We are often told that re-using passwords is dangerous. The idea is simple: if criminals steal your password from one website, they will try to use it on your other online accounts (a technique known as credential stuffing). One of those could be a really important account, like your email.
We know we should use a different password for every online service. We also know that most of us re-use passwords, because it's impossible to remember a different password for each service, especially if those passwords also need to be long and random.
So although it's unrealistic to expect people not to re-use passwords:
- there are some scenarios where you should never re-use passwords
- there are some scenarios where the risk of re-using passwords is pretty low
- there are some good ways to store passwords (which can help you to avoid re-using passwords)
Let's look at these three points in more detail.
When should you never re-use passwords?
Never re-use passwords across important accounts. These are the 'high value' accounts that protect the things you really care about, and whose loss would cause you the most harm if their passwords were stolen. As well as using a separate password for each of them, you should also set up two-factor authentication (also called two-step verification) in the security settings for each.
Email is an especially important account, as it can be used to manage all of your other passwords (and to request password resets). It also contains a lot of personal information that a criminal can exploit. Your other important accounts might include:
- online banking and online payment services
- platform accounts (like Apple, Microsoft or Google)
- federated ID (where you log into one account using the credentials from another, usually Facebook or Google)
- any account that you would be devastated to lose (for example your favourite social media accounts)
When is it less risky to re-use passwords?
It's less risky to re-use passwords across accounts where you feel you could easily replace the account, and it wouldn't hurt you (or others) if someone else had access to it. This could be because:
- the account has very little personal data
- the account can't be used to spend your money
- the account doesn't contain any personal information about other people
- there is no expensive or irreplaceable content (like photos, music, games etc)
Crucially, if criminals steal one of these 'low value' passwords, it would only give them access to other low value accounts that share the same password. Your high value accounts, all of which should have unique passwords, would still be protected.
What about all my other accounts?
You may also have accounts that fall somewhere between the two groups above. This might include social media and shopping websites. The important thing here is to make sure that you don't re-use these passwords with those used to protect your really important accounts. If you're struggling to avoid re-using passwords across these types of account, keep reading.
How to avoid re-using passwords
Here are three simple ways to help you avoid re-using passwords.
1. Use a password manager
Saving your passwords in an up-to-date browser, or in a dedicated password manager product, will reduce the number of passwords you need to memorise. Some password managers will generate random passwords for you, so you don't need to spend time making up new ones. This allows you to have a unique and random password for every account, with only one (very important) master password to remember.
However, using password managers does not solve all your problems:
- Password managers are attractive targets in themselves. So all your passwords could get stolen in one go.
- You can't use them everywhere. We believe that services and workplaces should allow secure storage for your passwords, but not all of them do. For these passwords you should follow your workplace policies or the terms and conditions of the service and not use a password manager.
For these reasons you may decide not to put your most important passwords into a manager. You can read more information about where and when to use password managers on Emma's blog.
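The rule in the sections above (a high-value password must never be shared with any other account, while re-use among low-value accounts is tolerated) and the random generation a password manager does for you can both be shown in code. The following is an added example written for this page, not an NCSC tool or the code of any password manager. It audits a small constructed vault (the account names, categories and passwords are invented), flags every password group that includes a high-value account, and replaces those passwords with fresh random ones from Python's `secrets` module so that the audit comes back clean.

```python
import math
import secrets
import string
from collections import defaultdict

# Constructed sample vault: (account, category, password). The passwords are
# throwaway illustrations invented for this example, not real credentials.
SAMPLE_VAULT = [
    ("email", "high", "correct-horse-battery"),
    ("bank", "high", "correct-horse-battery"),      # shares the email password: must be flagged
    ("social", "medium", "correct-horse-battery"),  # shares a high-value password: must be flagged
    ("shop", "medium", "shop-pass-1"),
    ("forum", "low", "throwaway123"),
    ("newsletter", "low", "throwaway123"),          # low/low re-use: tolerated by the rule above
]

# 94 printable ASCII characters (letters, digits, punctuation).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def find_risky_reuse(vault):
    """Group accounts by password and flag every group that contains a
    high-value account. A high-value password must be unique, so any second
    account on it (high, medium or low) is a finding. Groups with no
    high-value member are the lower-risk re-use the page tolerates.
    Returns a sorted list of tuples of account names."""
    by_password = defaultdict(list)
    for account, category, password in vault:
        by_password[password].append((account, category))
    findings = []
    for members in by_password.values():
        if len(members) > 1 and any(cat == "high" for _, cat in members):
            findings.append(tuple(sorted(acct for acct, _ in members)))
    return sorted(findings)


def generate_password(length=20, alphabet=ALPHABET):
    """Generate a random password with the CSPRNG behind the secrets module,
    as a password manager would; nobody has to memorise it."""
    if length < 12:
        raise ValueError("too short for a randomly generated password")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet=ALPHABET):
    """Guessing entropy of a uniformly random password of this length."""
    return length * math.log2(len(alphabet))


def fix_risky_reuse(vault, length=20):
    """Return a copy of the vault in which every account in a flagged group
    gets its own fresh random password. Tolerated low/low re-use is left as is."""
    flagged = {acct for group in find_risky_reuse(vault) for acct in group}
    fixed = []
    for account, category, password in vault:
        if account in flagged:
            password = generate_password(length)
        fixed.append((account, category, password))
    return fixed


if __name__ == "__main__":
    for group in find_risky_reuse(SAMPLE_VAULT):
        print("re-use involving a high-value account:", ", ".join(group))
    cleaned = fix_risky_reuse(SAMPLE_VAULT)
    print("remaining findings after fixing:", find_risky_reuse(cleaned))
    print(f"a 20-character random password has about {entropy_bits(20):.0f} bits of entropy")
```

Run it and the only finding is the group bank, email, social; forum and newsletter share a password but are both low value, so the rule leaves them alone. After `fix_risky_reuse` the audit returns nothing, and the low-value pair is untouched. The entropy figure (about 131 bits for 20 characters from a 94-character alphabet) is why a manager-generated password can be long and random without being memorable: nobody is meant to remember it.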
2. Write your passwords down (and store them securely)
Most cyber criminals will attack from far away and can't access handwritten passwords stored in your home. So you can write down your passwords, provided that:
- you've checked that your service provider doesn't forbid this
- you're not worried about the people around you accessing your account (like housemates or children)
- you store them somewhere safe, out of sight, and (most importantly) away from your device
Writing down your passwords - and storing them securely - allows you to choose passwords that are unique and strong, as you don't need to memorise them. It's less useful for those passwords that you need to use regularly, or that you need to access when you're not at home.
3. Make your accounts less valuable to attackers
OK, this doesn't help you avoid re-using passwords, but it can make re-using passwords less dangerous. We know that re-using passwords is more dangerous for valuable accounts. So try making accounts less valuable.
For example, if you need to create an account in order to access an online retailer's website, only enter the minimum details required. Don't save your credit card details (unless you are going to use that site regularly). By doing this, the account remains in your 'low value' category, as it can't be used to spend your money. If you re-use a password from other 'low value' accounts, an attacker with a stolen password can't get any new information (or money) from this new account.
Where do I start?
We realise there's a lot of information to take in here. However, you don't need to organise all of your passwords straight away. You can make small steps, and every step will help.
Here is what the NCSC recommend you prioritise:
- If you have re-used your email password, change this one as soon as possible. And make it a good one. Your other important accounts can be done when you have some time (don't forget!)
- Make sure you use a lock screen on any device where your passwords are saved.
- Spend a few free minutes setting up two-factor authentication on an important account. It can be as easy as entering your phone number or installing an app (an authenticator app is more robust than codes sent by text message, but either is far better than nothing). Again, start with your email and do the others when convenient.
- Sometimes you'll have to reset passwords anyway. Use this as an opportunity to decide if this is an 'important' account, if it needs a unique password and if it can be safely stored.
- Once you've decided how you want to store your passwords, start moving them out of your brain whenever it's convenient (and allowed). For example, password managers and browsers usually offer to save passwords for you. So save passwords whenever you are logging into websites or creating new accounts anyway.
- Get into the habit of using a different password every time you make a new account (or are forced to reset an old one).
- If a password is going straight into a manager, you can make it long and random (because you don't have to remember it).