Reusing Passwords Is The Worst, But It’s Easy To Fix

Last year, my father got hacked out of $2,000 when hackers accessed his Coinbase account and stole his Bitcoin. His computer had not been compromised and Coinbase hadn’t either, so he didn’t understand how hackers were able to know his password.

I asked him: do you use the same password on other websites? Yes, he answered.

Reusing passwords is the single most harmful habit for your online security. Hackers regularly breach websites to steal user credentials, and there is nothing you can do to prevent that. They then try the same email/password combinations on other websites, and that is how they get into your most precious accounts. Your only defense is to use strong and, more importantly, unique passwords for each website. To achieve that, you need a secure place to store passwords other than your own memory.

A 2019 Google survey found that 69% of people give themselves an A or B when it comes to protecting their online accounts. Yet 65% also reuse the same password for multiple or all accounts. The result of this naive self-confidence? As of 2021, compromised passwords were responsible for about 80% of hacking-related breaches.

In this article we look at the dangers of password reuse and the methods available to store unique passwords securely.

How Password Reuse Makes It Easy To Hack You

It’s very tempting to use the same password for different accounts — it’s faster and easier to remember. What’s the big deal about reusing passwords, you may be wondering?

Reusing passwords is like using the same key for every lock, and leaving a copy of that key behind each door. But it’s worse, because a password can be instantly copied and used remotely.

Most people make the mistake of thinking that as long as their password is hard to guess, it's very unlikely anyone will find it. Unfortunately that's wrong. Hackers rarely find passwords by guessing them; they steal them, in bulk.

Hackers steal your passwords without interacting with you

Have you ever heard of a company falling victim to a data breach? It happens all the time. It means that a hacker was able to get into a company's internal systems and steal a bunch of data. And what data are hackers most interested in? User data, meaning information about you, including your login credentials.

You may think a data breach is a problem for the company, and indeed it's bad publicity. But when hackers steal user data, you and I are the targets.

User data includes any personal information you have given to that company. It often includes:

  • Name
  • Username
  • Email address
  • Password
  • Phone number
  • Date of birth
  • Etc.

If you have an account with that company, the hackers now have your information, including your password (or a hash of it, which they can usually crack offline if the password is weak or common).

It's easy to underestimate the risk. It's all virtual and you don't see any of it, so it's easy to pretend that nothing happened. Common rationalizations are "I don't care about that account, I never used it anyway, there is nothing to steal", or, for a more sensitive account, "The hackers who stole that data can't possibly go after everyone; the odds that I'll be targeted are slim."

While these thoughts may reassure you, they come from denial, from misunderstanding the risks, or both. Doing nothing about it is exactly what hackers hope for; it makes their job much easier.

A reused password allows hackers to access all your online accounts

Even if you don't care about the specific account that was breached, hackers still have your information from that account. Now the million-dollar question is: did you use the same email address and the same password for other accounts?

If yes, then you are in trouble. Hackers know very well that most people reuse their passwords, and they count on it. They will try that same email address and password combination on other websites (an automated replay known as credential stuffing), starting with the more sensitive ones: your social media accounts, your email, your bank, etc.

That’s why reusing passwords is such a liability. Even if you are careful online, there is nothing you can do about companies getting hacked and your information being stolen. The only way to protect yourself is to make sure that whatever information gets stolen cannot be used to gain even more access to your personal information.

The best way to limit the damage is to use a unique password for every website. That way, even if one website gets breached, hackers won't be able to use the stolen information to get into your other accounts.

If you want to know whether your data was leaked in a data breach, enter your email address in this very special search engine: https://haveibeenpwned.com

What are the odds that hackers target YOU?

In the short term it's probably very low. In the long term, it's very likely you will be targeted.

Most people assume that if one hacker got access to their user data, only that hacker can use it. That's a gross misunderstanding of how the hacking world works. More often than not, hackers who steal user data don't use it themselves; they sell it on the dark web to anyone willing to pay for it.

Eventually, one of the buyers will simply publish the data for free, semi-publicly. The result is that thousands of hackers have access to your data, and the more time passes, the more of them get it.

The hacking world is very well organized and specialized. Some hackers specialize in data theft and sell it to others who specialize in data exploitation. It’s a vast underground market where your data gets sold and exchanged many times. Once it’s leaked, you have to assume that anyone can access it.

With the rise of cybercrime, it's only a matter of time before a hacker targets you, even if only at random.

The Best Method To Avoid Reusing Passwords

The only way to use strong unique passwords is to not have to remember them. That means you need some system to store your passwords securely. The best option is typically to use a dedicated Password Manager.

Password Managers may not work for everyone though. The reality is that most people reuse passwords because it's easy and convenient. There is usually a trade-off between security and convenience.

Let’s compare the most common options available for storing passwords.

