The standard security party line is “never reuse passwords”

The logic behind this is simple. When logging in to any site, service or application, in most cases two pieces of information are needed: a username and a password. The username is commonly an email address or some other publicly displayed piece of information. The username is generally not intended to be kept secret – the password, however, is. Should a site be compromised, and your username and password be leaked, how many other services of yours is an attacker going to be able to gain access to with the same password?

So – don’t reuse passwords. Use a unique password for each service.

At the same time, passwords can’t be easily guessable. You can’t be expected to audit or know each service’s password and brute-force defences, so we select complex passwords. The advice used to be: pick a non-dictionary word. Then the advice was to include mixed case, alphanumeric and special symbols. Now it’s sometimes 10 or 12 characters that are suggested. Additionally, services are increasingly forcing their users to comply with strong password policies.

So – long, non-dictionary, mixed case, alphanumeric and special symbols.

Of course – you never write passwords down.

Seriously?

Let’s look at it from a more practical approach.

Option #1 – use ‘KeePass’ or some other password management application. Depending on whether these are online or offline, you have different risks and benefits. Of course, there’s now a single point of attack concern here as well: if that password management database is compromised, all your credentials are bust. Do you keep your key in one location and risk loss? What about the password complexity on that offline key? Do you spread your key across multiple locations and increase the risk of compromise?

At the same time, being tied to password management software, secure keys and backup concerns doesn’t sound very appealing for home user Joe.

Option #2 – Reuse your passwords! But... be smart about it. Look at the risks to you of each service being compromised and having that password leaked. In my case I use 6 passwords – one for finance/banking (along with two-factor authentication), one for my private key, one for Google, one for my email accounts hosted on my own mail server, one for social media services and any reputable online services that I care about, and one for any account I sign up for that I’m not bothered about the compromise of. Am I happy with the risk that if my Twitter password gets compromised, the attacker has my Facebook password? Yes. Can I sleep at night knowing that if an attacker gains access to my multiple passwords for my Mastercard account, he can gain access to my American Express account? Yes.

This is my method of managing my personal passwords. In business, I’m forced to maintain password databases and policies for various clients’ servers and services. Password management software and services absolutely have a place, but not in user Joe’s personal life.