It’s still better than the same password for every service, of course. But there’s a catch.
Shifting Trust
Here’s what most websites look like for their users.
+------------+     +
| facebook   |     |
+------------+     |     +-----------------------------+
+------------+     |     |                             |
| twitter    |     +-----------> gmail / hotmail / ... |
+------------+     |     |                             |
+------------+     |     +-----------------------------+
| instagram  |     |
+------------+     +

For nearly every service you sign up to, you use the same e-mail account, because it’s impractical to have a different account for each service.
So you’re shifting the Single Point of Failure. It’s no longer the same password you use on every website, it’s the same e-mail address you use for every website. Password reset mails are all sent to that account.
Sure, a Gmail or Hotmail account is a lot safer if you enable 2-factor authentication. It’s especially safer than the next hot startup that manages its own user accounts.
By all means, keep using random passwords for every service you sign up to. But be aware of the implications of using your same e-mail account on every service. Do whatever is possible to protect your e-mail account, as it’s a goldmine.
Trusting The Untrustables
In the last few years, however, another shift has emerged. One with the exact same consequences as the one shown above, possibly even more dangerous ones.

+------------+     +
| spotify    |     |
+------------+     |     +-----------------------------+
+------------+     |     |                             |
| meetup.com |     +---------> facebook / twitter auth |
+------------+     |     |                             |
+------------+     |     +-----------------------------+
| ...        |     |
+------------+     +

More and more services are offering signups through OAuth, placing the trust of account management and security into the hands of others. Mostly Facebook and Twitter, with GitHub on the rise in the coding and open source community.
No more random passwords for each service. That’s a good thing, right?
Now you’re placing all your trust into a master password set in your Facebook or Twitter account. If that account is compromised, everything is compromised.
The Future
There’s no good solution for this problem. If you’re paranoid, make a new email account for every service. Give that new email account a random password. Save it in your memory/brain. Don’t trust Password Managers. Don’t trust post-its. Don’t trust social media oAuth logins.
It’s absolutely impractical. There is no proper solution. There’s only the least bad one, which is probably to still use a random password for each service.
Oh well.