Passwords and Passion

A recent survey conducted by Sophos (www.sophos.com/pressoffice/news/articles/2006/04/passwordadvice.html) asked, “Do you use the same password for multiple Web sites?” Their admittedly unscientific results confirmed what most of us would expect: 41 percent of the respondents said they always use the same password, 45 percent said they have a few different passwords, and 14 percent said they never use the same password on multiple Web sites. My guess is that those 14 percent either don’t have an Internet connection or are “security professionals.”

Clearly, this is bad news. But is it safe to be a monopasswordist at all? Even if you pick a long, randomized, unguessable pass-phrase, commit it to memory and then eat the paper you wrote it down on? Can you rely on the theory that if a password is good enough for your company’s most secure network, then it is obviously more than adequate for the website of the local football league?

The answer is that you most certainly cannot. Different account providers implement their password protection for a range of reasons, using a range of technologies. The very act of using a password renders it liable to being compromised – and this compromise may happen because of the account provider’s behavior, not just your own.

If you have only a single password, then none of your accounts is more secure than the one which treats your password with the least confidentiality. You need to divide your accounts into different categories, based on the security you require and the password confidentiality which the account offers.
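The "weakest account wins" rule above can be checked mechanically against a credential list. The following is an added example, not code from the article or from Sophos: it takes a constructed, hypothetical account list (site names, a required-security tier of 1 to 3, and the password), groups accounts that share a password, and reports the effective tier of each group, i.e. the lowest tier of any site that password is reused on.

```python
import hashlib
from collections import defaultdict

# Constructed sample data (hypothetical sites, not from the article).
# "tier" is the security the account requires: 3 = high (work VPN, bank),
# 2 = medium (e-mail, shopping), 1 = low (club sites, forums).
ACCOUNTS = [
    {"site": "corp-vpn.example",        "tier": 3, "password": "Tr0ub4dor&3"},
    {"site": "bank.example",            "tier": 3, "password": "correct horse battery"},
    {"site": "mail.example",            "tier": 2, "password": "Tr0ub4dor&3"},
    {"site": "shop.example",            "tier": 2, "password": "Tr0ub4dor&3"},
    {"site": "football-league.example", "tier": 1, "password": "Tr0ub4dor&3"},
    {"site": "forum.example",           "tier": 1, "password": "hunter2"},
]


def fingerprint(password: str) -> str:
    """Compare passwords by a truncated hash so the report never carries plaintext."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def audit_reuse(accounts):
    """Group accounts by password fingerprint and, for every password used on
    more than one site, report the sites, the effective tier (the lowest tier
    among them) and the higher-tier sites that are dragged down to it."""
    groups = defaultdict(list)
    for acct in accounts:
        groups[fingerprint(acct["password"])].append(acct)

    findings = []
    for fp, members in groups.items():
        if len(members) < 2:          # a password used once is not reused
            continue
        lowest = min(m["tier"] for m in members)
        findings.append({
            "fingerprint": fp,
            "sites": sorted(m["site"] for m in members),
            "effective_tier": lowest,
            "exposed": sorted(m["site"] for m in members if m["tier"] > lowest),
        })
    # Worst (lowest effective tier) first.
    return sorted(findings, key=lambda f: f["effective_tier"])


if __name__ == "__main__":
    for finding in audit_reuse(ACCOUNTS):
        print(f"password {finding['fingerprint']}: effective tier "
              f"{finding['effective_tier']}, exposed: {finding['exposed']}")
```

In the sample data the corporate VPN, mail and shopping accounts all inherit tier 1, because the same password is also used on the football league site.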

At any rate, read the full article to learn more, and to see how to manage passwords securely.
