If You Use The Same Password For Different Websites, We Have Some Bad News For You

Everyone knows that they shouldn’t use the same password for every website, but how many of us actually follow that rule?

Not many, according to a Forbes report, which found that more than 70% of people use the same password for multiple logins.

It’s certainly tempting to use the same password again and again — who really has the capacity to remember different passwords for all of the sites and apps you use? But while it’s certainly easier in the short term to use the same passwords all the time, it poses some serious security risks in the long run.

Here’s why experts say you really shouldn’t reuse passwords:

Using the same password again and again makes it easy for hackers to access multiple accounts.

According to Alex Hamerstone, the advisory solutions director for TrustedSec, an ethical hacking company, if he were to set up a website that required people to create usernames and passwords to log in, he’d then be able to see each user’s username and password.

“You may think, ‘well, OK, Alex has my password, he can get into that site,’ [but] the problem is, most users reuse passwords. So I can take all those usernames and passwords that I gather … and then use a program to try those same usernames and passwords on every website out there,” he said.

This means banking sites, airline frequent flyer sites, email accounts, social media pages and more. Additionally, if a website or app is breached, hackers can collect username and password info and then try those username and password combos on other sites.

“And you will get into tons of them, because people … use the same password across multiple sites,” Hamerstone said.

It’s not good enough to just change your password slightly.

Raise your hand if you’ve ever just added a number or exclamation point to the end of your go-to password to make your log-in just a little different. (I know it’s not just me.)

While this may mean your password isn’t technically the same as passwords for other sites, it’s still too close, said Vahid Behzadan, an assistant professor of cybersecurity and networks at the University of New Haven in Connecticut.

“There’s a predictable pattern in [those] passwords, which, unfortunately, doesn’t provide a significant advantage over unique passwords,” Behzadan said.

“Patterns, such as numbers at the end of the password or predictable sequences of characters, can be easily discovered through automated means,” he continued. “An attacker that is in the business of stealing credentials already has the tools that automatically check for those patterns.”
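The sketch below is an added example, not code from the article or from the experts quoted. It shows how a password-change form could reject a new password that is only a slight variation of the old one. The function names, the substitution table and the 0.8 similarity threshold are assumptions chosen for illustration.

```python
import difflib

# Characters people commonly tack onto the start or end of a reused password.
PADDING = "0123456789!?.#*_-"

# Common look-alike substitutions, undone before comparing (assumed table).
LOOKALIKES = str.maketrans({
    "@": "a", "4": "a", "0": "o", "1": "i", "!": "i",
    "3": "e", "$": "s", "5": "s", "7": "t",
})


def base_form(password: str) -> str:
    """Reduce a password to the word or phrase it was built from."""
    core = password.strip(PADDING)            # drop digits/symbols at the ends
    return core.lower().translate(LOOKALIKES)  # undo case and look-alikes


def is_trivial_variant(new: str, old: str, threshold: float = 0.8) -> bool:
    """True if `new` is the old password with predictable tweaks applied."""
    # Fall back to the raw text if stripping left nothing (e.g. "12345").
    a = base_form(new) or new.lower()
    b = base_form(old) or old.lower()
    if a == b:
        return True
    # Catch near-misses such as one added or dropped letter.
    return difflib.SequenceMatcher(None, a, b).ratio() >= threshold


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    old = "Sunshine!"
    for candidate in ["Sunshine1!", "Sunsh1ne2024", "kT9#vLq2Zr!xW4pB"]:
        verdict = "reject" if is_trivial_variant(candidate, old) else "accept"
        print(f"{candidate!r}: {verdict}")
```

The check runs at the moment of a password change, when the user has just typed both the old and the new password, so nothing needs to be stored in plaintext.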

Instead of using the same password over and over, use a password manager to remember your passwords and to ensure that they’re strong.

Multi-factor authentication and password managers can help keep your accounts safe.

One option for maximum password security is using a multi-factor authentication tool.

You probably have it turned on for some apps already, like for banking apps and email logins. Multi-factor authentication is, essentially, secondary verification via a text message or authenticator app, Behzadan explained. It can also be a fingerprint or facial recognition, according to Hamerstone.

“This is slightly more cumbersome because it requires an additional step in authentication, but it’s generally highly effective,” Behzadan said.

Both experts also said password managers are a great way to bolster your cybersecurity.

These “are software solutions that can automatically generate unique, random-looking passwords for new accounts that you are creating or your older accounts,” Behzadan said. “They store those passwords securely so that whenever you need to log in, you can retrieve them directly from the password manager software without even having to know what the password is. This is one of the more effective solutions to the problem of password management.”

If you’re concerned about someone hacking into your password manager, you’re not alone. That’s a common fear, but Hamerstone said it’s very rare for password manager breaches to occur.

“In general, it’s a much better alternative than trying to remember a ton of passwords,” said Hamerstone.

There are lots of password managers out there, but NordPass, 1Password and RoboForm are three popular ones.

When creating passwords, make them long and complicated.

You should use strong, complex passwords for all sites and apps (or for your password manager, if you use one).

According to Hamerstone, a few things go into making a good password. First, it should be long ― think around 20 or so characters. To create a long password you’ll actually remember, he recommends using phrases, like song lyrics, instead of a single word and characters. He also recommends that you create your own rules, like putting a period between every word or using “@” instead of the letter “a.”

Hamerstone added that he knows not everyone will use complicated, unique passwords for every site and app, but he stressed that it’s important to do so at least for the most important accounts like email and banking, as well as for your password manager.

If you do get hacked, know it’s not your fault.

You should be able to use the same passwords and usernames for all of the websites and apps you use. The fact that hackers make it their mission to break into your personal accounts isn’t your fault.

Hamerstone said he frequently sees mean comments on articles about hacking that blame the victim, and those comments really aren’t fair.

“Scammers are professionals. This is what they do, and they’re extremely good at what they do,” Hamerstone said. “If you fall victim to a scam, make sure you report it. A lot of people don’t report these things out of embarrassment, but you should absolutely report it. … You’re the victim of a crime and you shouldn’t be embarrassed.”

It’s also important to know that nothing is 100% secure. “There’s always ways around things,” Hamerstone said. “The longer something’s around, the more likely that malicious people will find some way to break it.”

You can take all of the steps above to protect your accounts and still get hacked — but the tips above will make it much less likely.
