Using different passwords on different sites is now commonly accepted as not only good practice, but it's actually necessary to keep your accounts safe. I'll review why and how to handle a plethora of passwords.


I keep hearing that I’m supposed to use a different password on every internet site where I have an account. What a pain! I can’t remember all of those passwords. Yeah, I know. You want me to use a password manager thing, but that seems like putting a bunch of really important things into a single basket. What if that basket gets hacked? I use a strong password, why isn’t that enough?
The hacks of several online services have brought this issue to light once again.

I’m sorry, but a single strong password just isn’t enough anymore. You must use different strong passwords on every site where you have an account – at least, every important site.

And yes, then you must devise a way to manage them all.

Let me run down an example scenario that’s causing all of this emphasis on multiple different passwords.
The all-too-common scenario
The scenario I'm about to describe is very common. The specifics won't match your situation exactly, but the concept is what matters: this is what can happen when your accounts are set up in ways similar to what I describe.

Let’s say you have an account at some online service that I’ll call service A. In addition, you have a Yahoo! account because you use Flickr, a Google account because you use Gmail and a number of other Google services, a Microsoft account because you have Windows, and we’ll throw in a Dropbox account because you’ve been listening to me recommend its use. You probably have other accounts that I haven’t listed here, but you get the idea. You have lots of accounts to a number of online services.

In most cases, you log in with an email address and a password. Even in cases where you log in with a user name, you'll also have to set up a recovery email address that is stored with or associated with the account.

You have a wonderfully strong password: 14 completely random characters that you’ve memorized.

And you use that same wonderfully strong password everywhere.

Here’s how it can go horribly, horribly wrong.
Anatomy of a hack
Service A has the best of intentions, but honestly, they don’t “get” security. Perhaps they store passwords in their database in plain text so anyone with access can see them. They do that because it’s easy, it’s fast, and it allows them to solve the problem quickly. They move on as they’re frantically trying to get their system up against some kind of deadline. They make the assumption that the database containing your password will be impenetrable.

Hackers love it when site designers make assumptions like that because, of course, the assumption is false.

One day, for any number of reasons, a hacker breaches site security and steals a copy of the customer/user database. The hacker walks away with a database that contains the following information for every user:

The login ID
The email address associated with the account
The password
Password hints
They can log in to your account on Service A. That may or may not be a big deal, depending on exactly what Service A is and how you use it.

But it opens a very dangerous door.
Password skeet shooting
The hackers then go hunting.

As most people have accounts on one or more of the major services that I mentioned, the hackers start trying the information from Service A as if it were the correct information for Gmail, Outlook.com, Yahoo, and even other services like Facebook, Twitter, Dropbox, and more.

They try your email address and password to log in to the email service that you're using.

They try your login ID and password (or that email address and password) on as many other services as they can.

And very often, it works. And the hackers have gained access to another account of yours that was completely unrelated to the security breach.

Unrelated, of course, except in that it used the same password.

If you use the same password everywhere, then a single leak of that password means that all your accounts are at risk. Hackers will be able to log in to your other online accounts as well. Maybe not all. Maybe only a few.

But a few is all it takes.
The weakest link
Note here that this has absolutely nothing to do with the security expertise of the sites where your account is eventually compromised. That Gmail, Outlook.com, Yahoo, and others have excellent security didn’t factor into this at all.
Service A was the weakest link. Their security wasn’t up to the task. Their database was breached. Their information was leaked. And with it your account information and password – the password you use everywhere – was exposed.

Service A was at fault.

But, honestly, so were you for using the same password everywhere.
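To make the two halves of this scenario concrete (Service A storing passwords in plain text, and one leaked password unlocking unrelated accounts), here is an added illustration in Python. It is not code from the article; the account records, the vault contents, and the site names are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed example (not from the original article): two ways a service can
# store a password, and a check of how far one leaked password reaches.


def store_plaintext(password: str) -> dict:
    """Service A's approach: the database row holds the password itself."""
    return {"scheme": "plaintext", "secret": password}


def store_hashed(password: str, iterations: int = 200_000) -> dict:
    """Salted PBKDF2-HMAC-SHA256: the row holds only a random salt and a hash,
    so a stolen copy of the database does not hand over the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"scheme": "pbkdf2", "salt": salt, "iterations": iterations, "hash": digest}


def verify(record: dict, attempt: str) -> bool:
    """Check a login attempt against either kind of stored record
    (constant-time comparison so timing does not leak partial matches)."""
    if record["scheme"] == "plaintext":
        return hmac.compare_digest(record["secret"].encode(), attempt.encode())
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(record["hash"], digest)


def password_visible_in_leak(record: dict) -> bool:
    """Would a stolen copy of this row reveal the password directly?"""
    return record["scheme"] == "plaintext"


def reuse_exposure(vault: dict, breached_site: str) -> list:
    """Given a user's site -> password map and the site whose database leaked,
    list every other site that the leaked password would also open.
    An empty list is the goal: a different password on every site."""
    leaked = vault[breached_site]
    return sorted(site for site, pw in vault.items()
                  if site != breached_site and pw == leaked)


if __name__ == "__main__":
    # Constructed vault: the same 14-character password reused on three sites.
    vault = {"service_a": "Xq7!mR2#vL9@pZ", "gmail": "Xq7!mR2#vL9@pZ",
             "dropbox": "hK4$nW8&bT1%yC", "yahoo": "Xq7!mR2#vL9@pZ"}
    print("also exposed:", reuse_exposure(vault, "service_a"))
```

Swapping the reused password for a unique one per site makes `reuse_exposure` return an empty list, which is exactly what the article's recommendation buys you.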
It shouldn’t be this way
I’ll happily admit that things like this shouldn’t happen.

But they do. Not terribly often, but often enough.

And most services are better at security than our fictional Service A.

But it's also not a black-or-white equation. Even large corporations that should know better, or that simply miss things, can put your information at risk. For example, a recent Adobe hack now appears to have the potential to expose the passwords of 130 million Adobe account holders. It's not as obviously stupid as storing passwords in plain text, but to security experts it comes surprisingly close.

I hate to say you can’t trust anyone, but ultimately … you shouldn’t trust anyone not to accidentally expose your password.

Using a different password on each site limits your exposure if any of those sites are compromised.
Managing lots of passwords
So it comes down to how best to manage a lot of different (and long and complex) passwords.

I still recommend LastPass and use it myself.

Doesn’t that put all my eggs in one basket?

Yes, it does. But it’s a very good basket. And I’ve taken additional steps to ensure that it stays that way.

I talk about LastPass in more depth in LastPass – Securely keep track of multiple passwords on multiple devices, but I’ll highlight two important reasons I consider LastPass secure:

The people at LastPass don’t know your master password. They couldn’t tell you what it is if they wanted to. The result is that they cannot access your data at all. All they can see is the encrypted data. And even if a hacker were to somehow gain access to their databases, which has never, ever happened, the hacker would also be unable to decrypt and view your information – LastPass does encryption right. Decryption happens locally on your machine – that means that the only thing ever transmitted between your computer and LastPass is the encrypted data.
In addition to using a strong password (of course), LastPass supports two-factor authentication, and I’ve enabled it on my account. If you somehow get my master password, you’d still need my second factor in your possession to be able to unlock my LastPass vault.
Ultimately, it’s up to you. There are several password managers out there, but LastPass is the one I trust.
The very short bottom line
My recommendation remains:

Use long, strong passwords. 12 characters minimum, randomly generated (there are several tools available, including one in LastPass).
Use a different password for every login account you have. Every one.
Use a password manager like LastPass to keep track of them all for you.
Use a strong password or pass phrase on LastPass itself.
Consider enabling two-factor authentication on LastPass for additional security of that very important basket of information.