The news that Spotify has been hacked once again shows that your data is not always safe, even if you trust the company that holds it for you.
Most users know that they should use a different password for each service they use. But from personal experience I know that we don’t always do what is right: many people use the same password for all their services.
The danger of using the same password:
Most web developers know that you should never store a password in plain text, but sometimes a service has no choice. Take Twitter, or any company with a popular open API.
While Twitter itself (hopefully) stores only a hash of its users’ passwords, it is the Twitter ecosystem (the hundreds of services built around Twitter) that you should worry about. Because Twitter’s API does not offer a delegated authentication method such as OAuth, these services need to know your username and password in plain text (i.e. unencrypted) to query the Twitter API on your behalf, and they have to store them that way: a hash is useless to them, because the API wants the actual password.
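To make that distinction concrete, here is an added example (not code from the original post, and not Twitter’s or any real app’s code). The first half is what a site that only has to verify your password can do: keep a salted hash and never the password. The second half is a hypothetical third-party app that has to present your credentials to an HTTP Basic-auth API, so it can only keep them in recoverable form. The app name, the in-memory credentials table and the sample account are constructed for illustration.

```python
"""Added example: verifying a password (salted hash) versus presenting one
(Basic auth), and why only the first can avoid storing the plaintext.

Nothing here is Twitter's code; the ThirdPartyApp, its credential table and
the sample user are constructed for this illustration."""
import base64
import hashlib
import hmac
import os


# --- First-party site: it only needs to VERIFY the password --------------

def make_record(password: str, iterations: int = 200_000) -> dict:
    """Store a random salt plus PBKDF2-HMAC-SHA256(password), never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify(record: dict, candidate: str) -> bool:
    """Recompute the hash for the candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["hash"])


# --- Third-party app: it must PRESENT the password to the upstream API ---

def basic_auth_header(username: str, password: str) -> str:
    """HTTP Basic auth is only base64(user:pass); it is encoding, not hashing."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def decode_basic_auth(header: str) -> tuple[str, str]:
    """Anyone holding the header (or the stored credentials) gets both back."""
    user, _, password = (
        base64.b64decode(header.split(" ", 1)[1]).decode().partition(":")
    )
    return user, password


class ThirdPartyApp:
    """Hypothetical 'post later' app. To call a Basic-auth API on your behalf
    it must keep exactly what the API accepts: username and plaintext password.
    A salted hash would not let it build the Authorization header."""

    def __init__(self) -> None:
        self.api_credentials: dict[str, str] = {}  # constructed in-memory table

    def connect_account(self, username: str, password: str) -> None:
        self.api_credentials[username] = password  # plaintext, by necessity

    def call_api_as(self, username: str) -> str:
        # In the real app this header would go on an HTTP request to the API.
        return basic_auth_header(username, self.api_credentials[username])


def breach_dump(app: ThirdPartyApp) -> list[tuple[str, str]]:
    """If the app's database leaks, every stored credential is usable at once
    (and reusable wherever the same password was reused)."""
    return [decode_basic_auth(app.call_api_as(u)) for u in app.api_credentials]


if __name__ == "__main__":
    rec = make_record("hunter2")
    print("first-party verify:", verify(rec, "hunter2"), verify(rec, "hunter3"))
    print("plaintext in record:", b"hunter2" in rec["hash"])
    app = ThirdPartyApp()
    app.connect_account("alice", "hunter2")
    print("header:", app.call_api_as("alice"))
    print("what a breach yields:", breach_dump(app))
```

The contrast is the whole point: a leak of the first-party records yields salts and slow hashes that still have to be cracked per user, while a leak of the third-party table yields working logins for the upstream API and for every other site where that password was reused.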
If you are a passionate Twitter user you probably use a lot of external Twitter apps. The result is hundreds of places where your Twitter password is exposed to hacking attempts.
Because it is so easy to build a service around Twitter, and many of them have been built in less than a day or a week, you can imagine that security is not the highest priority for these Twitter projects.
A hacker could probably break into one of these Twitter services more easily than into Twitter itself. What he or she would find is your Twitter username and password, and in some cases your email address as well. Obviously the hacker could abuse your Twitter account, change your password, sell your credentials, stalk your followers and more.
Given that many people use the same username/password combination for many different online services, these hackers could also try the same credentials against other web services such as Gmail, Flickr, Google Docs and Yahoo.
In short, it’s a good idea to have a separate password for services like Twitter and not to reuse one password across different services. Use a password manager such as 1Password to generate and store a unique password for each service.
An extra benefit of changing your Twitter password is that it automatically filters out the services you don’t use anymore: every app that stored your old password stops working, and you only re-enter the new one in the apps you still care about.
Thanks to Robert Beekman for the input.