How many passwords?
October 30th, 2007
A question often arises in security discussions: How many passwords should we use?
The “best practices” answer is that we should use a different password for every site that requires one. If one is compromised, the potential damage is limited. However, there are problems with this. Many of us have dozens of sites that we use regularly - trying to remember 20+ username and password combinations is too much for most of us. This makes people either write them down or choose very weak, easily remembered words. The opposite, using a single password everywhere, is even worse. Unfortunately, the single-password method is used by far too many people.
One system to consider is to use a smaller number of passwords, each shared across several sites of the same risk level. For example, all the discussion forum logins can be the same - if one is discovered, the risk is that someone can edit and delete posts, or impersonate you in a discussion. The key to this method is to make sure that a high-security password is never used on a low-security site.
As a general rule, any password used on an SSL-protected login (https) should never be used on a regular site (http). Any password used to protect financial information, like a bank account or PayPal login, shouldn’t be reused for any purpose. Any password that has ever been sent via email should be considered already known to others, and not used anywhere at all.
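As an added example that is not part of the original post, here is a small audit script that applies the three rules above to a personal credential list; the hostnames, passwords and rule names are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Login:
    site: str        # hostname, used only for reporting
    https: bool      # login form is served over https
    financial: bool  # bank, PayPal and similar accounts
    password: str


def audit(logins, emailed_passwords=()):
    """Check a credential list against the post's three rules.

    Returns a list of (rule, sites) tuples, one per violated rule, where
    sites is the sorted list of hostnames sharing the offending password.
    Meant to be run locally against your own list; it never sends anything.
    """
    by_password = defaultdict(list)
    for login in logins:
        by_password[login.password].append(login)
    emailed = set(emailed_passwords)
    findings = []
    for password, uses in by_password.items():
        sites = sorted(u.site for u in uses)
        # Rule 3: a password that ever went out by email is burned everywhere.
        if password in emailed:
            findings.append(("emailed", sites))
        # Rule 2: a financial password is never shared with any other site.
        if len(uses) > 1 and any(u.financial for u in uses):
            findings.append(("financial-reuse", sites))
        # Rule 1: an https password is never reused on a plain-http site.
        if any(u.https for u in uses) and any(not u.https for u in uses):
            findings.append(("https-on-http", sites))
    return findings


# Constructed sample list (hostnames and passwords are made up).
SAMPLE = [
    Login("bank.example", True, True, "pw-money"),
    Login("paypal.example", True, True, "pw-money"),
    Login("shop.example", True, False, "pw-shop"),
    Login("blog.example", False, False, "pw-shop"),
    Login("forum-a.example", False, False, "pw-forum"),
    Login("forum-b.example", False, False, "pw-forum"),
    Login("wiki.example", False, False, "pw-old"),
]

if __name__ == "__main__":
    for rule, sites in audit(SAMPLE, emailed_passwords=["pw-old"]):
        print(rule, sites)
```

The two forums sharing one password produce no finding, which is exactly the same-risk-tier sharing the post permits.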
