Living with password re-use
In a perfect world we'd use unique passwords for every online service. But the world isn't perfect...
We are often told that re-using passwords is dangerous. The idea is simple: if criminals steal your password from one website, they will try to use it on your other online accounts. One of those could be a really important account, like your email.
We know we should use a different password for every online service. We also know that most of us re-use passwords, because it’s impossible to remember a different password for each service, especially if those passwords also need to be long and random.
So although it’s unrealistic to expect people not to re-use passwords:
there are some scenarios where you should never re-use passwords
there are some scenarios where the risk of re-using passwords is pretty low
there are some good ways to store passwords (which can help you to avoid re-using passwords)
Let’s look at these three scenarios in more detail.
Never re-use passwords across important accounts. These are the ‘high value’ accounts that protect the things you really care about, and whose compromise would cause you the most harm if their passwords were stolen. As well as using a separate password for each of them, you should also set up Two Factor Authentication (also called Two Step Verification) in the security settings for each.
Email is an especially important account, as it can be used to manage all of your other passwords (and to request password resets). It also contains a lot of personal information that a criminal can exploit. Your other important accounts might include:
online banking and online payment services
password managers
work accounts
cloud storage
platform accounts (like Apple, Microsoft or Google)
federated ID (where you log into one account using the credentials from another, usually Facebook or Google)
any account that you would be devastated to lose (for example your favorite social media accounts)
It’s less risky to re-use passwords across accounts where you feel you could easily replace the account, and it wouldn’t hurt you (or others) if someone else had access to it. This could be because:
the account has very little personal data
the account can’t be used to spend your money
the account doesn’t contain any personal information about other people
there is no expensive or irreplaceable content (like photos, music, games, etc.)
Crucially, if criminals steal one of these ‘low value’ passwords, it would only give them access to other low value accounts that share the same password. Your high value accounts, all of which should have unique passwords, would still be protected.
You may also have accounts that fall somewhere between the two groups above. This might include social media and shopping websites. The important thing here is to make sure that you don’t re-use these passwords with those used to protect your really important accounts. If you’re struggling to avoid re-using passwords across these types of account, keep reading…
Here are three simple ways to help you avoid re-using passwords.
Use a password manager
Write your passwords down (and store them securely)
Make your accounts less valuable to attackers
We realize there’s a lot of information to take in here. However, you don’t need to organize all of your passwords straight away. You can make small steps, and every step will help.
Here is what the BCSF recommend you prioritize:
If you have re-used your email password, change this one as soon as possible, and make it a good one. Your other important accounts can be done when you have some time (don’t forget!).
Make sure you use a lock screen on any device where your passwords are saved.
Spend a few free minutes setting up two-factor authentication on an important account. It can be as easy as entering your phone number or installing an app. Again, start with your email and do the others when convenient.
Sometimes you’ll have to reset passwords anyway. Use this as an opportunity to decide whether this is an ‘important’ account, whether it needs a unique password, and whether it can be safely stored.
Once you’ve decided how you want to store your passwords, start moving them out of your brain whenever it’s convenient (and allowed). For example, password managers and browsers usually offer to save passwords for you, so save passwords whenever you are logging into websites or creating new accounts anyway.
Get into the habit of using a different password every time you make a new account (or are forced to reset an old one).
If a password is going straight into a manager, you can make it long and random (because you don’t have to remember it).