I’ve seen a few posts on online forums (fora!) asking about the need for strong passwords on every site. To be clear, these posts aren’t from security folks and online administrators promoting the need for strong passwords; they’re from people asking why they even need a strong password on sites that “aren’t important.”


When you think about it, it’s like your doctor putting you on a life-or-death diet, but at every meal you say to yourself, “Am I really going off my diet if I have just one piece of cake?”

Yes, that would be going off your diet and might put your blood sugar level through the roof! And, having even a few weak passwords is just as unhealthy and potentially dangerous to the health of your security.

It’s baffling how anyone who has paid any attention to the hacks and breaches and instances of identity theft can still think about taking shortcuts with their security.

The problem when assigning value to anything is that value is subjective. Value is in the eye of the beholder. What’s valuable to me may not be valuable to you. An online account that isn’t valuable to you may be valuable to a hacker – even if the information he or she gleans from the account is incomplete.

Identity theft is about putting together enough pieces of your ‘life’ to pass oneself off as you.

So, while we are thinking about the value of a piece of information on a supposedly unimportant website (for example, the books you took out of the library, or maybe an old address, or even what college you went to), the bad guys are thinking about completing the puzzle of our entire identities (where we live, our financial records, medical records, credit info, education, children and family members, and on and on) from all the pieces they collect.

And they are very good at what they do!

Here’s a hacker who calls himself “Nixxer” demonstrating how seemingly unconnected bits of a person’s info can be manipulated into a tidy case of identity theft. He makes it look like stealing your identity is easier than putting together a 1,000-piece puzzle.

To switch clichés: your security is like a chain. Even one or a few weak links make for a weak chain. Encouraging people to make a subjective decision like

[ ] this site deserves a strong password

[ ] this site doesn’t deserve a strong password

in the rush of creating a password is not a good idea. It undermines security, and leads to bad decisions and bad practices:

  • using bad passwords (you may even have good intentions about coming back and changing the password to a better one ‘when you have more time’)
  • password reuse on multiple sites (trying to use the good ol’ standbys is a big attack vector for hackers, and is the method that recently very publicly failed even Mark Zuckerberg)
  • accidentally or mistakenly using a bad password on a site that really does require a strong password (we all make mistakes in the heat of the moment)

When you get down to it, you’re either practicing security or you’re not. So cut out the shortcuts and stop trying to justify bad passwords on unimportant sites. Use a password manager (we recommend Sticky Password) to protect all of your accounts with strong passwords.

No matter how you phrase the question, each and every site should have its own strong password.

Why do I need a strong password for sites like this?

Does every site really deserve a strong password?

Is every account worth a strong password?

Is it worth it to have a strong password for every site?