Why you should never reuse passwords

How many online accounts do you have? You probably had to stop reading in order to go through the list in your head, right? So you probably have quite a few. Now, how many passwords do you have? It was probably quicker for you to find the answer to that second question. That tells us that you’re likely using the same passwords for multiple services/accounts.

You probably already know that using the same password on multiple accounts is a bad idea. But let me just reiterate that: using the same password on multiple accounts is a bad idea. It’s now confirmed. And the topic of this article is to discuss why that is and what we can do about it.

Why do we tend to reuse the same passwords?

We know why people tend to do it. The reason is exemplified above: with so many accounts, if we were to use a unique password for each one, we’d quickly end up with an unmanageable list of passwords that we could never remember. And so we reuse the same ones.

Worse, because we want to be able to remember our passwords, we tend to use weak passwords, which are the easiest to remember.

So we choose weak and easy-to-remember passwords and then reuse those passwords on multiple accounts. All this because our brains aren’t very good at retaining abstract and complex strings of nonsensical information (as a strong password should be). But we’re great at retaining simple and meaningful (to us) patterns, such as weak passwords like “Snuffles1206” (the name and birth date of your dog, for instance).

What are the risks of reusing the same passwords?

Credential stuffing is the name of an automated attack that takes the compromised credentials from one leak/site and uses them to break into user accounts from other services/sites that use the same username and password. A credential stuffing attack can make hundreds of attempts on dozens of websites in a matter of minutes.

Passwords are typically obtained by cybercriminals through data breaches and phishing.

Say I use the same password to sign up on website A and on website B because it’s easier for me to remember. Then, say a week later, my credentials for website B are compromised. Well, website A isn’t any safer than website B. And if my attacker is smart, they’ll try my credentials on website A and several other sites.

Worse, even if I’m eventually notified from website B that my credentials are compromised (I may never be notified), there’s a good chance I won’t think about website A, or C, or D, etc. even though they’re all compromised.

Real-world examples

  • In November of 2019, Ars Technica reported that a number of user credentials from VPN provider, NordVPN, had leaked online. Shortly after, the breach notification service “Have I Been Pwned” reported upwards of 10 lists of compromised NordVPN user credentials. All of the compromised passwords were very weak. And they were all obtained through credential stuffing. Hackers never had to break into NordVPN’s systems to steal passwords, they just had to guess using login credentials from previous leaks. 
  • Again, in November 2019, just a few days after the launch of Disney’s new streaming service, Disney+, evidence started appearing that it fell victim to a credential stuffing attack. Hundreds of subscribers took to Twitter detailing how they were being logged out of their accounts and having their username and password changed. Just four days after the launch of the service, thousands of Disney+ accounts had already been compromised, according to zdnet.com.
  • In April of 2020, as reported by Forbes, Zoom was hit with a credential stuffing attack that compromised 500,000 user accounts. In this instance, security researchers from intsights.com found that the attackers used old databases of compromised passwords sold on online hacker forums and dark web markets. Some of the databases dated back to 2013.

There’s no shortage of nice folks on the internet who want a piece of your personal information. The fact that we’re quite bad at remembering strong passwords opens up an online attack vector. The endgame is fraud – typically for financial gain.

So what can we do to at least minimize our vulnerability to credential stuffing attacks?

Use strong, unique passwords 

Once any of your credentials are compromised, you’re vulnerable to credential stuffing. And, as I mentioned above, this is true regardless of how your credentials were compromised. Using strong passwords will protect you from some of the tactics used to obtain them.

If you use weak passwords that are tied, in one way or another, to your identity and lifestyle, they could be rather easy to crack with a dictionary attack. A dictionary attack uses specialized software that leverages huge lists of commonly used passwords, and cycles through them in quick succession in an attempt to “guess” your password for a given account or service. Most dictionary attacks today take into account many commonly-used password generation techniques, such as substituting numbers for similar-looking letters. Don’t think you can outsmart the machine. Odds are that if you use a weak password, it can be cracked with a dictionary attack.

A strong password consists of a long string of random characters or a long string of random words – neither of which should have anything to do with you and your lifestyle. So the above example of “Snuffles1206” is a good example of a really bad password. Especially if you have a bunch of photos of the birthday party you had for your beloved pet on your Facebook page (don’t laugh, some do…).

So avoid anything meaningful: names, dates, favorite things (albums, foods, sports teams, etc.). Other good password tips are to use at least 12 characters and employ a mix of both lower and uppercase letter, numbers as well as symbols.

You may find our Password generator tool useful.

OK, so you’re convinced: strong passwords are better than weak ones. But now you’re wondering: if our brains are so bad at retaining abstract, nonsensical strings, how am I going to remember all of these complex passwords?

Good point. But there is a way…

Use a password manager 

Of course, you won’t be able to remember all of those strong, random passwords. That’s why you’ll need to use a password manager.

A password manager is an application that stores, and usually encrypts, your passwords. These apps are typically protected with a master password, which, once entered, unlocks the vault and gives you access to all of the passwords you stored in it.

So with a password manager, you can set up very complex passwords without having to remember them all. The only one you need to keep in memory is the master password. And of course, you should choose a very strong password as your master password. While our brains may not be great at remembering this type of information, with a small amount of effort, remembering one is manageable.

Another good reason to use a password manager is that most of them include a password generator that can generate strong passwords, following the guidelines we discussed above, automatically for you.

There are many different password managers out there. Some are open-source, others are proprietary. Some are cloud-based, others store the passwords locally on your device.

