The Risks of Using One Password for Everything

[Oct. 10, 2018] While most of us wouldn't dare assume the risk of carrying around a single master key that would grant the holder instant access to our home, office, car, cottage, boat, community mail box, etc., many of us don't think twice about utilizing the same password to access online services such as email, shopping, banking, social media, and more. A 2006 Microsoft Research study of half a million computer users monitored over a three-month period found that each user had, on average, 25 accounts, but only 6.5 passwords.

Easy for You, Easy for Hackers

While using a single password across multiple sites is convenient and saves you the hassle of remembering dozens of passwords, it also makes it easy for any hacker who gets hold of your credentials to access your data, bank accounts and other sensitive information.

In 2016 alone, more than 500 million passwords were leaked in the LinkedIn, Twitter and Myspace hacks—oh, and not to mention those 3 billion Yahoo accounts that were compromised. Once a hacker has a password for one of your accounts, it is easy for them to try using it on any number of online services. Chances are high that they'll come across one that you use.

A Practical, Distributed Approach

Ideally, you would use a unique username and password for every website and online service you use. However, if you insist on reusing passwords, consider using a practical, distributed approach.

Convenience and Security: Password Management Tools

Utilizing a password management app will give you the best of both worlds: convenience and security. Password management apps let you set unique passwords for all of your website logins and online services. These apps keep track of all your passwords and keep them safe and secure behind a single master password known only by you. There are several products to choose from, including LastPass, 1Password, iCloud Keychain, Dashlane and KeePass, to name a few*.

* The links provided above do not constitute endorsements of any of the products listed and are provided for informational purposes only.

Have Your Credentials Been Compromised?

The website "have i been pwned?" is a free resource for anyone to quickly and easily find out if an online account of theirs has been compromised or "pwned" in a data breach. If your email address has been compromised in a data breach, it’s a smart move to change your login password for your email address, for any service that was affected by the breach, and for any account where you've reused the compromised password or a similar password. When changing your password, be sure to select a password that is very different from the one that was compromised.
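The review described above, as an added example that is not part of the original article: a short Python script that takes a constructed password inventory and lists every account that needs a new password after one service is breached, including accounts whose password is only a trivial variant of the leaked one. The function names, the substitution table and the 0.8 similarity threshold are assumptions chosen for illustration.

```python
import re
from difflib import SequenceMatcher

# Undo common character substitutions before comparing (assumed, not exhaustive).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

def skeleton(password):
    """Reduce a password to its base word: lowercase, drop leading/trailing
    digits and symbols, undo substitutions, then drop remaining non-letters."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    return re.sub(r"[^a-z]", "", core.translate(LEET))

def similar(a, b, threshold=0.8):
    """True when two passwords are identical or trivial variants of each other."""
    if a == b:
        return True
    sa, sb = skeleton(a), skeleton(b)
    if not sa or not sb:  # no letters left to compare (e.g. all digits)
        return False
    return SequenceMatcher(None, sa, sb).ratio() >= threshold

def accounts_to_change(vault, breached_service, email_service):
    """Map service name -> reason its password should be changed."""
    leaked = vault[breached_service]
    reasons = {email_service: "email account for the breached address",
               breached_service: "affected by the breach"}
    for service, password in vault.items():
        if service in reasons:
            continue
        if password == leaked:
            reasons[service] = "reuses the compromised password"
        elif similar(password, leaked):
            reasons[service] = "similar to the compromised password"
    return reasons

# Constructed sample inventory (service -> password); not real credentials.
VAULT = {
    "email": "Harbour-Kettle-93",
    "forum": "Maple!Leaf2016",
    "shopping": "Maple!Leaf2016",
    "bank": "M4pl3L34f!",
    "social": "mapleleaf2017",
    "streaming": "v9#Qr7t!LmX2pd",
}

if __name__ == "__main__":
    for service, reason in accounts_to_change(VAULT, "forum", "email").items():
        print(f"{service}: {reason}")
```

The same `similar()` check can be run on a candidate replacement password against the compromised one to confirm the new password is very different.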

Sheridan Data/Systems Put at Risk Due to an Account Breach

If you find that an account you use has been compromised, and you use those same credentials to access any of Sheridan's corporate systems (e.g. email, PeopleSoft systems, shared drives, Access Sheridan, etc.) or even a departmental system that is not tied to your main Sheridan account, you must report a privacy breach via the Office of General Counsel.

Using Your Sheridan Email Address on External Websites/Services

Using Your Email Address as a Log-in Name

You should exercise caution when using your Sheridan email address as a log-in username on external systems. It is an easy cue that shows hackers you have a direct affiliation with Sheridan, and it gives them an opportunity to target our systems using your credentials should they become compromised. Only use your Sheridan email address for accounts associated with your work at Sheridan.

Using Your Email Address for Account Management Purposes

Some websites/systems ask that you provide an alternate email address that can be used to restore passwords and/or verify account information. If you are providing your Sheridan email address in these situations, the information above also holds true. Again, provide your Sheridan email address only for accounts associated with your work at Sheridan.

Added Password Security: Two-Factor Authentication

Two-factor authentication provides more robust security than a simple username and password and is becoming more popular. It is a method of confirming a user's identity after they have successfully presented two or more authentication factors. These factors usually consist of:

Two-factor means the system is using two of these options. For example, after entering your password into a website, an additional authentication factor can be sent to you in the form of a code sent to your phone via text message. If any of the services you use offer two-factor authentication, it's a good idea to take advantage of this added security.

You can learn more by reading the PC Magazine article, Two-Factor Authentication: Who Has It and How to Set It Up.

Questions or Concerns?

If you have questions or concerns regarding the reuse of passwords or password security in general, send email to itsecurity@sheridancollege.ca.