One of the most hated security policies is that of asking users to have different passwords for each different service they make use of. Many see this as unnecessary because they reason that if their chosen password is strong enough then having multiple passwords is an unnecessary precaution. Worse still, it is not just everyday users that ignore this best practice as we have seen by the HBGray federal compromise; even senior managers, up to the CEO, of a security company had been using the same password on multiple services.
Thinking that a single strong password is effective enough protection is flawed. A strong password might make it very difficult or even impossible for an attacker to crack it, but that’s not the only risk that can result with your password being compromised.
We use many different services, from forums to games, and in each of these we are asked to create accounts for authentication. We have no way of knowing how these work, how secure they are or even if they are legitimate. What if you sign up with a web hosting service, use your really strong 20 character password (which even includes symbols!) and then it turns out that this service is storing that password as plain text?
It might seem highly unlikely but unfortunately it happens, as reported by The Register where InterWorx, a web hosting control panel system, suffered a data breach and they admitted that their system was storing client credentials in plain text. Those clients who used the same credentials on all servers and whose credentials were stolen have figuratively opened their organization’s (and home) doors to these hackers until they change their credentials.
It is also safe to assume there will always be a sizeable gap between identifying an attack, informing the users about it and the users changing their passwords on all their systems, thus giving attackers plenty of time to gain a foothold before the situation is resolved.
Best practices and security policies are there for a reason and it is important that they are followed.