Passwords
 | This page is a draft. It may be missing essential content covering basic aspects of the topic. Do not rely upon it without input from more complete resources. |
If you're familiar with this topic, please consider contributing. |
I think the best advice here is to shift you thinking from passwords to passphrases.
— Edward Snowden, via Last Week Tonight with John Oliver
If you've been on the internet for any meaningful amount of time, then it is very likely that passwords are a bane of your existence. It seems that every website and service wants you to register an account, even for most inane things, and a large reason for that is the ability to log your activity against your account, to make the service more attractive for advertisers.
Unless you've thought about this before, you likely have one or two decentish passwords that you reuse across all the websites and services. At most, you might have a system that you follow which allows you to slightly modify the passwords per site (for example, appending the first three letters of the website's domain to the end of the password). You probably find yourself clocking 'Forgotten password?' link all the time for almost every account you don't log into daily.
Surely there must be a better way...
There is, but it will involve a change to some of your habits.
Why password reuse is a problem
You might be wondering why is reusing passwords such a problem. Surely, there is no problem since you keep the password secret, and it's not like the websites you use can tell the passwords are being reused.
Well, the crux of the issue is that the websites and services have varying degrees of attention to security and commitment to your privacy, and sooner or later, one of the accounts will get hacked and it's login data will be leaked publicly. If you're reusing passwords, that means that login details for all your accounts are now public. Criminals, of course, know that people reuse passwords, so they will try the same combination on your email provider's site or your bank (this is known as credential stuffing). This is how an irrelevant website you used once 10 years ago getting hacked can lead to your email being hacked, and since for most people email is their identity anchor.
The solution to this is to use a unique password for every website you use. In that case, a criminal attempting to perform credential stuffing will get nowhere since they only know the password to the account that was hacked.