The Layperson’s Guide to Passwords

Cole Lyall
Nov 6 · 6 min read

Let’s be honest, password management is a tedious activity that everyone wants to avoid (tech people included!). While there is not one single, prescribed method to password security, there are several tools and tricks that reduce the risk of information compromise.

Centralized Password Storage

We live in 2019, and passwords no longer need to be written on a piece of paper or Google Doc. Several companies offer services with the sole purpose of storing all of your passwords in one place. Some of these include LastPass, Keeper, 1Password, and even Google Chrome. When using these services, all of your passwords will be stored in their software, and some will even auto-populate on the websites you have accounts on! Now, you can store all of your passwords in one place and not worry about memorizing (and also forgetting) your passwords. Yet, some of you may be wondering: what happens if my Keeper or Google Chrome account is compromised? Do these services make it easier for hackers to obtain my passwords, since I store them all in one place?

The short answer is: there is no such thing as absolute password security (unless you decide to memorize everything…). Whether you write down your passwords on a piece of paper, store them in a Google Doc, or email them to yourself, your data is always vulnerable to leaking. A dedicated password manager is a better bet than any of those, because the vault is encrypted on your device with a key derived from your master password before it is sent anywhere, so even the company running the service cannot read it. With this in mind, I believe that centralized password storage provides the highest convenience without sacrificing too much security. The best you can do is to make the password for your central password provider as long and as hard to guess as possible (a passphrase of several unrelated words works well), and to turn on two-factor authentication for that account if the service offers it. I refer to this password as the keys to the kingdom. It is the only password that should be memorized, as a leak of this password results in a complete and total compromise of your online life.


Trusting Your Password to a Website

When you sign up to create an account on a website, you are typically asked for two things: an email and a password. Once you provide these, they are stored on the website's servers and checked against what you type the next time you log in. However, some websites do not store your password securely, and a break-in at such a site hands your password straight to the attacker.

Imagine that a website's server is a house, and inside this house is all of its customers' data. Company A records every email and password on a piece of paper and tucks the sheets away in filing cabinets throughout the house. Company B instead invests in lock safes and stores its written customer data inside them. Now, let's say a malicious actor breaks into each company's house, hoping to find data to sell to other bad actors who profit from such information. At Company A, voila! All the data is neatly organized and handily available in the filing cabinets, and the intruder immediately thinks, profit! At Company B, the thief quickly runs into a much larger obstacle in the form of the safes, and walks away with nothing they can use directly. In software, the "safe" is password hashing: the site never stores your password itself, only the result of running it through a slow, one-way scrambling function together with a random value (a salt) that is different for every user, and it checks a login by scrambling what you typed the same way and comparing. A thief who steals those scrambled records cannot log in with them; the best they can do is guess likely passwords, scramble each guess the slow way, and look for a match. Common passwords such as password123 still fall to that guessing, but a long random password from a password manager does not, so your password stays safe.
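The following is an added example, not code from the original article: Company A's filing cabinet and Company B's safe as two small Python programs, plus the thief's side of the break-in. The accounts, passwords and the attacker's list of common passwords are constructed for illustration. It shows what the thief gets from each company, and why Carol's manager-generated password survives while the two weak ones do not.

```python
"""Company A versus Company B: plaintext password storage next to salted, slow hashing.

This is an added example; it is not code from the original article. The
accounts, passwords and the attacker's word list below are constructed for
illustration.
"""
import hashlib
import hmac
import secrets

# PBKDF2 is deliberately slow; this count keeps the demo quick. Production
# systems use a much higher count or a memory-hard function (scrypt, Argon2).
ITERATIONS = 100_000


# ---- Company A: the filing cabinet. Passwords kept exactly as typed. ----
def company_a_store(users):
    return dict(users)


def company_a_login(records, email, password):
    return records.get(email) == password


# ---- Company B: the safe. A random salt per user and a slow one-way hash. ----
def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def company_b_store(users):
    return {email: hash_password(pw) for email, pw in users.items()}


def company_b_login(records, email, password):
    if email not in records:
        return False
    salt, stored = records[email]
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(stored, candidate)  # constant-time comparison


# ---- The break-in: the thief copies each company's records. ----
def attacker_reads_company_a(records):
    # Nothing to crack: every password is readable and immediately reusable.
    return dict(records)


def attacker_cracks_company_b(records, wordlist):
    """Offline guessing: hash each candidate with the user's salt and compare.

    Returns only the accounts whose password appeared in the word list."""
    recovered = {}
    for email, (salt, stored) in records.items():
        for guess in wordlist:
            _, candidate = hash_password(guess, salt)  # one slow hash per guess
            if hmac.compare_digest(stored, candidate):
                recovered[email] = guess
                break
    return recovered


# Constructed sample data: two weak passwords and one generated by a password manager.
USERS = {
    "alice@example.com": "password123",
    "bob@example.com": "letmein",
    "carol@example.com": "cx7!Tq-wR9#zLm2p",
}
COMMON_PASSWORDS = ["123456", "password", "password123", "qwerty", "letmein", "welcome"]


if __name__ == "__main__":
    cabinet = company_a_store(USERS)
    safe = company_b_store(USERS)
    print("Stolen from Company A:", attacker_reads_company_a(cabinet))
    print("Guessed from Company B:", attacker_cracks_company_b(safe, COMMON_PASSWORDS))
    print("Carol can still log in at Company B:",
          company_b_login(safe, "carol@example.com", USERS["carol@example.com"]))
```

Two details worth noticing: the salt means two users with the same password get different stored values, so the thief has to repeat the slow guessing for every account rather than once for the whole table, and the comparison uses a constant-time function so that the time a login takes does not leak how close a guess was.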

The lesson here is that from the outside you cannot tell whether a website is Company A or Company B, and plenty of sites, small and large, have turned out to be Company A. That leads to the scenario where a hacker gets into the server, sells your email and password, and every other account where you used the same combination is open to takeover. Even large companies like Sony and Target have had their systems hacked, with millions of customers' data leaked as a result.

So, if basic data security practices are ignored by websites small and large, how do you know who can be trusted with your information? You don't, and that is where changing passwords comes into play. A leaked password only matters while it still works: change it as soon as a site you use announces a breach, or as soon as a breach-notification feature (most password managers have one built in) flags it, and the stolen copy becomes worthless. Changing on a fixed schedule is a fallback for sites you would never hear from; current guidance (NIST SP 800-63B) no longer requires it, because forced rotation mostly pushes people toward weaker, predictable passwords, whereas a unique password per site and a prompt change after a breach is what actually contains a leak. Plus, if you use centralized password storage, changing a password is a two-minute job that adds nothing to memorize.

Single Sign On

Now that we have covered centralized password storage and seen that websites cannot be relied on to store your password securely, we can look at an alternative form of password security: Single Sign On!

In practice, Single Sign On (SSO) means one username and password, held by a single identity provider such as Google or Facebook, that can be used to sign into many different applications. You are probably familiar with websites offering services like "Sign in with Google" or "Login with Facebook". Both of these are forms of SSO: you log into Google, and an account is created for you on the website as if by magic. Under the hood these buttons use standard protocols (OAuth 2.0 and OpenID Connect), but the technical details are not important to this discussion; there is one aspect to highlight regarding passwords.

For example, let's say you are trying to create an account on your local newspaper's website. You opt to 'Login with Google', sign into your Google account, and an account is created for you on the newspaper website. By logging in this way, you never trust your password to your local newspaper's servers: you type it only on Google's own login page, and Google hands the newspaper a signed statement that says, in effect, "this is account X, and here are the email address and name the user agreed to share." For the most part, that identity, plus whatever you do on the site, is the only data stored on the newspaper's servers. By doing so, you minimize the spread of your information and avoid having to trust yet another company to store your password securely. The flip side is that your Google account now unlocks every site you attached to it, which makes it part of the keys to the kingdom discussed above: guard it with a strong password and two-factor authentication.
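To make the "signed statement" concrete, here is an added toy version of the exchange in Python. It is not code from the original article and not Google's or any newspaper's real implementation: real SSO logins use OpenID Connect, where the provider signs a JSON Web Token with a private key and the site checks it against the provider's published public key. To stay stand-alone, this toy signs with an HMAC key shared out of band, and the provider name (idp.example), the site name (news.example), the user and the key are all constructed. The point it demonstrates is that the password is checked only at the provider, and the newspaper verifies a signature, an audience and an expiry rather than ever seeing a password.

```python
"""Toy "Sign in with Google" exchange: the newspaper never receives the Google password.

This is an added example; it is not code from the original article and not
Google's or any newspaper's real implementation. Real SSO logins use OpenID
Connect (signed JSON Web Tokens verified with the provider's public key). To
stay stand-alone, this toy signs with an HMAC key shared out of band. The
provider name, site name, user and key are constructed.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

# ---- Identity provider side (the "Google" of the story) ----
IDP_NAME = "idp.example"
IDP_SIGNING_KEY = b"constructed-demo-key-not-for-real-use"
IDP_USERS = {}  # email -> (stable user id, salt, password hash)


def _slow_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def idp_register(email, password):
    salt = secrets.token_bytes(16)
    user_id = "user-" + hashlib.sha256(email.encode()).hexdigest()[:8]
    IDP_USERS[email] = (user_id, salt, _slow_hash(password, salt))


def idp_sign_in(email, password, audience, now=None):
    """Check the password at the provider. On success return a signed identity
    token addressed to one site (the audience); on failure return None."""
    record = IDP_USERS.get(email)
    if record is None:
        return None
    user_id, salt, digest = record
    if not hmac.compare_digest(digest, _slow_hash(password, salt)):
        return None
    now = time.time() if now is None else now
    claims = {"iss": IDP_NAME, "sub": user_id, "email": email,
              "aud": audience, "exp": int(now) + 300}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(IDP_SIGNING_KEY, body, hashlib.sha256).digest()
    return body + b"." + base64.urlsafe_b64encode(sig)


# ---- Relying party side (the local newspaper) ----
NEWSPAPER_SITE = "news.example"
NEWSPAPER_ACCOUNTS = {}  # provider user id -> account record (no password field)


def newspaper_login_with_idp(token, now=None):
    """Verify the provider's signature, issuer, audience and expiry, then look up
    or create the local account. No password is sent to, or stored by, this site."""
    try:
        body, sig = token.split(b".")
        expected = hmac.new(IDP_SIGNING_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, base64.urlsafe_b64decode(sig)):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body))
    except ValueError:  # malformed token, bad base64 or bad JSON
        return None
    now = time.time() if now is None else now
    if claims.get("iss") != IDP_NAME or claims.get("aud") != NEWSPAPER_SITE:
        return None  # not from our provider, or issued for a different site
    if claims.get("exp", 0) < now:
        return None  # stale token
    return NEWSPAPER_ACCOUNTS.setdefault(
        claims["sub"], {"email": claims["email"], "provider": claims["iss"]})


if __name__ == "__main__":
    idp_register("alice@example.com", "Hr4$vK9-nQ2@pLw8")
    token = idp_sign_in("alice@example.com", "Hr4$vK9-nQ2@pLw8", NEWSPAPER_SITE)
    print("Newspaper account:", newspaper_login_with_idp(token))
    print("Wrong password at the provider:",
          idp_sign_in("alice@example.com", "guess", NEWSPAPER_SITE))
```

The audience check matters: a token the provider issued for shop.example is rejected by news.example, so one site that receives your token cannot turn around and use it to log in as you somewhere else.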

Password Diversity

So, we have arrived at everyone's least favorite topic: having different passwords and changing them. We have all probably heard that we should change our passwords every few months and never reuse an old one. However, let's revisit and justify this concept with our new knowledge in mind.

First off, if you utilize the concept of Single Sign On, most website accounts you have don’t require a password change. If you choose to sign in and create accounts through Google, for example, the only password you ever need to know and change is your Google password.

Next, now that we know how data leaks and hacks occur, it should be fairly apparent why password changes matter. If a hacker obtains your password from a company's server, what good is it to them if you no longer use it? Changing a password promptly once it has leaked, and never reusing a password across sites, confines each leak to the one account it came from, and that protects you in the long run.

Lastly, consider the tradeoff if you choose not to change any of your passwords and reuse them across sites. Once one site leaks your email and password, attackers do not try the pair by hand: they feed lists of leaked logins into tools that try them against hundreds of other sites automatically (this is known as credential stuffing). If you use the same email and password for everything (online banking, email, and so on), one data leak puts your entire online life at risk. Seen from this standpoint, keeping passwords unique and changing a leaked one is far less work than undoing the damage a hacker can do.
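This is the check a password-manager user can actually run: an added Python example (not code from the original article or from any password manager) that reads a vault export and reports which passwords are shared between sites, which other accounts an automated credential-stuffing tool would get into if one site leaked, and which passwords to change. The CSV layout (site,username,password) and the accounts in it are constructed for illustration; real exports carry more columns but the idea is the same.

```python
"""Audit a password-manager export for reuse, and see what a single breach would expose.

This is an added example; it is not code from the original article or from any
password manager. The CSV layout (site,username,password) and the accounts in it
are constructed for illustration; real exports have more columns.
"""
import csv
from collections import defaultdict
from io import StringIO

# Constructed vault export. Three sites share "summer2019", one of them under a
# different username.
VAULT_CSV = """site,username,password
bank.example,alice@example.com,cx7!Tq-wR9#zLm2p
mail.example,alice@example.com,Hr4$vK9-nQ2@pLw8
news.example,alice@example.com,summer2019
shop.example,alice@example.com,summer2019
forum.example,alice_fan,summer2019
social.example,alice@example.com,Zt6&mB3-yX1!qWs5
"""


def load_vault(csv_text):
    """Parse the export into a list of {"site", "username", "password"} rows."""
    return list(csv.DictReader(StringIO(csv_text)))


def reuse_groups(entries):
    """Map each password used on more than one site to the list of those sites."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["password"]].append(e["site"])
    return {pw: sites for pw, sites in groups.items() if len(sites) > 1}


def blast_radius(entries, breached_site):
    """Sites that fall to credential stuffing if breached_site leaks its passwords:
    same username and same password, tried as-is by an automated tool."""
    by_site = {e["site"]: e for e in entries}
    leaked = by_site[breached_site]
    return sorted(
        e["site"] for e in entries
        if e["site"] != breached_site
        and e["username"] == leaked["username"]
        and e["password"] == leaked["password"]
    )


def passwords_to_change(entries, breached_site):
    """Everything to rotate after the breach: the breached site plus every site
    sharing its password, even under another username, because the attacker now
    knows the password and will try it with any other identifier linked to you."""
    by_site = {e["site"]: e for e in entries}
    leaked_pw = by_site[breached_site]["password"]
    return sorted(e["site"] for e in entries if e["password"] == leaked_pw)


if __name__ == "__main__":
    vault = load_vault(VAULT_CSV)
    for pw, sites in reuse_groups(vault).items():
        print(f"one password shared by {len(sites)} sites: {', '.join(sites)}")
    print("news.example breached -> stuffing hits:", blast_radius(vault, "news.example"))
    print("news.example breached -> change at:", passwords_to_change(vault, "news.example"))
```

Note the gap between the two reports: the forum account shares the leaked password under a different username, so a naive stuffing run misses it, but it still belongs on the change list.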

Final Thoughts

There is no single method that makes passwords secure. There are, however, best practices that can be followed. If you adopt the practices outlined here (a password manager with a strong master password, Single Sign On where a site offers it, a unique password for every account, and a prompt change whenever one leaks), you will greatly reduce the risk of an online compromise.
