Obvious but Subtle Password Policy
After having a friend’s email account compromised (which he only found out about after a bunch of fortunately harmless spam went out), I got to thinking how it might have happened.
I’m guessing it wasn’t a terribly strong password, but at the same time, attacking a site like Gmail with more than a few bad passwords will get you CAPTCHA’d if not completely locked out. Then it occurred to me that what likely happened is that another site was compromised, one that used his email address as the username and where he used the same password.
Typically I’ve had three levels of passwords: one for banking, PayPal, eBay, and other things where security is really job one. I use a second password on accounts like, say, Amazon, where someone might be able to order stuff in my name. If it’s compromised it will be a pain in the ass, but ultimately I’m not going to lose my life’s savings. Finally I have a password that I use for throwaway sites (comment boards, registration walls, etc.). In a perfect world I would have unique passphrases for every site I visit, or give my life over to something like 1Password, but the preceding is basically how I roll.
But I learned an important caveat: your email should have its own unique password, different from those you use anywhere else, particularly places where your email address is your username. After all, in most cases someone who has access to your email can use a “forgot password” link to be able to log into almost any site you’re registered for. So having your email compromised is kind of a Big Deal.
So until the day when you have unique 20-character passphrases for everything, do change your email password to something strong and different from anything else you have a password for.
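As an added example (not part of the original post), here is a small audit of a password-manager export that checks for exactly the pattern described above: other accounts sharing the mailbox password, and accounts that log in with your email address while also reusing a password somewhere else. The export records, site names and passwords are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of a password-manager export: (site, username, password).
# These are made-up records for illustration, not real credentials.
SAMPLE_EXPORT = [
    ("gmail.com",     "alice@example.com", "Tr0ub4dor&3"),
    ("bank.example",  "alice_b",           "correct horse battery staple"),
    ("forum.example", "alice@example.com", "Tr0ub4dor&3"),   # same as the mailbox password
    ("shop.example",  "alice@example.com", "letmein-shop"),
    ("blog.example",  "alice",             "letmein-shop"),  # shop password reused here
]


def audit_reuse(export, email_site, email_address):
    """Report accounts that weaken the mailbox, the recovery hub for every other login.

    Returns a dict with:
      shares_email_password : sites whose password equals the mailbox password
      email_login_reused    : sites where the email address is the username AND the
                              password is also used elsewhere (a breach there exposes a
                              working email/password pair that also opens the mailbox)
      reuse_groups          : every set of sites sharing one password (size > 1)
    Only site names are returned; passwords never leave the function.
    """
    email_pw = next((p for s, u, p in export
                     if s == email_site and u == email_address), None)
    if email_pw is None:
        raise ValueError("mailbox account not found in export")

    # Group sites by the password they use so reuse is visible at a glance.
    sites_by_pw = defaultdict(set)
    for site, _user, pw in export:
        sites_by_pw[pw].add(site)

    shares_email_pw = sorted(sites_by_pw[email_pw] - {email_site})
    email_login_reused = sorted(
        site for site, user, pw in export
        if site != email_site and user == email_address and len(sites_by_pw[pw]) > 1)
    reuse_groups = sorted(sorted(g) for g in sites_by_pw.values() if len(g) > 1)
    return {"shares_email_password": shares_email_pw,
            "email_login_reused": email_login_reused,
            "reuse_groups": reuse_groups}


if __name__ == "__main__":
    for key, value in audit_reuse(SAMPLE_EXPORT, "gmail.com", "alice@example.com").items():
        print(f"{key}: {value}")
```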