The recent publicity over a leak of 771 million (or so) email addresses some of which have associated passwords has spawned a rash of tweets and articles that advise people to ‘change their password’. This suggests that we all have a single password, which is of course nonsense. If we follow the advice to use different passwords for different sites, then the question arises ‘What password(s) should I change?’.
The problem arises because you email address is used by many sites as your unique identifier and, unless you know where the stolen passwords came from, you have no idea what password you should change. For example, if my Google email address was stolen from Google (this has not happened as far as I know), then I should obviously change my Google password. However, I use the same address as an identifier for my electricity supplier account so, if the email address has been stolen from there, then that’s the password that I should change.
It’s also the case that some sites, such as news sites, require you to set up an account for access – but these are ‘don’t care’ sites where there is no significant loss in someone else having access to your account. So if someone has the password I used for these articles, I really don’t care.
We know of well-publicised breaches – TalkTalk, LinkedIn and Adobe – where passwords were stolen and so if you have one of these accounts, you should have changed your password before now. But excepting these, if you don’t reuse passwords apart from ‘don’t care’ sites, it seems to me to be rather pointless to try and second-guess which passwords need changed.
My approach to security is to use a password manager to make it easy to use different passwords for different sites and to turn on two-factor authentication when I can. I also make sure that I don’t use my main email address when signing up to ‘don’t care’ sites. This is no guarantee that my credentials won’t be stolen but this seems to me to be the best compromise between keeping things secure and excessive time spent on account management.