
You Have Exactly Three Passwords, Don't You?

Jill Duffy, Contributor


You have exactly three passwords, don't you? The first is one you use for all the logins that you don't think house anything worth stealing. You use it when you are signing up for a Web site that you might not visit ever again. It's the default password you deploy when you're required to "create a free account" to read an online newspaper or RSVP to an e-invitation.

The second one is medium security. It's probably fewer than eight characters long. It might be alpha-only or alpha-numeric, but does not contain special characters. You probably use this same password for both email and Facebook. And it's possible you don't have a medium security password at all, so let's skip to the third.

The third password is what you use for your bank accounts—all of them. Or worse, you have one password that you use for everything.

Password Reuse is Rampant
Too many of us reuse passwords, and the recent Sony hacks should serve as a call to action to change not only the passwords themselves, but the methods we use to create and remember them.

Software architect and Microsoft MVP Troy Hunt performed an independent data analysis of the leaked passwords from the Sony hacks and compared it with another data set that was made available after Gawker's commenting database was hacked in December 2010.

One of the most shocking things he found (although it's not shocking if you are a password reuser yourself) is that 88 people had both a Gawker and Sony account with the same email address, and 67 percent of them used the same password. It's a small sample size, but an interesting figure nonetheless. And a Security Week study last year reported that 75 percent of people use the same password for Facebook and an email account.

What's more, when Hunt looked through the Sony files, he found that among users who had two Sony accounts (e.g., Sony PlayStation and SonyPictures) with the same email address, 92 percent used the same password for both.

People Think Alike
I'm painfully guilty of password reuse, although I made a New Year's resolution to try and fix it after my Hotmail account (which I consider not highly important) got hacked late last year. Luckily, that email account didn't have many actual contacts or private information, as I use it for newsletters and miscellaneous sign-ups, but it was still an eye-opening moment. The problem was that I used the same three-password system described above, and someone, somewhere, got a hold of one of my other username and password combos, probably with a hotmail.com email address attached to it, too. It wouldn't have been hard to guess (or try) logging into Hotmail with the same credentials.

Imagine my surprise when I read the same three-password method outlined in a comment to Hunt's blog post. Way too many of us are guilty of using the same system. People think alike and come up with similar plans. It's not just me.

What people don't seem to realize is just how many Web sites and services have your password. Case in point: Another bit of shocking news from the Sony hack was that Sony stored passwords in text files! If a major international corporation doesn't take any precautions to encrypt the passwords, what can we reasonably expect other sites and services to be doing?

Reality of Passwords
The reality is that most people have created dozens if not hundreds of usernames and passwords throughout their digital lifetimes. Is it reasonable to be expected to have a unique password for every single thing? And do I really care if someone hacks my long-abandoned Plurk account? There are conditions under which I'll accept that risk for the sake of being able to remember certain passwords quickly.

Security gurus tout the relevance of password managers, which generate unique passwords for you and store them under one password-protected program, but even they can be cumbersome. LastPass 1.72 Premium is PCMag's Editors' Choice for password managers. It keeps your encrypted password collection online and works across Windows, Mac, and Linux machines.

But how many people, really, will use a password manager? I think it's more likely that a better way of protecting personal data will come along well before password managers become widely adopted. There has got to be a simpler way. Until then, we'll have to invent our own systems for developing passwords that are unique but memorable. I've heard the advice to come up with a complicated base password (say, X*8ippo) and add to it some combination of letters taken from the URL of each site where you're logging in. Given this example, we might have passwords like ueX*8ippoJE for JetBlue and ixX*8ippoNE for Netflix, and so on. It's still crackable, but it's not an open door.
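The following is an added example, not part of the original article: a password-audit check that flags accounts whose passwords are identical or share a long common core, run on the article's two sample passwords. The `derive` rule is inferred from those two samples; the other passwords, the site keys, and the five-character threshold are constructed assumptions.

```python
from difflib import SequenceMatcher


def derive(base, site):
    """Rule inferred from the article's two samples (an assumption):
    last two letters of the site name in lowercase, then the base,
    then the first two letters in uppercase."""
    name = site.lower()
    return name[-2:] + base + name[:2].upper()


def shared_core(a, b):
    """Longest substring that appears in both passwords."""
    matcher = SequenceMatcher(None, a, b, autojunk=False)
    m = matcher.find_longest_match(0, len(a), 0, len(b))
    return a[m.a:m.a + m.size]


def audit(passwords, min_core=5):
    """Compare every pair of accounts. Report exact reuse and passwords
    that share a core of at least min_core characters, which a plain
    equality check would miss."""
    findings = []
    sites = sorted(passwords)
    for i, first in enumerate(sites):
        for second in sites[i + 1:]:
            core = shared_core(passwords[first], passwords[second])
            if len(core) < min_core:
                continue
            same = passwords[first] == passwords[second]
            kind = "identical" if same else "shared-base"
            findings.append((first, second, kind, core))
    return findings


# Constructed sample vault. Only the JetBlue and Netflix values come
# from the article; the rest are made up for the demonstration.
SAMPLE = {
    "jetblue": derive("X*8ippo", "JetBlue"),  # ueX*8ippoJE
    "netflix": derive("X*8ippo", "Netflix"),  # ixX*8ippoNE
    "forum": "hunter2hunter2",
    "news": "hunter2hunter2",
    "bank": "t7#Qm2vLp9z",
}

if __name__ == "__main__":
    for first, second, kind, core in audit(SAMPLE):
        print(f"{first} / {second}: {kind}, common core {core!r}")
```

The JetBlue and Netflix passwords are reported as a shared-base pair because the base survives intact inside both, which is why the scheme is only a partial improvement over outright reuse.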

Either give in and get a password manager (did I mention LastPass is free?) or come up with a new password system that meets other suggested requirements and change all your logins every six months at least.

For more, see Your Worst Passwords, Ever, PCMag's Six Great Password Managers, and How to Create Strong Passwords.
