We all know that using a single password on multiple web sites is a bad idea, due to password-stuffing attacks (where an attacker uses a password stolen from one site to try and access another).
But here’s an interesting edge case.
Several years, two financial institutions I do business with merged. I have a separate login (and password) on each company’s web site, but my accounts are linked together. When I log in to either site, I can view information about accounts stored on the other. And there is a “single sign-on” link so I can switch between the two company web sites without re-authenticating.
So, the question is - is there any point in maintaining two passwords for this specific situation? Or would using a single password for the two be just as secure as two different passwords (as is currently the case)?
I can think of arguments on both sides of the subject, but I’m curious about what others think about this. And it is probably relevant to many others, since corporate mergers are a fact of life these days.
I would talk to the merged company and find out if they plan to merge accounts under one umbrella or continue to operate separate but linked accounts. If they plan to migrate users to a single account, the issue may be moot. If they plan to keep them separate then I see no real problem using a single password for two accounts. Not really different for my wife and I having separate accounts but using the same password for convenience. Just like how we use the same password on our Macs and same passcodes on the iPads and iPhones.
I was the victim of an attempted stuffing attack on my retirement account. Tried to sign-on and it was locked. Did the reset, logged in, and changed the password. Next day same thing happened. Called their support and was advised to create a new userid/password to access my account and cancel the old one. No further problems after that. Excellent proof for why passwords shouldn’t be reused between sites.
Creating an exception to “different passwords for different logins” sets the dangerous precedent of assuming how a business is run. Leave well enough alone until you are required to make changes.
Having a similar configuration with 2 institutions, I keep the two separate logins as their can be, on occasion, instances of faulty linkages between the two accounts.