Why You Should Always Use Different Passphrases
Although inconvenient, you should never use the same passphrase for different accounts, no matter how unimportant you may think any single account is. Use a unique passphrase for each and every one of your accounts. Otherwise, the security of all your accounts is only as good as your weakest passphrase.
Top Tip – We’ll say it again, don’t repeat passphrases. Use a different passphrase for each and every account you have.
Formulas and Patterns are Bad Too
Similar advice: do not use a formula or pattern for generating passphrases. If an attacker discovers that you always use the same formula or pattern to generate otherwise “unique” passphrases, he or she will soon be using it to breach your accounts.
An example of such a pattern or formula would be using the first and second letters of a website's name (with the second capitalized) and then adding 231456 to the end. Using this formula for the website www.example.com would make your password eX231456. While this password might look strong, once the pattern or formula is discovered it becomes useless and leads only to more account breaches.
Hackers exploit the fact that many people repeat the same passphrase or only alter it slightly each time. Professional snoops are also trained to crack the easy passwords first, because many people use the same or similar passphrases for all of their accounts. In addition, your employer or colleagues may have access to some of your passphrases at work; if you use the same passphrase (or pattern) for your personal accounts, you will be exposing those accounts too.
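The two problems described above (reusing one passphrase, and deriving "unique" passphrases from a site-name formula) can both be caught by auditing your own credential list. The following is an added example, not code from the original article; it runs over a constructed sample vault and flags exact reuse, near-duplicates that differ only slightly, and the eX231456-style site-prefix formula. Exporting from a real password manager and reading it here is assumed to be done by you, offline.

```python
"""Audit a personal credential list for reused and formulaic passphrases.
Added example; the vault below is constructed and contains no real credentials."""
from collections import defaultdict
from difflib import SequenceMatcher

# Constructed sample vault: (site, passphrase) pairs for one user.
SAMPLE_VAULT = [
    ("www.example.com", "eX231456"),                # formula: site prefix + fixed suffix
    ("mail.example.net", "mA231456"),               # same formula
    ("shop.test", "sH231456"),                      # same formula
    ("bank.test", "correct horse battery staple"),  # reused verbatim below
    ("forum.test", "correct horse battery staple"),
    ("blog.test", "correct horse battery staple1"), # "altered slightly"
    ("wiki.test", "x7#Qp!v2LmZ9rT"),                # unique, unrelated to site
]

def find_exact_reuse(vault):
    """Return {passphrase: [sites]} for every passphrase used on more than one site."""
    by_pass = defaultdict(list)
    for site, pw in vault:
        by_pass[pw].append(site)
    return {pw: sites for pw, sites in by_pass.items() if len(sites) > 1}

def find_near_reuse(vault, threshold=0.85):
    """Return (site, site) pairs whose passphrases differ only slightly.
    SequenceMatcher.ratio() is 1.0 for identical strings; 0.85 catches a
    one-character tweak on a long passphrase without flagging unrelated ones."""
    hits = []
    for i, (s1, p1) in enumerate(vault):
        for s2, p2 in vault[i + 1:]:
            if p1 != p2 and SequenceMatcher(None, p1, p2).ratio() >= threshold:
                hits.append((s1, s2))
    return hits

def site_label(site):
    """'www.example.com' -> 'example', 'mail.example.net' -> 'mail' (assumed rule)."""
    labels = site.lower().split(".")
    return labels[1] if labels[0] == "www" and len(labels) > 1 else labels[0]

def find_site_formula(vault, prefix_len=2):
    """Flag passphrases built as the site name's first letters plus a suffix
    that is shared with other accounts, i.e. the article's eX231456 pattern.
    Returns {shared_suffix: [sites]} for suffixes seen on more than one site."""
    by_suffix = defaultdict(list)
    for site, pw in vault:
        if pw[:prefix_len].lower() == site_label(site)[:prefix_len]:
            by_suffix[pw[prefix_len:]].append(site)
    return {sfx: sites for sfx, sites in by_suffix.items() if len(sites) > 1}

if __name__ == "__main__":
    print("exact reuse:", find_exact_reuse(SAMPLE_VAULT))
    print("near reuse:", find_near_reuse(SAMPLE_VAULT))
    print("site formula:", find_site_formula(SAMPLE_VAULT))
```

Any non-empty result means the weakest of those accounts sets the security of all the others, which is the point of the advice above.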
The Domino Effect of a Single Bad Passphrase
Such knock-on security risks can also arise when a hacker gains access to a non-sensitive account and then uses the information he or she finds to correctly guess or crack your more sensitive accounts. As already mentioned, once a single one of your accounts is compromised, the hacker may be able to find confirmation emails or other details helping them breach other accounts. For example, if a hacker has obtained access to one of your accounts, he or she may be able to obtain your passphrases for other accounts linked to it by carrying out forgotten password resets.
Even if the breached account doesn't contain password confirmation messages for other accounts, it may still contain plenty of personal information enabling the attacker to answer ‘Forgot your password?’ security questions or to gain access in a number of other ways.
In cases where the password reset is protected by additional security questions, the hacker could try answering them using little more information than your birthdate, your mother’s maiden name or the name of your pet. Perhaps the hacker has gleaned this information from the initially hacked account or even posts you or a friend made to social media.
And of course, the first thing a hacker will do after compromising your account is change the password, locking you out. And it is no easy task to reclaim an account once it has been hijacked.
It is because a single account breach can quickly lead to others that you need to follow and take seriously our passphrase guidance here. Despite all the sophisticated hacking methods available, the simple breaching of weak passwords remains by far the biggest threat to your security. Just ask the celebrities victimized by the Fappening. The good news is that this risk is easily addressed.