Password Protection #101
I recently made a rather shocking observation. On one of my sites (I’ll gloss over the finer details), I ask users to register with an email address and a password. As you’d expect, many email addresses were from simple webmail providers such as Gmail and Hotmail. So, for educational purposes only (I must stress), I switched over to one of these providers, popped in some random soul’s email address and password, and, surprise, surprise, it worked like a charm. In around 10 minutes of trial and error, I had successfully infiltrated around a dozen email accounts.
Now, most people’s inboxes are pretty unexciting, but once you have access to someone’s email you effectively have access to every web service they use, and, well, pretty much their entire identity. How? Practically every site with a login has some sort of ‘Forgot your password?’ feature. Hit that a few times across the web, and you’ll quickly find yourself with login details for dangerous things like PayPal, Facebook, or an e-commerce site (which may have your credit card details stored). From there, an unscrupulous character can cause all kinds of havoc.
Of course, this lesson is nothing you’ve not heard before. Most experts recommend using a super-difficult-to-crack but insanely-difficult-to-type-and-remember password – oh, and make it unique for each site you use. This is somewhat unrealistic, so I guess I’d recommend the following practical measures:
- Use super duper cryptic passwords for really important financial sites like PayPal and your bank. Don’t even think about using these passwords for anything else.
- You’re probably best off having a completely unique password for your email too. If it’s never compromised, it doesn’t make all that much sense to change it regularly.
- Use a simple throwaway password for simple websites where any risk is really small.
- Never use a password for a random website, however innocent it may look, that you’re also using for something potentially damaging (email account, Facebook, etc.).
- Perhaps keep track of your passwords in a handy spreadsheet (mine has 254 entries, which is somewhat disturbing) or a notebook.
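As an added example (not code from the original post), here is a small Python audit that applies the rules above to a password list like the spreadsheet just mentioned, flagging any financial or email password that is reused and any throwaway password shared with a high-risk site; the site names, tiers and passwords are constructed.

```python
# Added example: audit a password list for the reuse rules in the post.
# All sites, tiers and passwords below are constructed, not real accounts.
import hashlib
from collections import defaultdict

# Risk tiers from the post: financial and email passwords must be unique;
# a throwaway password must never be shared with anything damaging.
FINANCIAL, EMAIL, DAMAGING, THROWAWAY = "financial", "email", "damaging", "throwaway"
HIGH_RISK = {FINANCIAL, EMAIL, DAMAGING}

def fingerprint(password: str) -> str:
    """Compare passwords by hash so the audit report never contains plaintext."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]

def audit(entries):
    """entries: iterable of (site, tier, password). Returns a list of violations."""
    by_hash = defaultdict(list)  # fingerprint -> [(site, tier), ...]
    for site, tier, password in entries:
        by_hash[fingerprint(password)].append((site, tier))

    violations = []
    for users in by_hash.values():
        if len(users) < 2:
            continue  # unique password: nothing to report
        sites = ", ".join(s for s, _ in users)
        tiers = {t for _, t in users}
        for site, tier in users:
            if tier in (FINANCIAL, EMAIL):
                violations.append(f"{tier} password for {site} is reused (shared with: {sites})")
        if THROWAWAY in tiers and tiers & HIGH_RISK:
            violations.append(f"throwaway password shared with high-risk sites: {sites}")
    return violations

# Constructed sample list: one reused email password, one password shared
# between a throwaway forum, a shop, and a financial site.
SAMPLE = [
    ("bank.example", FINANCIAL, "Tr0ub4dor&3!x"),
    ("mail.example", EMAIL, "correct horse battery staple"),
    ("social.example", DAMAGING, "correct horse battery staple"),
    ("shop.example", DAMAGING, "pass1234"),
    ("forum.example", THROWAWAY, "pass1234"),
    ("recipes.example", THROWAWAY, "pass1234"),
    ("paypal.example", FINANCIAL, "pass1234"),
]

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```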
