easy targets to steal from you. Sadly, most of these sites don' offer two-factor authentication, so password re-use could easily cost you money from theft.

Steve Sether
  • 21,480
  • 8
  • 50
  • 76
  • 2
    Well I don't know about your country but in the UK two-factor authentication for online banking is the norm. You also need to enter not only a user-defined password but a bank-defined passcode. Password re-use isn't really an issue for banking accounts. – Lightness Races in Orbit Sep 29 '15 at 23:29
  • 2
    @LightnessRacesinOrbit Most US banks, sadly, don't offer 2FA (most use "security questions" instead) – Machavity Sep 30 '15 at 15:09
  • 3
    @Machavity: Grief :( I'm so sorry. So much for being the "New World", eh? ;) – Lightness Races in Orbit Sep 30 '15 at 15:17
3

Re-using the same password doesn't mean your site logins and the data they protect are all as secure as your (hopefully very secure) password. Instead it means that your logins, and data, are instead as secure as the site with the weakest security on your list of sites.

If someone breaks into/steals, I don't know, Adobe's user database, or LinkedIn's or Ashley Madison's (not to suggest you have an account there of course) then they will have the email address/username and password of everyone on that site who uses a system like yours.

Do you really think it's beyond the wit of people smart enough to do that to also be smart enough to write an automated process to try those cracked usernames and passwords against other popular sites?

Rob Moir
  • 399
  • 1
  • 10
  • 1
    Not that I'm disagreeing with your overall point, but the passwords of the sites you mentioned were hashed. Under the OP's premise we are using a "very strong" password, so it can't be recovered from the hash. Of course, it's always possible that a website that doesn't store passwords in hashed form is breached. – Volker Oct 02 '15 at 07:39
  • @volker you're right but I mentioned all 3 sites because password data from those sites was cracked. Hashing is a speed bump (often because it's badly done) not a wall. – Rob Moir Oct 02 '15 at 09:12
  • 2
    Actually your security is weaker than the weakest security on your list of sites. What is to stop a hacker from opening their own site for the sole purpose of collecting passwords. If they can convince you to register on their site (free porn, pictures of cats, etc), they have the keys to all your sites. – emory Oct 02 '15 at 10:19
  • @emory absolutely. I shouldn't be at all surprised to hear this is already going on far more than we suspect. – Rob Moir Oct 02 '15 at 10:21
  • @Volker I somewhat disagree. There are several hash brute forcing solutions out there. Of which some are randomly generated and not just dictionary. If someone wanted to recover a password from a hash, figures out the salt, hash procedure, and is willing to brute force it then the possibility to recover from a hash exists. Where I somewhat agree is with a strong password this could take days, months, years, or decades and likely would not likely happen unless you had a very patient attacker. – Bacon Brad Oct 30 '15 at 23:04
  • @Brad Metcalf: I guess it all depends on what exactly you mean by "very strong password". If the corresponding password space has 2^128 possibilities (>18 ASCII characters), it would on average take 10^18 years to crack an MD5 hash, if you can check a trillion password candidates per second. That's one hundred million times the age of the universe. Does the possibility to recover the password before the sun blows up exist? Yes, but it's negligibly small. – Volker Nov 02 '15 at 08:51
1

The strength of your password comes down to the security of the site you use it on. All it takes is 1 site to not protect it and it exposes all the others. Basics like hashing passwords with a salt should be the minimum for any site that asks for your password. If the store it in plain text then they have exposed every other site you use too. If a site emails you a password if you've forgotten it and not a way to reset then they have stored your password as plain text and you should change all accounts that was using that password.

RyanTCB
  • 111
  • 2
1

If you really want to use the same password for all websites, why not use a password manager? That way, you only have to remember one password (for your password manager) and you also have a unique strong password for each site. If any websites you use are compromised, only that password is compromised and not all of your logins.

JonnyWizz
  • 1,971
  • 1
  • 14
  • 34
-1

I think it’s good to have a strong password that’s as long as possible and avoid words to prevent brute force attacks that use words in the dictionary to guess random passwords like thunderbolt25815.

But some sites prevent that by setting a password limit. Enter the wrong password too many times and it will lock you out or lock your account to prevent all logins from anywhere

But some sites don’t and some sites have bad security. If someone hacks into the database in plain text without encryption, all your website passwords are useless. They will just put the passwords over and over in different sites until they get the right site. In some of the worst cases, they can get access to something which has your credit card like Amazon which could cost you a lot of money. Do you want that? Do you want to sacrifice security for easy to remember passwords? If 'no' then get a long password that’s different for every site and try to get 2 step verification on so no one can get access to one site just by hacking one site. They will need more than just a password.

schroeder
  • 123,438
  • 55
  • 284
  • 319
Tk55891
  • 1
  • 1
    The first section does not answer the question. The second section is not relevant to the question, and the last section repeats whateveryone else has said. Please make sure that your answers use proper sentence structure, are on-topic, and say something unique from the other answers. – schroeder Aug 09 '18 at 16:39