Blog post

Living with password re-use

Created:  24 Aug 2017
Updated:  24 Aug 2017
Author:  Kate R

We are often told that re-using passwords is dangerous. The idea is simple; if criminals steal your password from one website, they will try and use it on your other online accounts. This could be a really important account, like your email.

We know we should use a different password for every online service. We also know that most of us re-use passwords, because it's impossible to remember a different password for each service, especially if those passwords also need to be long and random. 

So although it's unrealistic to expect people not to re-use passwords:

  • there are some scenarios where you should never re-use passwords
  • there are some scenarios where the risk of re-using passwords is pretty low
  • there are some good ways to store passwords (which can help you to avoid re-using passwords)

Let's look at these three scenarios in more detail.


When should you never re-use passwords?

Never re-use passwords across important accounts. These are the 'high value' accounts that protect the things you really care about, where a stolen password would cause you the most harm. As well as using a separate password for each of them, you should also set up Two Factor Authentication (also called Two Step Verification) in the security settings for each.

Email is an especially important account, as it can be used to manage all of your other passwords (and to request password resets). It also contains a lot of personal information that a criminal can exploit. Your other important accounts might include:

  • online banking and online payment services
  • password managers
  • work accounts
  • cloud storage
  • platform accounts (like Apple, Microsoft or Google)
  • federated ID (where you log into one account using the credentials from another, usually Facebook or Google)
  • any account that you would be devastated to lose (for example your favourite social media accounts)


When is it less risky to re-use passwords?

It's less risky to re-use passwords across accounts where you feel you could easily replace the account, and it wouldn't hurt you (or others) if someone else had access to it. This could be because:

  • the account has very little personal data
  • the account can't be used to spend your money
  • the account doesn't contain any personal information about other people
  • there is no expensive or irreplaceable content (like photos, music, games etc)

Crucially, if criminals steal one of these 'low value' passwords, it would only give them access to other low value accounts that share the same password. Your high value accounts, all of which should have unique passwords, would still be protected.

What about all my other accounts?

You may also have accounts that fall somewhere between the two groups above. This might include social media and shopping websites. The important thing here is to make sure that you don't re-use these passwords with those used to protect your really important accounts. If you're struggling to avoid re-using passwords across these types of account, keep reading.


How to avoid re-using passwords

Here are three simple ways to help you avoid re-using passwords.


1. Use a password manager

Saving your passwords in an up-to-date browser, or in a dedicated password manager product, will reduce the number of passwords you need to memorise. Some password managers will generate random passwords for you, so you don't need to spend time making up new ones. This allows you to have a unique and random password for every account, with only one (very important) master password to remember.

However, using password managers does not solve all your problems:

  • Password managers are attractive targets in themselves. So all your passwords could get stolen in one go.
  • You can't use them everywhere. We believe that services and workplaces should allow secure storage for your passwords, but not all of them do. For these passwords you should follow your workplace policies or the terms and conditions of the service and not use a password manager.

For these reasons you may decide not to put your most important passwords into a manager. You can read more information about where and when to use password managers on Emma's blog.


2. Write your passwords down (and store them securely)

Most cyber criminals will attack from far away and can't access handwritten passwords stored in your home. So you can write down your passwords, provided that:

  • you've checked that your service provider doesn't forbid this
  • you're not worried about the people around you accessing your account (like housemates or children)
  • you store them somewhere safe, out of sight, and (most importantly) away from your device

Writing down your passwords - and storing them securely - allows you to choose passwords that are unique and strong, as you don't need to memorise them. It's less useful for those passwords that you need to use regularly, or that you need to access when you're not at home. 


3. Make your accounts less valuable to attackers

Ok - this doesn't help you avoid re-using passwords, but it can help make re-using passwords less dangerous. We know that re-using passwords is more dangerous for valuable accounts. So try making accounts less valuable.

For example, if you need to create an account in order to access an online retailer's website, only enter the minimum details required. Don't save your credit card details (unless you are going to use that site regularly). By doing this, the account remains in your 'low value' category, as it can't be used to spend your money. If you re-use a password from other 'low value' accounts, an attacker with a stolen password can't get any new information (or money) from this new account.


