According to cmswire.com, one of the major security risks with the Internet of Things is Insufficient Authentication/Authorization. When it comes to the Internet of Things, should I use a different password for each of my devices, or is it okay to come up with one very secure password to use on all my devices?
More specifically, if I have bought multiple iterations of the same device, should I come up with a different password for each one?
Many vendors have bad security practices and ship all their devices with an identical default password (which is easier than programming and labeling each device with a unique password or mandating a password change before it can be used).
When such devices are accessible online it becomes trivial to find them and use such default credentials to abuse them at scale.
The fact that you make effort to change the default password is already sufficient to thwart a large part of that potential abuse, almost regardless of the actual strength of the password you select.
Is it okay to come up with one very secure password to use on all my devices?
Re-using the same password in many places is universally a bad idea.
The main problem is that good security is hard and you can't really tell from the outside if your really good password will be properly secured or not, at least not until the moment that it becomes clear that the security failed, or there was never any security in the first place.
For instance even the best password in the world is useless if the device/application/website will effectively hand over that password, in clear text, when asked correctly. It would be especially bad if that password can then subsequently be used to unlock many more devices/applications/sites/secrets.
If you don't have a password manager already and don't want one either simply labeling devices with a unique password is quite effective and secure against digital attacks, as is an old fashioned notebook.
Using different passwords for different devices does not improve the security in a large scale. It can be a help if someone needs to breach in and get into all of your devices, one-by-one.
But in most of the cases, security breach in done via the weakest device of your devices, and in most of those cases, the device itself is the vulnerability, not the password.
In real life it's really hard to memorize a lot of passwords (of course we can use a password manager) and those Strong Passwords are even harder to remember.
Using a strong password may help you to some extent, but the real security problem isn't your password!
Since you should be using long random passwords, which isn't really practical unless you use a password manager, there isn't much overhead to using different passwords on every device.
In practice, the domestic advantage gained is probably fairly minimal. However if you re-use passwords on your local domain, any one weak device gives away access to all the others. For example, the Noke lock has/had a unpatched vulnerability during 2016 where the over-the-air key exchange disclosed it's private key (albeit an internally generated one, not a user provided one).
What is critical is that your IoT devices do not share your communications passwords.
