One of the things that pretty much everyone has done, and many people still do, is use one password, or a very small number of passwords, for everything. This is because it is much easier to remember one password, even if it is complex and long, than to remember a dozen or more passwords and which service each one is used for.
The downside of this approach, however, is that if someone knows or guesses the one password you use, they can use it to access every account and device you have. It may seem relatively easy to keep your password private (you can simply not tell anyone), but you still have to configure your accounts on websites to use it, and that is where the potential problems lie.
No one’s cybersecurity is perfect, which unfortunately means that websites are not as secure as they could be. In the worst-case scenarios, a vulnerability allows hackers to download the website’s database, which includes every user’s account details. Account details are of particular interest to hackers precisely because so many people reuse passwords: with a list of email addresses and associated passwords, they can try the same combinations on other websites where it may be easier to make or steal money.
Ideally, websites should cryptographically hash passwords before saving them in the database. A hash is a one-way function that always produces the same output for the same input and a different output for different inputs. The “one-way” part is also important: it means you cannot take the output of the hash function and transform it back into the original password. This lets a website check whether you have provided the right password by hashing what you typed and comparing the output to the value saved in the database, all without knowing the original password. It also means that to work out a password, hackers must guess passwords until they find one whose hash output matches.
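To make the hashing idea concrete, here is an added example (not code from the original article) of how a website can store and check a password using a one-way hash. It uses PBKDF2-HMAC-SHA256 from Python's standard library with a random per-user salt; the salt and the iteration count are assumptions of this example that go one step beyond the paragraph above, and they are what stops two users who chose the same password from ending up with identical database entries.

```python
import hashlib
import hmac
import os

# Constructed parameters for this example. A real deployment should prefer a
# dedicated password-hashing function (Argon2, scrypt or bcrypt) where available.
ITERATIONS = 100_000   # work factor: makes each guess slower for an attacker
SALT_BYTES = 16        # random per-user salt, stored next to the hash


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return the string a website would store: 'iterations$salt_hex$digest_hex'.

    The original password is never stored; only the one-way output is.
    """
    if not salt:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Check a login attempt by re-hashing it with the stored salt and comparing.

    The website never learns the original password from the database; it can only
    confirm that the supplied guess hashes to the same output.
    """
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def demo() -> dict:
    """Exercise the properties described in the article on constructed sample passwords."""
    stored = hash_password("correct horse battery staple")
    return {
        # The database entry does not contain the password itself.
        "stored_reveals_password": "correct horse battery staple" in stored,
        # The right password hashes to the same output and is accepted.
        "right_password_accepted": verify_password("correct horse battery staple", stored),
        # A near miss produces a different output and is rejected.
        "wrong_password_rejected": verify_password("correct horse battery stapler", stored),
        # Thanks to the salt, the same password gives different entries for two users.
        "same_password_two_users_differ": hash_password("hunter2") != hash_password("hunter2"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The stored string is all a database leak would expose; an attacker holding it still has to guess candidate passwords and run them through the same function, which is exactly why a slow, salted hash (and a password that is not reused elsewhere) matters.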
If you have an account on a website that is hacked, it is a very good idea to treat that password as publicly known. That means you need to change it everywhere you use the same one, which can be a massive pain if you reuse the same password for everything. Despite how annoying it is to change a password on every service, most people will do so if they know their password has been leaked and their account could be accessed. The problem is knowing whether your data has been in any data breaches.
Check if you’ve been affected by a breach
The website “Have I Been Pwned” (pronounced like “owned” but with a “p” at the start) is a free service run by security expert Troy Hunt that catalogs known data breaches. If you enter your email address, you can see if it shows up in any of the breaches. If it does, you know that your password for that account has been compromised and can then change it on that website and any other that uses the same password. If you’re lucky your password won’t be in any breaches, but it’s a good idea to check, as you may not necessarily know.
Tip: Have I Been Pwned doesn’t save any of the passwords included in the data breaches; it only allows you to search to see whether a specific email address has been included. This approach means the service is perfectly safe to use: you are not at risk of giving away any data.