Abstract: a lot of people use the same password, or a variation of it, for logging into different websites or servers, to avoid having to remember multiple sets of credentials. Unfortunately, this backfires when one of the websites gets hacked and the password data becomes public. This leads to attackers using that same password to gain unauthorized access to every single account the person owns, turning a potentially limited breach into a widespread one.
considerations: many people will designate a reusable password for use
with "low risk" sites, sites that require compulsory registration to
post a comment, sites that store no sensitive data or sites that they
don't particularly care about. While this is a good risk reduction
tactic, it might still result in negative consequences if the details
from multiple "low risk" sites can be combined and used in social
engineering attacks (ie. state of residence from one site, DOB from
another, full name from third, phone number from fourth and so on until
there is enough data to open a credit card in your name). Another likely
risk comes from gradual increase in site's importance to the user over
time (ie. original "low risk" registration done to get a free trial
version of the product, but then credit card details are added at a
later date, with the purchase of the full version of the product).
Alternatively, while no sensitive data may be stolen from you, the
attacker might use the compromised accounts to impersonate you, to
either damage your reputation or attempt to social engineer your friends
and relatives into sending them money.
Alternatives: there are
many alternatives available for storing and accessing passwords for
various websites and services from all of your devices, which would
eliminate the need for remembering multiple passwords, while helping you
avoid reusing the same one on multiple websites. Apps like 1Password
and LastPass let you maintain and access an online repository of all of
your credentials, protected by one master password. If you are
uncomfortable with storing your credentials online, there are multiple
offline options available, such as PasswordSafe for PC, which stores all
your credentials in a local, or network shared, encrypted container and
offers convenient browser integration features. Various mobile devices
will typically have native password management applications for local
password management as well. Of course, with offline solutions, there is
the drawback of having to sync your passwords manually. Another
alternative, which is my personal favorite, is PwdHash - it can run as a
Firefox or Chrome plugin and let you enter the same password when
logging in to all websites, but actually replacing it with a one-way
hash of your password and domain name combination. As a result, what is
stored as a password on the website is different for every site and
cannot be reverted back to your master password even if the "plain text"
password is stolen in a cyber-attack. There are also client applications
for PwdHash password generation available on all major mobile platforms,
and if all else fails - you can always just do it through their website and copy-paste it to login.
Conclusion: reusing the same password for multiple accounts is a very
appealing and convenient option, especially for accounts perceived as low
risk. However, many risks of data theft, identity theft and reputation
loss through impersonation make this an unsafe practice in this day and
age of nearly daily website and service compromises. With many secure
alternatives such as PwdHash, PasswordSafe, LastPass and 1Password,
moving away from reusing passwords is easy and (mostly) free and might save you and your employer a lot of time and hardship in a next multi-million
account service cyber-attack.