Password Storage Solutions: From Least to Most Secure

In Your Mind

Simply keeping your passwords in memory, which forces you to recycle the one or few passwords you can remember. It's the primary cause of password reuse and weak passwords.

Ease of setup: 5/5 | Ease of use: 5/5 | Flexibility: 5/5 | Security: 1/5

Spreadsheet/File

Keeping your passwords in a file on your computer, a note on your smartphone, etc., even if password-protected. It may seem smart at first sight, but it's a very weak practice: a file is readable by any malware or any person who gets hold of your device, and it gets copied, synced and backed up to places you don't control.

Ease of setup: 5/5 | Ease of use: 3/5 | Flexibility: 2/5 | Security: 2/5

Internet Browser

Most internet browsers offer to save your passwords so you don't have to remember them. But if you don't set up a "Master Password" to encrypt them, your passwords are very vulnerable.

Ease of setup: 5/5 | Ease of use: 5/5 | Flexibility: 3/5 | Security: 2/5

Paper Notebook

Old-school pen and paper: keeping your passwords in a notebook kept safely at home. Very vulnerable to anyone with physical access, but very strong against remote hackers, as long as you create strong passwords and don't reuse them.

Ease of setup: 5/5 | Ease of use: 3/5 | Flexibility: 1/5 | Security: 3/5

Internet Browser (with Master Pwd)

If you set a "master password" to protect your browser's password manager, it becomes considerably more secure. It's the only reasonably safe solution short of a dedicated password manager.

Ease of setup: 4/5 | Ease of use: 4/5 | Flexibility: 4/5 | Security: 4/5

Dedicated Password Manager

The most secure password storage solution. Your passwords are encrypted with a key derived from your "Master Password". If it's strong enough, your passwords are virtually impossible for anyone but you to access.

Ease of setup: 2/5 | Ease of use: 3/5 | Flexibility: 5/5 | Security: 5/5

In my experience, there are only three viable options for storing your passwords:

  1. For the most tech-averse, a pen & paper approach can work if done right;
  2. A better option is to use your Internet browser’s built-in password manager, as long as it’s protected by a strong Master Password;
  3. The most secure option is a dedicated Password Manager.

Storing Passwords In A Paper Notebook

Good old paper has the great advantage of not being accessible online. Hackers would have a really hard time getting at your passwords that way. It's still possible, because you have to type your passwords into a computer at some point and a keylogger or phishing page can catch them there, but it's much harder.

This option should be reserved for people who are particularly tech-averse and feel more comfortable with pen and paper, because it has several major flaws:

  • Your passwords are only as secure as your notebook. The obvious risk is that it's physically accessible, so you need to keep it somewhere safe. If you live alone and rarely receive guests, that may be less of a concern for you.
  • Writing passwords by hand encourages weak passwords that are easy to write, read and spell. You're more likely to use dictionary words, which are weaker than random characters, to use shorter passwords, and to reuse the same ones out of simple laziness. All of these make your passwords weaker. The risk is cutting corners; if you're disciplined, it can work.
  • A notebook is not very flexible. You can't access your passwords on the go or when traveling unless you carry it with you, and if you carry it everywhere, it's only a matter of time before you lose it or it gets stolen. That's too high a risk. Forget this option unless you're a sedentary homebody.

I generally wouldn’t recommend writing down your passwords on paper for all these reasons. It requires discipline to keep them secure. But it could be the best option for a segment of the population. I’ve seen tech-averse seniors keep a passwords notebook, and it works for them because they understand how that technology works. And understanding how your security works is a significant advantage.

Storing Passwords In Your Internet Browser (with a Master Password)

Modern browsers like Firefox, Safari, or Chrome offer to save your passwords when you enter them on a website, and to fill them in automatically the next time you visit. It's very convenient, and it's reasonably secure too.

The main advantage here is that the browser will usually suggest a strong random password when you create an online account. They make it easy for you NOT to reuse the same passwords.

Screenshot of Chrome suggesting a password during an account creation form

These passwords used to be poorly protected in the browser, but nowadays, if handled correctly, they are stored strongly encrypted.

Your passwords are only encrypted and secure in your browser when they are themselves protected by a password, often called a "Master Password". That way, you only have one password to memorize in order to access all your other passwords.

Different browsers handle this a bit differently. Firefox lets you set a "Primary Password". Safari and Chrome rely on macOS' and Windows' security: the saved passwords are encrypted with keys tied to your computer login. That said, all of them will protect you reasonably well from most online attacks.

As secure as your browser may seem, storing passwords there has some drawbacks:

  • Chrome and Safari automatically secure your passwords with your computer login. If you're using Firefox, make sure you set a Primary Password. If you skip that step, your saved passwords are effectively unencrypted, which is as bad as, if not worse than, storing them in a spreadsheet.
  • Browsers are built to browse the Internet, so they're very exposed to online threats. Most malware targets your browser first, and hackers know that people store passwords there. Info-stealing malware running under your user account can decrypt the saved passwords the same way the browser does, because the key tied to your login is available to any program you run. Storing passwords in the most obvious and exposed piece of software on your computer is not the most secure move.
  • Passwords in the browser are vulnerable to physical intrusion: anyone with access to your unlocked computer can view them in the browser's settings.

