Password Recycling

By Deane Barker on July 20, 2004

Why registration-sites suck: Boing Boing links to a story on Wired about registration at news sites. The article is okay, but Boing Boing’s comments ring very, very true:

The point that everyone seems to miss is that no one can possibly keep track of a thousand passwords for a thousand websites, which means that these sites undoubtedly contain recycled passwords […]

The more you recycle a password, the higher the likelihood that you will use it in a sensitive context — a bank site, a message board, an IM client, an auction site — where someone might impersonate you or even commit identity theft crimes against you.

Okay, raise your hands, how many of you have a “standard” password that you use all over the place? Everyone does it. Show me someone that uses a different password for every registration or account and I’ll show you a liar.

I know a friend that has a group of passwords that he uses based on context — one password for throwaway Web site registration, one for email accounts, one for IM, one for sensitive stuff like banking, etc.

What if someone at one of these services decides to take your password and see where else it might work? Yes, I know the passwords should be hashed when stored in their database, but there’s no guarantee that they’re going to do that.

How may of you have a password stored in some service or Web site that you’ve long-since forgotten about that would also work in, say, your bank’s Web site?



  1. Um… at the risk of being called a liar, I actually do use a different password for each site I visit. The only reason I can do this, though, is because I use SplashData’s excellent SplashID. This little password tracker runs on my Mac (or PC) and my Treo, automatically generates passwords for me, synchronizes changes, and is itself protected with a master password. It’s a bit of extra work to log in to a site, but not much, and I can simply copy and paste passwords most of the time.

    That said, the number of different sites for which I have to have a unique login and password is out of control. I’m far less likely today to sign up for a new service if it means I have to add another bloody password to my list. I’ll bet – I hope! – someone is working on the solution to this as we speak.

Comments are closed. If you have something you really want to say, tweet @gadgetopia.