Where do I start?

We realise there's a lot of information to take in here. However, you don't need to organise all of your passwords straight away. You can make small steps, and every step will help.

Here is what the NCSC recommend you prioritise:

  • If you have re-used your email password, change this one as soon as possible. And make it a good one. Your other important accounts can be done when you have some time (don't forget!)
  • Make sure you use a lock screen on any device where your passwords are saved.
  • Spend a few free minutes setting up two-factor authentication on an important account. It can be as easy as entering your phone number or installing an app. Again start with your email and do the others when convenient.
  • Sometimes you'll have to reset passwords anyway. Use this as an opportunity to decide if this is an 'important' account, if it needs a unique password and if it can be safely stored.
  • Once you've decided how you want to store your passwords, start moving them out of your brain whenever it's convenient (and allowed). For example, password managers and browsers usually offer to save passwords for you. So save passwords whenever you are logging into websites or creating new accounts anyway.
  • Get into the habit of using a different password every time you make a new account (or are forced to reset an old one).
  • If a password is going straight into a manager, you can make it long and random (because you don't have to remember it).

10 comments

Steven Murdoch - 28 Aug 2017
Thanks for this very helpful post. I think the advice is very sensible and I particularly like the recognition that writing down passwords is a good option in certain situations. I did note that the post advises following rules set by employers and service providers in preference to the guidance here. I can certainly understand the reason for this decision, as wilfully failing to comply with workplace or service terms and conditions can result in liability for the individual. However when employer/service rules conflict with getting your job done or leading a normal life (e.g. long passwords, not written down or stored in a password manager), inevitably people will violate them, creating a Catch-22 situation. I'd prefer shifting liability to the party which sets unworkable rules. Perhaps a topic of another blog post?
Kate R - 04 Sep 2017
The average user may have to comply with conflicting security rules (which they cannot influence), set by different organisations, with different levels of maturity. The post above recognises this reality, and suggests techniques to help users make the best of the world as it is. The NCSC agree that unworkable policies should be changed in the interests of better security, as discussed in an earlier blog (https://www.ncsc.gov.uk/blog-post/security-breaches-communication-what-are-your-users-telling-you ). We're encouraging organisations to think about security more holistically, but changes to make this happen take time and resources to implement.
Alice - 29 Aug 2017
It's great to see you pushing pragmatic advice like this. But there are lots of UK gov sources like CyberAware and Get Safe Online saying the opposite advice for citizens. Are you getting them to change?
Kate R - 01 Sep 2017
Hi Alice. Thank you for your comment. As always we continue to work with government departments and our industry partners to ensure their future guidance takes into account the coping strategies that we all use in order to manage the huge number of passwords used on a day-to-day basis. We work closely with CyberAware and our password advice is consistent. CyberAware recommends separate passwords for your most important accounts especially email – just as our blog recommends.
Manase - 12 Sep 2017
I love how practical and realistic this is. Embracing password managers and not using it on non-personal websites/accounts. However I have concerns with writing down passwords, the average person thinks putting a password book under their mattress is a safe place, nonetheless, this is a great piece!
Kate R - 12 Sep 2017
Hi Manase, I'm glad you liked the blog. Whether a book under the mattress is a safe place or not depends on who you are protecting it from. Cyber criminals won't break into your home to steal passwords when there are much easier ways for them to get them online. Of course, if you are more worried about someone you live with (e.g. your kids using your accounts to buy things online) then a password book may not be a safe place for your passwords. It's important to remember that no method of password protection is guaranteed foolproof - on balance, we think having different, long passwords and writing them down (however you do it) is undoubtedly better than using the same password everywhere, or trying to remember too many different ones.
Toby - 19 Sep 2017
"if you are more worried about someone you live with (e.g. your kids using your accounts to buy things online)" Ah, you always have to be watchful for the insider threat.
Tony Smith - 19 Sep 2017
Great article. Don't forget the dangers of storing passwords on shared devices.
Tom P - 19 Sep 2017
Could you post a list of password managers that are good/safe to use?
Kate R - 19 Sep 2017
Hi Tom. We’re currently working on more detailed password manager guidance – look out for this soon!
