Why you should never reuse passwords

December 4, 2018

Using one password for everything is convenient, but it’s also dangerously insecure. We examine the case of Mark, a young designer.

Mark is a regular guy. He has e-mail, Facebook, Instagram, Amazon, eBay, Steam, and Battle.net accounts, not to mention ones for another dozen online stores and a forum dedicated to his favorite video game. The accounts are all linked to his e-mail.

One day, the customer database of one of the online stores Mark has an account at suffers a leak (apparently it was kept unencrypted on an open-access server). No credit card information is stolen, but e-mail addresses, names, and passwords are. At first glance, there seems no particular reason to worry. Such leaks happen, and this is just a small online store — can you blame a humble shopkeeper for not being a cybersecurity expert?

But the cybercriminals who ransacked the database decide to try their luck — maybe someone on the list uses the same password for their e-mail account? They strike gold: Mark uses the same password everywhere, handing the cybercriminals access to his e-mail on a platter. There, they find not only photos that Mark sent to Lucy, but messages from Amazon, eBay, and other companies. Surely Mark doesn’t use the same password for these accounts too? They try logging in to his Amazon account, and presto: same password again.

Finding a credit card already linked to the Amazon account, the cybercriminals quickly snag a couple of iPhone Xs. Next up is Facebook, where the attackers ask Mark’s friends for money: “Guys, I really need to borrow some cash. I get paid tomorrow, so I’ll pay you right back, promise.” Some of the people who get the message really are Mark’s friends, and send money — to the cybercriminals’ account, of course.

But they haven’t finished yet. The intruders now change the passwords for every account they can access, which in Mark’s case means all of them.

One of the Facebook friends smells a rat and decides to phone Mark to check if it’s really him asking for a loan. Horrified, Mark rushes to his computer to change his Facebook password. But it’s already been changed by the cybercriminals, and Mark is locked out. He tries to recover the password and asks Facebook to send him a password reset link by e-mail — but he can’t access that either, for the same reason.

Mark realizes that he’s been well and truly hacked. He calls his bank, freezes credit cards, tries desperately to change the passwords for the few services that haven’t been snatched yet, and phones his friends to explain that it’s not him asking for money. He apologizes to those who have already transferred funds to the scammers, and vows to pay it all back.

And finally, Mark solemnly swears that he shall never use the same password for different services ever again for as long as he lives, and he’ll enable two-factor authentication wherever possible.
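The story turns on one mechanism: a password leaked from the least important site unlocks every other site that shares it. The following Python script is an added example, not part of the original article, showing the kind of local audit a password manager can run to surface exactly that blast radius before an attacker does. The vault contents and the "leaked" list are constructed for illustration; the audit compares SHA-256 fingerprints so plaintext passwords are never sent anywhere or written out.

```python
import hashlib
from collections import defaultdict

# Constructed vault for the scenario: service name -> password as a local
# password manager would hold it (hypothetical data, not from the article).
VAULT = {
    "mail": "Sunny2018!",
    "facebook": "Sunny2018!",
    "amazon": "Sunny2018!",
    "steam": "Sunny2018!",
    "forum": "forum-pass-42",
    "bank": "wq3!Tn9#zLp0&vRb",
}


def fingerprint(password: str) -> str:
    """SHA-256 of the password; the audit compares fingerprints only,
    so plaintext never leaves the vault or appears in a report."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed breach dump from the small online store in the story.
# Only fingerprints are kept, as one would do when importing a leaked
# list for local checking.
LEAKED_FINGERPRINTS = {fingerprint("Sunny2018!"), fingerprint("forum-pass-42")}


def reuse_clusters(vault):
    """Group services that share the same password.
    Any cluster with more than one service is a reuse problem even
    before a breach happens."""
    by_fp = defaultdict(list)
    for service, pw in vault.items():
        by_fp[fingerprint(pw)].append(service)
    return {fp: sorted(s) for fp, s in by_fp.items() if len(s) > 1}


def blast_radius(vault, leaked):
    """For each password that appears in the leak, list every service
    it would unlock: this is what the attackers in the story enumerated."""
    radius = defaultdict(list)
    for service, pw in vault.items():
        fp = fingerprint(pw)
        if fp in leaked:
            radius[fp].append(service)
    return {fp: sorted(s) for fp, s in radius.items()}


def audit(vault, leaked):
    """Summarise reuse and exposure; services listed here need new,
    unique passwords (and two-factor authentication where offered)."""
    clusters = reuse_clusters(vault)
    radius = blast_radius(vault, leaked)
    return {
        "reused_services": sorted(s for c in clusters.values() for s in c),
        "exposed_services": sorted(s for c in radius.values() for s in c),
        # Largest number of accounts a single leaked password unlocks.
        "worst_single_leak": max((len(c) for c in radius.values()), default=0),
    }


if __name__ == "__main__":
    for key, value in audit(VAULT, LEAKED_FINGERPRINTS).items():
        print(f"{key}: {value}")
```

Run as-is, the audit reports that one leaked password exposes four of Mark's six accounts (mail, Facebook, Amazon, Steam), while the bank account, the only one with a unique password, stays outside the blast radius. A real password manager performs the same comparison against published breach lists; the point of the exercise is that the "worst single leak" number should always be 1.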