For each website, app, or service you use, you should use a separate password. This post explains why.

When you sign up for an online service or a mobile app, you are often asked to register with a username and password. For many services, the username is your email address. Other services ask you for a username, but then also ask for your email address to be used as a recovery mechanism in case you get locked out of the service.

An attacker may compromise one service by hacking its website, gaining access to the list of usernames and protected passwords. Depending on how the passwords have been protected, if at all, and how long your password is, the attacker may be able to determine your password. The attacker then tries out your email address and password combination on dozens of websites simultaneously. This may lead to your accounts being accessed on multiple websites.

Websites such as facebook.com now take security seriously. Users who use the same password on multiple sites provide a way for attackers to take over their account that Facebook can’t prevent. If you have used the same password on multiple sites, then you are relying on the security of the weakest, most poorly funded site to keep all of your accounts on the other websites secure.

What you should do:

  • Have a different password for each website.
  • Use a password manager to store your username and password details.
  • If offered, use a two-factor authentication mechanism (a code sent via text message, for instance).
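
To see how far one breached site reaches into your own accounts, the following added example (not part of the original post) audits a password manager export for reused email and password combinations. The CSV column names and the sample entries are assumptions constructed for illustration; real exports differ by product.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample export. Column names (site, username, password) are
# assumptions; adjust them to match your password manager's CSV format.
SAMPLE_EXPORT = """site,username,password
forum.example,alice@example.com,Tr0ub4dor&3
shop.example,alice@example.com,Tr0ub4dor&3
bank.example,alice@example.com,k9#Vq2!xLm7Pz
mail.example,Alice@Example.com,Tr0ub4dor&3
news.example,alice.alt@example.com,Tr0ub4dor&3
"""


def load_entries(text):
    """Parse the CSV export into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def _pair_key(entry):
    # Group on the login + password pair, which is what gets replayed on
    # other sites. The digest only keeps plaintext out of the grouping keys
    # and the report; it is not a password storage scheme.
    digest = hashlib.sha256(entry["password"].encode("utf-8")).hexdigest()
    return (entry["username"].strip().lower(), digest)


def reuse_groups(entries):
    """Return lists of sites that share the same login and password."""
    groups = defaultdict(list)
    for entry in entries:
        groups[_pair_key(entry)].append(entry["site"])
    return sorted(sorted(sites) for sites in groups.values() if len(sites) > 1)


def exposed_by_breach(entries, breached_site):
    """Sites whose login would work with credentials taken from breached_site."""
    leaked = {_pair_key(e) for e in entries if e["site"] == breached_site}
    return sorted(e["site"] for e in entries
                  if e["site"] != breached_site and _pair_key(e) in leaked)


if __name__ == "__main__":
    entries = load_entries(SAMPLE_EXPORT)
    for sites in reuse_groups(entries):
        print("Same login and password on:", ", ".join(sites))
    for site in sorted({e["site"] for e in entries}):
        print(f"Breach of {site} exposes: {exposed_by_breach(entries, site) or 'nothing else'}")
```

With one password per site, every line of the second report reads "nothing else". Delete the export file once the audit is done, since it holds every password in plaintext.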