When you sign up for a new online service and need to pick a password, who do you think can see your password? Ideally, the answer is “just you”, but it is wrong to assume this. I’ve seen many instances of passwords stored in clear text for the people providing the service to see! Here are two examples:

  1. In 2011, I was using RCN for cable at home. I couldn’t remember what my password was, so I called customer service to reset. I was expecting them to just verify my identity and send me a link to securely reset my password. Instead, after verifying my identity, the tier 1 support agent read me the password that I picked. Meaning, he could see my password.

  2. Just last week, I was helping someone with their Bluehost website. We had a question for them, so I started a chat session. The support rep asked me to verify part of the password in order to proceed!

Screenshot of chat with Bluehost

Both these examples teach an important lesson:

If you set a password with an online service, you should assume the service provider and any of its employees can see the password.

Of course this isn’t always true, but you have to assume it. The consequence follows directly: do not use the same password on multiple sites. Why? Because if you do, then the employees at company X now know your password for company Y.

Consider my examples above. If my RCN and Bluehost passwords were the same, that means the RCN tech could log into my Bluehost account, and my Bluehost tech could log in to my RCN account (obviously they both know my email address). What if I used the same password on my Amazon account? I trust Amazon to take security seriously enough to NOT let its employees see my password, but the RCN and Bluehost techs now have it. What about the login to my bank account? Does THAT have the same password?

Okay, so maybe we can trust those two RCN and Bluehost techs… But what if they get phished? What if the employee gets fired? What if they’re just bad guys? What if they can work remotely and their roommates are bad guys? There’s a lot of potential for “leakage” here. So this is why you should not use the same password on multiple sites: if your RCN password gets compromised, at least it’s JUST that account, and not everything.

So, what should you do right now?

  • Unique passwords for each account: each account you have should have a completely different password.
  • Use a password generator to generate those completely different passwords. Here’s one you can use, or you could use the password generator that’s built into your password manager (if you don’t have a password manager, go do that now!)
  • Put 2FA on everything possible.
  • Change your passwords now.
  • If you find out that a company can view its customers’ passwords, publicly shame them on Twitter ;).
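To make the two sides of this concrete, here is an added example (not code from the original post, and not from RCN or Bluehost) showing why a support rep could read the password in the stories above, what the service should have stored instead, and a generator for the unique passwords the list recommends. The in-memory stores, usernames and the PBKDF2 work factor are constructed for the demo; a real service would use a database and a current work-factor recommendation.

```python
"""Cleartext vs. hashed password storage, plus a generator for unique passwords."""
import hashlib
import hmac
import os
import secrets
import string
from typing import Dict, Optional, Tuple

# Assumption: a modest PBKDF2 work factor chosen so the demo runs quickly.
PBKDF2_ITERATIONS = 200_000

# Constructed in-memory stores standing in for a service's user database.
_cleartext_store: Dict[str, str] = {}
_hashed_store: Dict[str, Tuple[bytes, bytes]] = {}


def store_cleartext(username: str, password: str) -> None:
    """The weak pattern from the post: the password is kept exactly as typed,
    so anyone who can query the store (a support rep, a DBA, whoever gets a
    copy of the database) can read it back."""
    _cleartext_store[username] = password


def support_view_cleartext(username: str) -> Optional[str]:
    """What a support tool backed by the cleartext store shows the agent."""
    return _cleartext_store.get(username)


def _derive(password: str, salt: bytes) -> bytes:
    """Slow, salted key derivation; the only thing ever written to the store."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def store_hashed(username: str, password: str) -> None:
    """The corrected pattern: a random per-user salt and a slow hash are stored;
    the password itself never touches the database."""
    salt = os.urandom(16)
    _hashed_store[username] = (salt, _derive(password, salt))


def verify_hashed(username: str, password: str) -> bool:
    """Check a login attempt against the stored hash, in constant time."""
    rec = _hashed_store.get(username)
    if rec is None:
        return False
    salt, stored = rec
    return hmac.compare_digest(_derive(password, salt), stored)


def support_view_hashed(username: str) -> Optional[str]:
    """What the same support tool shows when the store holds hashes: the salt
    and digest only. An agent can confirm a password the customer types (via
    verify_hashed) but has nothing to read aloud over the phone."""
    rec = _hashed_store.get(username)
    if rec is None:
        return None
    salt, digest = rec
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def generate_password(length: int = 20) -> str:
    """A unique, random password per account, using the OS CSPRNG via `secrets`."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample: the same user and password stored both ways.
    store_cleartext("alice", "hunter2")
    store_hashed("alice", "hunter2")
    print("cleartext store shows support:", support_view_cleartext("alice"))
    print("hashed store shows support:   ", support_view_hashed("alice"))
    print("login with right password:    ", verify_hashed("alice", "hunter2"))
    print("login with wrong password:    ", verify_hashed("alice", "Hunter2"))
    print("fresh password for a new site:", generate_password())
```

Two details worth noticing: because each user gets a fresh salt, two customers who picked the same password end up with different stored digests, so a leaked dump does not reveal shared passwords either; and the hashed record can be shown to a support agent without giving them anything to read back, which is exactly what the cleartext record fails at.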