Overall, if you save your passwords in your browser and they’re secured by another password (master password or computer password), AND you use unique passwords for each website, then you’re already more secure than most people.

Because browsers have decent security and —more importantly— make it easy for you to generate random passwords for each account, I consider them a secure option.

Storing Passwords In A Dedicated Password Manager

The most secure option to store your passwords is a dedicated Password Manager. They function similarly to the built-in password manager in your browser, but they’re a separate application dedicated to that job.

They require you to set a "master password", which becomes the only password you need to remember. It's used to encrypt and protect all your other passwords.

Most Password Managers sync through the cloud, so you can access your passwords from anywhere, and if your computer burns in a fire you still have them. Most offer a browser extension that saves your passwords and fills them in automatically, and a phone app that integrates with your phone's keyboard and fills in passwords even inside other apps.

Last but not least, they also generate strong random passwords for you, which makes it easy to use unique passwords on each website. Once you’re set up with a Password Manager, it’s very secure and very flexible. That’s why they’re the best option long term.

There must be drawbacks to Password Managers too, you ask? Well, yes:

  • Most Password Managers offer a free plan, but additional features are paid. It’s the only option on this list that isn’t completely free. That said, the free plans are enough for most people.
  • The technical setup is more complicated than the other options on this list. You need to create an account, you need to install the application, the browser extension, the phone app… It’s a one time thing, but it’s a thing, especially if you’re tech-averse.
  • You need to enter your passwords into the Password Manager before it becomes useful, obviously. The browser extension will try to recognize when you log in to a new website and offer to save the credentials, but occasionally it fails to recognize a login, forcing you to save it manually. Not a huge deal, but it's one more thing to think about. More generally, as a third-party app, the Password Manager integrates as closely as it can with your browser and your phone, but it's not 100% smooth.

These inconveniences may be enough to scare you off if you’re tech-averse and tech-impatient. If you’re comfortable enough with technology, these minor bumps on the road won’t be a problem and the extra security is well worth it. Dedicated Password Managers are the way to go.

Just like any other product, there are different companies offering Password Managers. Don’t let the multiple options paralyze you into inaction. I’m not going to do a comparative of all the Password Managers in this article, but here are few great options. Even if your tech-savvy friend might disagree, any of these options will be MUCH BETTER than none.

Recommended Password Managers

Option 1:
  • All essential features free
  • User-friendly, good if you're tech-averse
  • New on the market, but trusted company

Option 2:
  • All essential features free
  • Open source: more secure
  • Not the most user-friendly

Option 3:
  • Free version too limiting
  • Good balance of user-friendliness and security
  • Has been around for years and earned credibility

Should you pay for a Password Manager?

If you had never heard of a Password Manager before and are now considering using one, it’s probably not an expense you had planned for. So it’s up to you, but here is how I think about it.

Your login credentials are among the most sensitive personal information you need to secure. Personally, I'm happy to pay a few dollars a month to get the security and the features I need in that area. I know the online criminal world well enough to know that I'm not out of reach of hackers, and I value my security. So I'm willing to pay half the cost of a monthly Starbucks latte for it.

If you’re a broke teenager, or if you’re just not convinced that a Password Manager is for you and you want to try it first, you may not be willing to pay extra. If that’s the case, a free Password Manager is tremendously more secure than none. So either way, I recommend one.

The Main Take Away

We store more and more sensitive information online, and hacking is becoming easier as the hacking scene matures. Anyone not taking some measures to secure their login credentials is at the mercy of criminals, whether they know it or not.

In the physical world we take measures to lock our valuables, we need to do the same online. You may live in a nice neighborhood in real life and not be too worried about robbers. But on the Internet anyone can access anyone — everywhere is a bad neighborhood, and there are no cop patrols.

If you had to do only one thing to protect yourself online, it’s to never reuse a password. It’s the single most important habit you can build, it will protect you from most common attacks.

You can’t memorize more than a few unique passwords, so in order to avoid reusing them you need some place to store them. Whether you go old school with a paper notebook, you rely on your internet browser to store them or get a dedicated Password Manager, that’s up to you. The only option you cannot afford is to do nothing.

Once you’ve decided on an approach to store your passwords, you need to transition them to that new system. If you need help, here is my recommended approach.

When all your online accounts are protected by unique passwords, you can add a final layer of security that will stop the vast majority of hackers trying to use stolen credentials. It's commonly called "2FA", for "Two-Factor Authentication." Here is how to set up two-factor authentication.