So which one should you choose? That’s a debate that exceeds the scope of this article. But I would recommend using an open-source, local password manager. KeePass comes to mind. It’s open-source and stores the passwords in a local, on-device database. And there are many forks out there being actively developed and maintained.

See also: Best password managers

Use a disposable email address when signing up to services

Many online services, if not most, will ask to use your email address as your username. One benefit of this (or should I say, the only benefit of this) is that it’s easy for you to remember.

But your email address is a valuable piece of information. If I’m up to no good and I end up obtaining your credentials, and that part of those credentials is your email address, my reward is even better.

If I obtain your email address, I can potentially hack into your email account and get even more information about you, your lifestyle, and your entourage. Additionally, email is often used for two-step verification codes and password recovery links. Your email is a gold mine for identity thieves.

A good way to limit at least some of the damage if your credentials are ever compromised is to use a disposable email address when signing up for a service.

Some disposable email address services are standalone. By standalone, I mean that you simply go to the disposable email website, and as soon as the page loads in your browser, your disposable email is listed and you are in its inbox. You can go ahead and use that email address to sign up for whatever service you’re looking to sign up to. And you’ll receive the confirmation email, with verification links or access code or whatever in it, right in the disposable email inbox. Once you’re signed up to whatever service you were looking to sign-up for, you can discard the email address and you’re done.

An example of such a service is 10minutemail.com. The email accounts automatically expire after 10 minutes. But you can extend them for an extra 10 minutes, indefinitely. Another one is Mailinator, which lets you create your own @mailinator disposable address that won’t automatically expire after a set period of time. But all of the mailinator inboxes are public, meaning that anyone with your disposable email address can access its inbox.

This is great for privacy. The only downside is that with this type of service, you can’t send any emails from the disposable address, you can only receive them. So if you need to communicate with the service provider, this may not be the best option for you. 

Other disposable email services are linked to your actual email address and act as an alias for your email. They essentially forward your emails from their disposable email to your actual email address. You’ll receive the emails addressed to the disposable email in your regular inbox. You can also reply to messages, and the recipient will only see the disposable email address.

An example of this type of service would be E4ward.

Using a disposable email address will enhance the security of your accounts and limit the damage if your credentials are ever breached.

Enable two-factor authentication

Another way to protect yourself against credential stuffing is to enable two-factor authentication wherever you can.

Two-factor authentication (2FA) enhances the security of your accounts by requiring more than just a password for access. 2FA requires something you know, such as a password, and also requires something you have, such as a mobile phone or a token generator as well, in order to grant access.

So with 2FA, if you’re looking to log into one of your accounts, you’ll be prompted for your password, as you normally would be. But on top of that, once you’ve entered your password, you’ll be prompted for a token or one-time password (OTP). These are typically obtained via text message, through authenticator apps like Google Authenticator or Authy, or using a token device that’s been set up for the service you’re trying to access. Token devices and authenticator apps are more secure than text messages, but not all platforms support them just yet. So you would likely be receiving your OTP via SMS for the time being, which is still better than via email.

It’s only after you’ve entered the token that you’ll be granted access to your account.

This greatly hinders an attacker’s ability to compromise your credentials because they would need to intercept your token after they’ve obtained your username and password. In many instances, 2FA makes this unfeasible or at least not worth the time and effort it would take. It’s still possible to compromise an account protected with 2FA but it raises the complexity of the attack to the point that most attackers will simply turn to accounts that don’t have 2FA enabled.

Allow user controls over password resets

The main reason that users reuse simple passwords is that there is so much demand for digital systems that creating unique passwords for every application in common usage would require a photographic memory to master. While generated passwords and password lockers are great for a single interface, such as a standard browser, the automatic filling of passwords fails when an application provides a range of access interfaces. Users can’t recall or accurately type in a generated password made up of random characters.

The requirement to contact a Help Desk to get a password reset makes users reluctant to use complicated passwords because they don’t want to establish a reputation of being that idiot who keeps forgetting the password. A self-service system for requesting password resets gives the users the confidence to cooperate with password strength requirements. The risk that hackers could use the on-demand resets to take control of user accounts is reduced by the use of multi-factor authentication that should be governed by an initial setup that can only be performed from a designated device within the business’s premises.

An example of a suite of password management systems that coordinate to support user controls while blocking password cracking attempts is ManageEngine ADSelfService Plus. This system adds in alerts for excessive failed login attempts, which makes a self-service password management system safe to implement when combined with 2FA. The best way to examine this service would be to access the ADSelfService Plus 30-day free trial.

ManageEngine ADSelfService Plus Start 30-day FREE Trial

Wrapping Up

So what do we come away with here?

Reusing the same passwords for multiple accounts is bad practice because it opens you up to credential stuffing attacks, which take leaked credentials from one site/service and use them on other sites/services. 

It’s as if you had multiple houses and used the same lock and key for all of them. If you were to ever lose your keys, all of your houses would be vulnerable.

Tips to avoid password hacking:

  • Use strong passwords that aren’t related to you or your lifestyle and that can’t be easily guessed.
  • Use a unique password for every account.
  • Use an open-source, on-device, password manager to store your complex passwords without having to remember them (except the password to the password manager itself).
  • Use a disposable email address when signing up for online services, in order to limit the damage if your credentials are ever compromised.
  • And enable two-factor authentication on every account that supports it.

None of these tips will grant you immunity to credential stuffing attacks. But if you follow all of these tips, you’ll have reduced the odds of you falling victim to a credential stuffing attack to something slightly more in your favor. And you’ll be able to shop, bank, and learn online with more security and peace of mind (and watch Youtube videos of water-skiing squirrels).