Cyber Security Hygiene (Proactive) Unique Passphrases and Passwords

This article is part of my Cybersecurity Hygiene Series - I recommend reading the background information about the series first to understand how these tips are structured. See this post: Cyber Security Hygiene.

Unique Passwords (secrets):

One of the single most important good cybersecurity habits is to use a unique password for every different account. While the concept is simple, the idea of using a unique password for every single account may seem daunting if you have never done it before. Keep reading for more information about why this is so important and how to do it without breaking your brain!

Why?

For many, it's not always clear why having a unique password is so important. To illustrate what happens when you reuse your password, let's look at an example that unfortunately occurs every day (parts of this may even seem very familiar):

Let's assume you have an account at some service. It may be an account like Gmail or Facebook, or it might be a local business like Joe's Muffler Shoppe or the pizza delivery shop down the street. The account information includes your email address and a password.

The problem starts when this business gets breached: their account information is stolen and your account there is now "compromised".

Let's assume this business has good IT and cyber security support. They recognize the breach quickly and send you a notification email straight away. It will probably say something like "out of an abundance of caution we have reset your password". This service is now protected against access using those compromised credentials, which is great.

But...

Let's look at what happens next if you used the same email and password on other sites... sites that were not breached.

Illustration showing how a breach at one service can result in issues at other unrelated services.

The criminals have all this automated, so within hours of that first site being breached, the emails and passwords they collected are exposed (sometimes for sale, other times just posted for free on the dark web). The next thing that happens is a series of automated scripts begin trying to log in to every other service they can think of using those same credentials.

The problem is, those other services were not breached. They didn't reset your password and have no idea that your account information was compromised over on the first service. This means that if you used the same email (probably) and password (hopefully not) on any of those other services, the bad guys just got in, and nobody even knows yet.

So if you use the same email and password for your local pizza place as you do for Gmail... and the pizza place gets breached, the bad guys now have access to your Gmail account (probably within about 10 hours)!

How Do I Fix This?

Use a different password for every account! The problem for most of us these days is that we have hundreds or even thousands of different accounts. So how do we have a different set of credentials for every one of them, and make them secure? (Hint: use a password manager.)

First, to make them secure: size really does matter. An 8 character password can be brute-forced offline using a retail graphics card in less than 10 hours (and this figure keeps shrinking). Good practice is to have a password 16 characters or longer (personally I never use less than 20 for those I must manually type in, unless the site forces me).

Do not try to memorize a password (yes, seriously!). If you must memorize something, remember a phrase, or remember the instructions for how to reconstruct a password from ingredients like your username and the service it belongs to.

Only change your password if you suspect it may have been compromised. (Note: places that make you change your password every xx days are living in the past! Current best practice is to not force time-based password resets.)

Want to know if your email (and associated password) has ever been breached? Have a look at https://haveibeenpwned.com/, a service run by a well known and trusted cyber security researcher (Troy Hunt). By entering your email address it will show you all the breaches that email has been included in. Note: if your email is more than a few years old, it has usually been in at least a few. My email from 1994 has been in almost 20. I'm not worried about this because I always use different passwords!

Bonus Tip:

These days, many of us use our phones and other mobile devices a great deal. When you're creating a password or passphrase that you will need to type in using one of these devices, consider the annoying keyboard quirks of those devices and try to group punctuation, numbers, and letters so you don't need to flip between keyboards too many times.
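To make the "How Do I Fix This?" rules and the bonus tip concrete, here is a small added example (my own illustration, not code from the article): it audits a constructed password-manager export for reused and too-short passwords, and generates a random 20-character password whose letters, digits and punctuation are kept in contiguous runs so a phone keyboard needs only two switches. The vault records, the 16-character threshold and the three/three digit and symbol split are assumptions for the example.

```python
import secrets
import string
from collections import defaultdict

MIN_LENGTH = 16  # the article's "16 characters or longer" rule

# Constructed sample of a password-manager export: (service, username, password).
# Made-up records for illustration only; the reuse is deliberate.
SAMPLE_VAULT = [
    ("gmail", "alice@example.com", "Sunny-Day-2019!!"),
    ("pizza-shop", "alice@example.com", "Sunny-Day-2019!!"),
    ("muffler-shoppe", "alice@example.com", "alice123"),
    ("bank", "alice@example.com", "correct horse battery staple 42"),
]

# Character classes that map to separate keyboards on most phones.
CLASSES = (string.ascii_letters, string.digits, string.punctuation)


def audit_vault(vault):
    """Flag passwords shared across services and passwords shorter than MIN_LENGTH."""
    by_password = defaultdict(list)
    too_short = []
    for service, _user, password in vault:
        by_password[password].append(service)
        if len(password) < MIN_LENGTH:
            too_short.append(service)
    reused = {pw: svcs for pw, svcs in by_password.items() if len(svcs) > 1}
    return {"reused": reused, "too_short": too_short}


def keyboard_switches(password):
    """Count how often typing the password moves between letter, digit and symbol keyboards."""
    def cls(ch):
        return next((i for i, alphabet in enumerate(CLASSES) if ch in alphabet), len(CLASSES))
    classes = [cls(ch) for ch in password]
    return sum(1 for a, b in zip(classes, classes[1:]) if a != b)


def mobile_friendly_password(length=20, digits=3, symbols=3):
    """Random password built as three contiguous runs (letters, digits, symbols) in random order."""
    if length < digits + symbols + 1:
        raise ValueError("length too small for the requested digit/symbol runs")
    runs = [
        "".join(secrets.choice(string.ascii_letters) for _ in range(length - digits - symbols)),
        "".join(secrets.choice(string.digits) for _ in range(digits)),
        "".join(secrets.choice(string.punctuation) for _ in range(symbols)),
    ]
    secrets.SystemRandom().shuffle(runs)  # run order is random, each run stays grouped
    return "".join(runs)
```

Running `audit_vault(SAMPLE_VAULT)` reports the password shared by gmail and pizza-shop (exactly the scenario in the article) and the 8-character muffler-shoppe password; `mobile_friendly_password()` gives a replacement that is long enough and typed with just two keyboard switches.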