LinuxQuestions.org
Linux - Newbie This Linux forum is for members that are new to Linux.
Old 06-11-2013, 05:08 AM   #1
GinaC
LQ Newbie
 
Registered: Jun 2013
Posts: 1

Rep: Reputation: Disabled
Compromised?


Hi

The Webmaster on my company website is trying to tell me (and my bosses) that I have compromised the site by using the same email password on the company site as I do on others, i.e. my bank etc. I know I should have different ones but I can't remember them all!
Is it right that I have compromised the company website? How did the website know it was the same password? And wouldn't it compromise MY accounts more than the company one, as we all know that hackers know we use the same password and therefore would use it to scam banks etc. to find me?
I do appreciate any answers.

Gina
 
Old 06-11-2013, 07:05 AM   #2
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.2
Posts: 18,349

Rep: Reputation: 2750
1. Do use different passwords for important sites, including work (!)
You may want to investigate a password safe like keepassx; just use a really good master passwd to get in.

2. Ask how webmaster knows; it doesn't make sense unless he/she knows more than they should about your passwds.
Maybe you mentioned it???
 
Old 06-11-2013, 07:14 AM   #3
thedaver
Member
 
Registered: Jan 2010
Posts: 65

Rep: Reputation: 21
Your employer is generally entitled to obtain passwords (through direct or indirect means) for their systems. It is foolish for you to utilize passwords between your personal and professional accounts - even if never hacked, the employer can/will know a password that can personally affect you.

"I know I should have different ones but I can't remember them all!"

You admit that you are too lazy to make the effort to protect yourself. Accept the consequences of that lack of effort.
 
Old 06-11-2013, 08:29 AM   #4
rtmistler
Moderator
 
Registered: Mar 2011
Location: USA
Distribution: MINT Debian, Angstrom, SUSE, Ubuntu, Debian
Posts: 9,879
Blog Entries: 13

Rep: Reputation: 4930
@GinaC, One strategy is to pick a few different passwords which satisfy the common rules of
  • 8 characters minimum
  • At least one capital letter
  • At least one number
and then vary which letter you replace with a number or which letter you capitalize, or rotate the word around as you change passwords.

Example only!

Chosen word: woodwork
As passwords: w8odWork, w11dWORK,
Rotating: 8odWorkw, 11dWORKw, odWordw8, 1dWORKw1

And then choose more than one key word to use for passwords, say 3 or so of them so that you can have "work" and "personal" password options, but generally remember them. Or at least be able to get them eventually.
 
Old 06-11-2013, 09:08 AM   #5
Z038
Member
 
Registered: Jan 2006
Location: Dallas
Distribution: Slackware
Posts: 910

Rep: Reputation: 174
It's best to have really strong passwords and never use them for more than one account or site. And the only way to do that, IMO, is to use truly random passwords and a password manager to keep track of them.

A password manager like Keepassx that chrism01 mentioned can generate random passwords for you. Its password generation tool allows you to specify custom parameters to match it to the password policy of any particular site (e.g., maximum number of characters, the set of allowed characters and required characters). You won't be able to memorize the generated passwords, most likely, but you really don't need to. You only need to remember your master password for Keepassx. There are other similar password managers too, like Lastpass.

If you can't remember your passwords (best case, your single password manager master password), there's nothing wrong with writing them down and keeping them in a safe place until you do remember them, like in your wallet or your purse. Treat them like you would your credit cards, driver's license, and important personal and financial data.

These articles are worth reading, especially if you think that simple passwords you make up, or passwords based on patterns and common words, are adequate to protect your passwords from cracking.

  • Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331”
  • The secret to online safety: Lies, random characters, and a password manager

Last edited by Z038; 06-11-2013 at 09:10 AM.
 
Old 06-11-2013, 10:22 AM   #6
Madhu Desai
Member
 
Registered: Mar 2013
Distribution: Rocky, Fedora, Ubuntu
Posts: 541

Rep: Reputation: 153
@GinaC

I think your webmaster is right. You have compromised the security of the company website. Why would the webmaster be concerned about the safety of your bank account? He is appointed to take care of the company website, not your personal accounts. You are the one using the same password that is used for the website. What if your bank account password is compromised, and the hacker also damages the company website? What are you gonna argue with the company, that you are the one at a loss here?

You know, being in the IT field, sooner or later you HAVE to figure out a password strategy for maintaining multiple passwords for different websites/accounts. The sooner you do that, the better off you will be.

The pain of remembering multiple passwords is something everybody comes across, so there are some good strategies. One is suggested by 'rtmistler'. Just google “password management strategy”. You will get tons of answers.

I suggest you keep every password different.

Cheers!!!

Last edited by Madhu Desai; 06-11-2013 at 10:35 AM.
 
Old 06-11-2013, 04:37 PM   #7
annonyxxxx
Member
 
Registered: May 2013
Posts: 31

Rep: Reputation: 9
@ GinaC

I'll suggest changing passwords ASAP including your bank account.

I keep a list of my passwords on an encrypted usb stick. All you need to remember is one password.

Having strong passwords and a system to manage them is important ESPECIALLY if you're in the IT industry. Employers pay good money and put their trust in your knowledge.

Last edited by annonyxxxx; 06-11-2013 at 04:45 PM.
 
Old 06-11-2013, 05:40 PM   #8
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,334

Rep: Reputation: Disabled
Quote (Originally Posted by GinaC):
Is it right that I have compromised the company website? How did the website know it was the same password? And, wouldn't it compromise MY accounts more than the company one as we all know that hackers know we use the same password and therefore would use it to scam banks etc to find me?
Think of it this way: Whenever you create an account on a web site, you're giving them your username and password. Which is no big deal if that particular username/password combination is only used on that particular website, but otherwise... well, this XKCD comic explains it well.
Quote (Originally Posted by GinaC):
I know I should have different ones but I can't remember them all!
No, you can't, and I disagree with those suggesting that you're lazy for pointing out a very obvious problem of conflicting goals:
  • We should all use different passwords for every service we use,
  • we should use strong non-guessable passwords and change them regularly,
  • we should never re-use old passwords,
  • we should never write them down anywhere,
  • and we should never forget them.
If the number of accounts is less than 10, then sure, it might be doable. But that's just not the case for most people; 20+ different accounts are the norm rather than the exception.

But a solution exists: Use long sentences or nonsensical (preferably funny) combinations of regular words (XKCD to the rescue again), and you've created an unguessable, easy-to-remember password you'll never have to change.

PS: You definitely should ask your webmaster how he was able to figure out your password. He may have used a dictionary attack, or a brute force attack if your password was really short. In that case he should also have told you to use a stronger password.

Or he may actually be storing passwords in plain text, in which case he should be given a severe reprimand.
 
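As an added illustration of the two approaches recommended in this thread (Z038's policy-matching random generator in #5 and Ser Olmy's multi-word passphrase above), and not code from any poster: a small Python generator built on the secrets module, with an entropy estimate for each. The symbol set and the word list are constructed assumptions; a real word list such as the EFF diceware list has about 7,776 entries.

```python
import math
import secrets
import string

# Character classes used to express a site's password policy (constructed example).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!#$%&*+-=?@^_",   # assumed set; adjust to what the site allows
}

# Tiny constructed word list for the passphrase demo.
WORDS = ["woodwork", "staple", "battery", "horse", "correct", "koala", "lantern", "pebble"]


def meets_policy(pw, min_len, required):
    """True if pw is at least min_len long and contains every required class."""
    return len(pw) >= min_len and all(any(c in CLASSES[r] for c in pw) for r in required)


def random_password(length=16, required=("lower", "upper", "digit", "symbol")):
    """Uniformly random password over the union of CLASSES, resampled until
    every required class is present (rejection sampling keeps it uniform
    over the accepted set)."""
    if length < len(required):
        raise ValueError("length too short for the required classes")
    alphabet = "".join(CLASSES.values())
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(pw, length, required):
            return pw


def random_passphrase(words, count=5, sep="-"):
    """count words chosen uniformly with replacement, joined by sep."""
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(choices, count):
    """Entropy of count independent uniform picks from choices options.
    For random_password this is an upper bound: the policy rejection
    discards a small fraction of the space."""
    return count * math.log2(choices)


if __name__ == "__main__":
    print(random_password(16), round(entropy_bits(75, 16), 1), "bits")
    print(random_passphrase(WORDS, 5), round(entropy_bits(7776, 5), 1), "bits with a 7776-word list")
```

With a 7,776-word list, five words give about 64.6 bits, comparable to a 10- to 11-character fully random password, which is the point of Ser Olmy's suggestion.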
Old 06-11-2013, 08:08 PM   #9
yancek
LQ Guru
 
Registered: Apr 2008
Distribution: Slackware, Ubuntu, PCLinux,
Posts: 10,486

Rep: Reputation: 2485
Quote (Originally Posted by GinaC):
How did the website know it was the same password?
Did you tell them you used the same password on your company website as you use elsewhere? If so, just deal with it. If not, I would wonder how they got that info. Keeping different passwords on an encrypted flash drive sounds like a good idea; you only need to remember one.
 
Old 06-11-2013, 11:40 PM   #10
Z038
Member
 
Registered: Jan 2006
Location: Dallas
Distribution: Slackware
Posts: 910

Rep: Reputation: 174
Employers in the US can legally install keyloggers on company-owned PCs used by employees, and otherwise monitor their activities. If Gina didn't tell someone that she uses the same password everywhere, I would suspect a keylogger.
 
Old 06-12-2013, 03:26 AM   #11
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,070

Rep: Reputation: 897
There has been some really good input in this thread. In particular, the recommendation to use a password manager is particularly good (and convenient).

Many browsers have some kind of password manager built in, which is a plausible route, if the problem is the number of websites for which you have to remember passwords.

I'm currently experimenting with/transitioning to Keepass. After reading one of those Ars Technica articles that Z038 mentioned, I came to the conclusion that something better than bolting together fragments of words, some particularly random commands and some memorable numbers was required, because while the passwords may have been tolerably strong when seen on their own, if one leaked out, that would degrade the security of the others, because there are some common themes that a person could see.

One disadvantage of the 'password manager built in to the browser' approach is that some sites on the 'net that you log in to change the URL of the log in page, and that 'breaks' the log in ability, and there is then nothing that you can do to associate the old log in with the new page address. This is inconvenient, unless you have another record of the password (which kind of defeats the point, unless you are very careful) and then, the more manual approach with a separate password manager may be more convenient.
 
Old 06-12-2013, 08:55 PM   #12
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.2
Posts: 18,349

Rep: Reputation: 2750
Also, with eg keepass/keepassX, you can (should be able to) copy/move the (encrypted) db between systems. It also runs on Linux & MSWin (possibly others).
 