The Irony of Random Passwords For Each Service



Mattias Geniar, April 05, 2015


It’s still better than the same password for every service, of course. But there’s a catch.

Shifting Trust

Here’s what most websites look like for their users.

+------------+ +                                          
|  facebook  | |                                          
+------------+ |           +-----------------------------+
+------------+ |           |                             |
|  twitter   | +----------->     gmail / hotmail / ...   |
+------------+ |           |                             |
+------------+ |           +-----------------------------+
|  instagram | |                                          
+------------+ +                                          

Nearly every service you sign up to gets the same e-mail address, because it’s impractical to have a different e-mail account for each service.

So you’re shifting the Single Point of Failure. It’s no longer the same password you use on every website, it’s the same e-mail address you use for every website. Password reset mails are all sent to that account.

Sure, a Gmail or Hotmail account is a lot safer if you enable 2-factor authentication. It’s certainly safer than the account database of the next hot startup you sign up to.

By all means, keep using random passwords for every service you sign up to. But be aware of the implications of using your same e-mail account on every service. Do whatever is possible to protect your e-mail account, as it’s a goldmine.

Trusting The Untrustables

In the last few years, however, another shift has emerged. One with the exact same consequences as the one shown above, possibly even more dangerous ones.

+------------+ +                                          
|  spotify   | |                                          
+------------+ |           +-----------------------------+
+------------+ |           |                             |
| meetup.com | | +--------->   facebook / twitter auth   |
+------------+ |           |                             |
+------------+ |           +-----------------------------+
|  ...       | |                                          
+------------+ +                                          

More and more services offer signups through OAuth, placing the trust of account management and security in the hands of others: mostly Facebook and Twitter, with GitHub on the rise in the coding and open source community.

No more random passwords for each service. That’s a good thing, right?

Now you’re placing all your trust into a master password set in your Facebook or Twitter account. If that account is compromised, everything is compromised.
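As an added example (not part of the original post), the following Python script makes the two diagrams above concrete. Given an inventory of accounts recording how each one is signed in and where its password-reset mail goes, it computes which trust anchors (a mailbox, or a social login that is itself reset through a mailbox) each account ultimately depends on, and how many accounts fall with each anchor. The inventory, service names and field names are constructed for illustration; the `hot-startup` entry is a placeholder.

```python
"""Blast-radius audit of an account inventory.

Added example, not code from the post. The inventory is constructed sample
data; every service name and address below is a placeholder.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Account:
    service: str
    login: str                       # "password" or "oauth:<provider service>"
    recovery_email: Optional[str]    # mailbox that receives reset links, if any
    mfa: bool = False                # whether this account itself has 2FA


# Constructed sample inventory for a hypothetical user.
INVENTORY = [
    Account("facebook", "password", "me@example.com", mfa=True),
    Account("twitter", "password", "me@example.com"),
    Account("instagram", "password", "me@example.com"),
    Account("spotify", "oauth:facebook", None),
    Account("meetup.com", "oauth:facebook", None),
    Account("hot-startup", "oauth:twitter", None),
    Account("github", "password", "me@example.com", mfa=True),
    Account("bank", "password", "bank-only@example.com", mfa=True),
]


def trust_anchors(inventory):
    """Map each trust anchor to the set of services that depend on it.

    A mailbox is an anchor for every account that sends reset links to it.
    An OAuth provider is an anchor for every account that logs in through it,
    and the provider's own reset mailbox transitively reaches those accounts.
    """
    deps = defaultdict(set)
    by_service = {a.service: a for a in inventory}
    for a in inventory:
        # Whoever controls the reset mailbox can take over the account.
        if a.recovery_email:
            deps["mailbox:" + a.recovery_email].add(a.service)
        if a.login.startswith("oauth:"):
            provider = a.login.split(":", 1)[1]
            deps["oauth:" + provider].add(a.service)
            # The provider account is reset through its own mailbox, so that
            # mailbox also reaches every account delegated to the provider.
            p = by_service.get(provider)
            if p is not None and p.recovery_email:
                deps["mailbox:" + p.recovery_email].add(a.service)
    return dict(deps)


def blast_radius(inventory, anchor):
    """Sorted list of services lost if the given anchor is compromised."""
    return sorted(trust_anchors(inventory).get(anchor, set()))


def single_points_of_failure(inventory, threshold=2):
    """Anchors whose compromise takes down at least `threshold` services,
    largest blast radius first."""
    anchors = trust_anchors(inventory)
    ranked = sorted(anchors.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(name, sorted(s)) for name, s in ranked if len(s) >= threshold]


def unprotected_anchors(inventory):
    """OAuth providers in the inventory that other accounts delegate to
    while the provider account itself has no 2FA enabled."""
    by_service = {a.service: a for a in inventory}
    out = []
    for name in trust_anchors(inventory):
        kind, _, ident = name.partition(":")
        if kind == "oauth" and ident in by_service and not by_service[ident].mfa:
            out.append(name)
    return sorted(out)


if __name__ == "__main__":
    for anchor, services in single_points_of_failure(INVENTORY):
        print(f"{anchor}: {len(services)} accounts -> {', '.join(services)}")
    print("delegated to without 2FA:", unprotected_anchors(INVENTORY))
```

With the sample inventory the single mailbox reaches every account except the bank, including the OAuth-only ones that never had a password of their own, which is the point of both diagrams. The second check flags a social login that other services trust while that account itself lacks 2FA; the corrective action is to protect the anchor, not to invent more passwords.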

The Future

There’s no good solution for this problem. If you’re paranoid, make a new e-mail account for every service. Give that new e-mail account a random password. Save it in your memory/brain. Don’t trust Password Managers. Don’t trust post-its. Don’t trust social media OAuth logins.

It’s absolutely impractical. There is no proper solution. There’s only the least bad one, which is probably to still use a random password for each service.

Oh well.
