
Assume I have two Github accounts, one for regular use and one for testing purposes. Or two PGP keys, one for pass and the other for encrypted email communication, and my backup scheme is exactly the same for both keys.

Now assume I use a single password for my two Github accounts and another single password for my two PGP keys.

To what extent is my overall security diminished by this practice?

This answer to a related question states that

you should never use the same password in different places, unless that password protects the same data or gives you the same privileges

In my hypothetical case, a single password would protect different data, but the threat model would be very similar.

e18r

2 Answers


The purposes of those accounts are different, and so is the data protected by those passwords. If only one password gets stolen, the attacker will be able to access both the services / data / accounts / etc. So to reduce the impact of a possible attack or at least to slow down the attacker, those passwords should be different. Even if the threat model makes you suppose that both passwords will be stolen anyway, there might be some cases where you will be able to detect the attack before both accounts are compromised, so having different passwords will help.

That said, in theory you shouldn't even be asking this question. Why? Because you probably already have tons of accounts with tons of passwords that should all be different, and to manage all this data you will probably have a password manager (or write them down somewhere, etc.). So it should not be a problem for you to use different passwords in this case as well.

reed
  • Your second paragraph brings up a very good point. In truth, this question arose precisely because my password manager's browser plugin doesn't handle multiple accounts in a single domain very well, nor does it handle gpg passwords very well. But your answer makes me realize this is more of a password manager UX issue than anything else. – e18r Jun 21 '19 at 17:34
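The answer above and the comment on it turn the question into a password-manager hygiene problem: does the vault contain the same password under more than one entry, and if so, is the reuse confined to one site (the two GitHub accounts) or spread across unrelated services? The following script is an added example for this thread, not code from any of the answerers or from a real password manager. It audits a vault export for reuse and labels each reused password as same-site or cross-site. The export format (a list of entries with site, username and password fields) and every credential in it are constructed assumptions; passwords are reported only as truncated SHA-256 fingerprints so the audit output never carries cleartext secrets.

```python
"""Audit a password-manager export for reused passwords (added example)."""
import hashlib
from collections import defaultdict

# Constructed sample vault export; the schema and all values are assumptions,
# not a real manager's format or real credentials.
VAULT = [
    {"site": "github.com", "username": "main-account", "password": "Xk9#pLm2vQ7!"},
    {"site": "github.com", "username": "testing-account", "password": "Xk9#pLm2vQ7!"},
    {"site": "gpg:pass-key", "username": "pass", "password": "correct horse battery"},
    {"site": "gpg:email-key", "username": "mail", "password": "correct horse battery"},
    {"site": "example.net", "username": "someone", "password": "unique-to-this-site"},
]


def fingerprint(secret):
    """Short SHA-256 fingerprint so reports never include the cleartext password."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()[:12]


def find_reuse(vault):
    """Map fingerprint -> [(site, username), ...] for every password used more than once."""
    groups = defaultdict(list)
    for entry in vault:
        groups[fingerprint(entry["password"])].append((entry["site"], entry["username"]))
    return {fp: accounts for fp, accounts in groups.items() if len(accounts) > 1}


def classify(accounts):
    """'same-site' when all reuse stays within one site (the question's GitHub case),
    'cross-site' when one password unlocks entries at different services."""
    sites = {site for site, _ in accounts}
    return "same-site" if len(sites) == 1 else "cross-site"


def report(vault):
    """Return sorted (fingerprint, kind, sorted accounts) tuples for reused passwords."""
    findings = []
    for fp, accounts in find_reuse(vault).items():
        findings.append((fp, classify(accounts), sorted(accounts)))
    return sorted(findings)


if __name__ == "__main__":
    for fp, kind, accounts in report(VAULT):
        who = ", ".join(f"{user}@{site}" for site, user in accounts)
        print(f"{fp}  {kind:10}  {who}")
```

Run against the constructed vault it flags two groups: the GitHub pair as same-site reuse and the two GPG passphrases as cross-site reuse, while the entry with a unique password is silent. Pointing it at a real export means replacing `VAULT` with the parsed export; the fingerprints let the findings be shared or logged without exposing the passwords themselves.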

With GitHub, the site is the same, so password reuse is not much of a problem. With offline reuse for encryption, there is also not much of a problem.

The greatest threat of password reuse is, for example, that if you use the same password for Facebook and GitHub, Facebook has your GitHub password and vice versa. It is even worse with smaller disreputable companies.

In your case, the threat is password interception, whether they see you type it or use a keylogger, but this is not a big risk difference and it is up to you whether it is worth it to limit the extent.

Peter Harmann