Yesterday I received an email in my inbox from a prominent gaming website, indicating that my account had been disabled due to “suspicious activity” and that I would need to reset my password. They then carefully explained that this was not due to a breach of their site, but instead likely due to my account credentials having been exposed either in a phishing attack or through a compromise of some other website where I used the same password, i.e. password reuse. This is an account I haven’t used in years, but I’m fairly certain it had an old password on it which I know was exposed in a breach a few years back.
Why didn’t I go and change the password on this account when I found out it had been breached, you might ask? Simple: that password was used on many accounts and I’d completely forgotten about this one.
You see, back then, for lower-security sites like gaming websites, I would reuse the same password, as embarrassing as that is to admit now. I figured that even if it were compromised, these were sites I didn’t care much about and the damage would be minimal. This means it ended up being used on literally dozens and dozens of different accounts, many of which I haven’t used in years and may have only logged into once. The fact that none of these old accounts are terribly dangerous to me if they get compromised is all well and good, and I’m not too terribly concerned about the long list of sites like this one. But if I had ever reused this password on sites that actually did “matter”, my financial accounts, for instance, I could have had a much bigger problem.
When you first find out that your pet password that you’ve used everywhere has been exposed (and hopefully you find this out before someone tries to exploit it), it’s a sobering moment. You’ll no doubt remember to go change it in the places that matter the most: your email account, bank accounts, credit card accounts, brokerage accounts, etc. But will you remember to change it on your old banking website that you haven’t used in years? What about your health insurance website? That old email account you no longer use, but still has all of your old contacts and sensitive emails in it? Random shopping sites that stored your credit card information? Frequent flyer accounts with thousands of miles on them that can be transferred? Your Dropbox account? The list goes on and on and you’re unlikely to remember them all.
And that’s the biggest problem with using the same password everywhere (and doing so for long periods of time): if it gets exposed, and in this day and age that’s almost a “when” and not an “if”, remembering every place you need to go and change it can be a daunting task. It’s kind of like pulling a magician’s handkerchief out of his pocket: it just keeps coming and coming and you’re not quite sure where the end is. Except that the consequences of missing an account where you’ve reused that password could be serious.
If you’re using the same password everywhere, we highly recommend that you stop doing this. A good password manager like LastPass can make it much easier to keep track of unique passwords for every site you use and escape the trap of password reuse.
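One way to turn the “which accounts still share that old password?” question from the paragraphs above into a repeatable check is to audit a password-manager export. The script below is an added example, not code from the original post or from LastPass; it assumes a CSV export with `site,username,password` columns (constructed sample data) and stands in for a breached-password lookup service with a small constructed corpus, querying it k-anonymity style so only the first five hex characters of each password’s SHA-1 ever leave the client.

```python
"""Audit a password-manager export for password reuse and for passwords known
to be exposed, using a k-anonymity range check that never sends the password."""
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample vault export (not real credentials).
VAULT_CSV = """site,username,password
mail.example,alice,Tr0ub4dor&3
bank.example,alice,x9!kQ2#mLp7$vB
games.example,alice_gamer,Tr0ub4dor&3
shop.example,alice,Tr0ub4dor&3
forum.example,alice99,correct horse battery staple
"""
# Constructed stand-in for the breached-password corpus a lookup service holds.
EXPOSED_CORPUS = ["Tr0ub4dor&3", "password123", "letmein"]

def load_vault(text):
    return list(csv.DictReader(io.StringIO(text)))

def reused_passwords(entries):
    """Group sites by SHA-256 of the password so the report never echoes
    plaintext; return only passwords shared by two or more sites."""
    by_hash = defaultdict(list)
    for e in entries:
        by_hash[hashlib.sha256(e["password"].encode()).hexdigest()].append(e["site"])
    return {k: sorted(v) for k, v in by_hash.items() if len(v) > 1}

def sha1_split(password):
    """Uppercase SHA-1 split into the 5-hex-char prefix that is sent and the
    35-char suffix that is compared locally."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[:5], digest[5:]

def range_lookup(prefix, corpus=EXPOSED_CORPUS):
    """Server side of the range query: return every exposed suffix under the
    prefix. The service learns the prefix, never the full hash or password."""
    return {s for p, s in (sha1_split(pw) for pw in corpus) if p == prefix}

def sites_with_exposed_password(entries):
    """Client side: send each password's prefix, match the suffix locally."""
    hits = []
    for e in entries:
        prefix, suffix = sha1_split(e["password"])
        if suffix in range_lookup(prefix):
            hits.append(e["site"])
    return sorted(hits)

if __name__ == "__main__":
    vault = load_vault(VAULT_CSV)
    print("reused:", reused_passwords(vault))
    print("exposed:", sites_with_exposed_password(vault))
```

Every site the audit lists under a reused or exposed password is one where the password should be rotated, including accounts you had forgotten existed.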