I am surprised by the number of people who tell me they use the same password for nearly everything. Even if the password is a strong one, this is still incredibly insecure, and most people do not realize why.
If I reuse a password on multiple sites and just one of those sites is compromised, my one password is known by a bad actor. If that password is used for an email account or online storage, all my data could be deleted. If I use the same password for anything that has money attached to it, Amazon, iTunes, bank account, etc., it could be a costly mistake.
I have used the same password on most of my sites for many years, but that password is altered so that each site appears to have a unique password. Let me explain how it works by showing how my password at Yahoo compares with my password at Google.
For this example, let us say my password is
Secret1
If I mix my password with the site I am logging into in such a way that I can reproduce the process in the future, I can come up with a unique password for each site I log in to. Here is a simple “hash” of the site and my password. Take the first letter of the site followed by the first letter of my password, and continue to alternate letters from site and password until a “hash” is created.
For Yahoo my password would be
YSaehcoroet1
For Google my password would be
GSoeocgrleet1
This is called a hash. A hash combines two pieces of data in a way that always produces the same final string of characters for the same inputs. This example alternates letters from the site and letters of my password.
My example hash is simple, and someone who has access to one of my final passwords would be able to reverse engineer it to determine the master password component of my hash. They would then be able to reproduce this hash anywhere else I use it.
Fortunately, there are many cryptographically strong hash functions available. A strong cryptographic hash cannot be reverse engineered to come up with the original master password.
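The alternating scheme above, and the gap between it and a genuine one-way derivation, as an added Python example that is not code from this post or from the linked gist. The recovery function shows why the interleaved form is reversible once the site name is known; the PBKDF2 step is my own assumed stand-in for the “strong hash” and does not reproduce the trustyetc.com values shown later.

```python
import hashlib
from itertools import zip_longest


def interleave(site: str, master: str) -> str:
    """The post's alternating scheme: site[0], master[0], site[1], master[1], ...
    When one string runs out, the rest of the other is appended unchanged."""
    return "".join(s + m for s, m in zip_longest(site, master, fillvalue=""))


def recover_master(site: str, derived: str) -> str:
    """Why interleaving is not a one-way hash: anyone holding one derived
    password and knowing the site name can peel the master password back out."""
    n = len(site)
    m = len(derived) - n          # length of the master password
    if m >= n:                    # master at least as long as the site name
        return derived[1:2 * n:2] + derived[2 * n:]
    return derived[1:2 * m:2]     # master shorter: only the first m pairs


def derive_site_password(site: str, master: str, length: int = 16) -> str:
    """Assumed stand-in for the post's strong-hash step (not the algorithm behind
    trustyetc.com/password, so it will not reproduce the values shown there):
    PBKDF2-HMAC-SHA256 keyed by the master password with the site as salt.
    The iteration count makes offline guessing of a short master password
    slow, which a single plain hash call would not."""
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), site.encode(), 200_000)
    return raw.hex()[:length]


def differing_positions(a: str, b: str) -> int:
    """Count positions where two equal-length strings differ (avalanche check)."""
    return sum(x != y for x, y in zip(a, b))


if __name__ == "__main__":
    print(interleave("Yahoo", "Secret1"))             # YSaehcoroet1
    print(recover_master("Yahoo", "YSaehcoroet1"))    # Secret1
    for master in ("Secret1", "Secret2"):
        print(master, derive_site_password("Yahoo", master))
```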
Here is an example that can be embedded into a web site.
https://gist.github.com/windows98SE/cc024ffb4cf501358edc
I have embedded this hash algorithm into this page.
https://www.trustyetc.com/password
When I use Yahoo for the Site URL and Secret1 for the Master Password, the resulting hashed password is
6D97cDf17270
Try it yourself. You will get the same hash as I did with this combination. Keep in mind that both the URL and the password are case sensitive. Now compare the hashed passwords for Yahoo and Google:
6D97cDf17270
62C36b6F50f1
Other than the first digit being the same, there is no similarity between the two hashes. Look at this list of password hashes for Yahoo where Secret1, Secret2, Secret3, Secret4 and Secret5 are used respectively:
6D97cDf17270
692BeDc3Af30
65D98a7D9bF3
48F486d92533
70328C6c69Ba
Even though only one character is changed in my master password, each hash is completely different. This is a property of a good cryptographic algorithm.
So it is safe to use one password on all your sites, as long as you run that password through a good hash beforehand.