Password Protection #101

I recently made a rather shocking observation. On one of my sites (I’ll gloss over the finer details), I ask users to register with an email address and a password. As you’d expect, many email addresses were from simple webmail providers such as Gmail and Hotmail. So, for educational purposes only (I must stress), I switched over to one of these said providers, popped in some random soul’s email address and password, and surprise surprise, it worked like a charm. In around 10 minutes of trial and error, I had successfully infiltrated around a dozen email accounts.

Now, most people’s inboxes are pretty unexciting, but once you have access to someone’s email you effectively have access to every web service they use, and, well, pretty much their entire identity. How? Practically every site with a login has some sort of ‘Forgot your password?’ feature, and the reset link or temporary password it sends lands in that same inbox. Hit that a few times across the web, and you’ll quickly find yourself with login details for dangerous things like Paypal, Facebook, or an ecommerce site (which may have your credit card details stored). From there, an unscrupulous character can cause all kinds of havoc.

Of course, this lesson is nothing you’ve not heard before. Most experts recommend using a super-difficult-to-crack but insanely-difficult-to-type-and-remember password – oh, and make it unique for each site you use. This is somewhat unrealistic, so I guess I’d recommend the following practical measures:

  • Use super duper cryptic passwords for really important financial sites like Paypal and your bank. Don’t even think about using these passwords for anything else.
  • You’re probably best having a completely unique password for your email too, since the email account is the recovery key for everything else. If it’s never compromised, it doesn’t make all that much sense to change it regularly.
  • Use a simple throwaway password for simple websites where any risk is really small.
  • Never use a password for a random website, however innocent it may look, that you’re also using for something potentially damaging (email account, Facebook, etc.). A registration form may be a front for collecting passwords, and you can’t assume the site stores them hashed rather than in the clear.
  • Perhaps keep track of your passwords in a handy spreadsheet (mine has 254 entries, which is somewhat disturbing) or a notebook, or better still in a dedicated password manager; a plain spreadsheet hands every entry to whatever trojan reaches the machine.
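The two practical rules above (generate a genuinely random, unique password per site, and never let a throwaway password touch a high-value account) can be checked mechanically. The following is an added example, not code from the original post: it draws passwords from the OS random source with Python's `secrets` module, reports their entropy, and scans a password list for reuse. `ALPHABET`, `SENSITIVE_SITES` and `EXAMPLE_VAULT` are assumptions for the example; the vault contents are constructed, not real credentials.

```python
import math
import secrets
import string
from collections import defaultdict

# Alphabet assumed for generated passwords: letters, digits and punctuation
# that most registration forms accept (13 symbols, 75 characters in total).
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"

# Assumed list of high-value accounts: the ones that must never share a password.
SENSITIVE_SITES = {"email", "bank", "paypal"}


def generate_password(length=20, alphabet=ALPHABET):
    """Draw a password from the OS CSPRNG via secrets (never random.random())."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy in bits of a uniformly random password of this length and alphabet."""
    return length * math.log2(alphabet_size)


def reused_passwords(vault):
    """Groups of sites that share a password; vault maps site -> password."""
    by_password = defaultdict(list)
    for site, password in vault.items():
        by_password[password].append(site)
    return sorted(sorted(sites) for sites in by_password.values() if len(sites) > 1)


def dangerous_reuse(vault, sensitive=SENSITIVE_SITES):
    """Reuse groups that include a high-value account: exactly the case the post warns about."""
    return [group for group in reused_passwords(vault) if set(group) & set(sensitive)]


# Constructed example vault (not real credentials): the throwaway password used
# on a forum and a shop has also been used for the email account.
EXAMPLE_VAULT = {
    "bank": "c7Tq!v9Lp#2sXe8Wm=Ra",
    "email": "monkey123",
    "forum": "monkey123",
    "shop": "monkey123",
    "paypal": "Zk4@rB6vNs1!yQx9Dh-3",
}

if __name__ == "__main__":
    print("new password:", generate_password(), f"({entropy_bits(20):.0f} bits)")
    print("dangerous reuse:", dangerous_reuse(EXAMPLE_VAULT))
```

A 20-character password from this 75-character alphabet carries a little over 124 bits of entropy, far beyond anything that can be guessed online or cracked offline, and `dangerous_reuse` flags the `email`/`forum`/`shop` group while ignoring reuse that only involves low-value sites.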
 Tags: Internet, Random   Published: 9th September '09


15 Archived Wordpress Comments

Ivan Heneghan

This reminds me of a case in Ireland where an un-named college found that just over 80% of their students were using 'Guinness' as their password.

Oscar

Thanks for the reminder!

I love that you put FB up there with equal importance as the email.

Jack Sleight

I know your point is that users shouldn't use the same password multiple times, but your site should really be storing them as salted hashes, so you wouldn't have any way to see what they were (nor would anyone who hacked your DB). This isn't a site I built is it? ;-D

Keith Mander

Haha… no, it's not your handiwork Jack. Just some dodgy free script I must have got from somewhere. You're right that as long as every webmaster does what they should be doing, then the risk is mitigated. However, I guess my point is that one should always be wary as a site's registration may be a front for collecting passwords and you shouldn't assume that data is encrypted.
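Jack's point about salted hashes, and Keith's reply that a user can't assume a site stores passwords safely, are worth showing in code. The following is an added example, not code from the post or from the script Keith mentions: it stores only a salted PBKDF2-HMAC-SHA256 record, verifies a login in constant time, and flags records that need re-hashing when the work factor is raised. The record format, the iteration count and the helper names are assumptions for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example: PBKDF2-HMAC-SHA256, a 16-byte random salt
# per user and an iteration count that is a tunable work factor (raise it over time).
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
KEY_LEN = 32


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the password with the salt; this is the slow, deliberate step."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_LEN)


def hash_password(password: str, iterations: int = ITERATIONS, salt: Optional[bytes] = None) -> str:
    """Return the only thing the site stores: algorithm$iterations$salt_hex$hash_hex.

    The password itself is discarded, so neither the site owner nor someone who
    copies the user table can read it back or try it against the user's webmail."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every record
    return f"{ALGORITHM}${iterations}${salt.hex()}${_derive(password, salt, iterations).hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False  # malformed record: fail closed, never raise on a login path
    if algorithm != ALGORITHM or iterations < 1:
        return False
    return hmac.compare_digest(_derive(password, salt, iterations), expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when a stored record is weaker than the current settings, so it can be
    re-hashed at the user's next login (the only moment the plaintext is available)."""
    parts = record.split("$")
    try:
        return len(parts) != 4 or parts[0] != ALGORITHM or int(parts[1]) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    stored = hash_password("correct horse battery")
    print(stored)
    print("login ok:", verify_password("correct horse battery", stored))
    print("login ok:", verify_password("wrong guess", stored))
```

Because every record gets its own random salt, two users with the same password get different records, and a stolen table cannot be attacked with one precomputed list; the iteration count makes each guess expensive, and `hmac.compare_digest` keeps the comparison time independent of where the first mismatching byte sits.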

Neil Walker

I'd recommend using 'RoboForm' or similar which will auto generate secure passwords for each site (& then with one click, it will log you onto each site automatically) – as Tolkien said: "One Password to Rule them All…"

Anonymous

It disturbs me that you violated your own users’ trust. Why would I even give you my email (or name) when posting this comment?

Keith Mander

I appreciate your sentiment, however I can positively say that I never read any emails or stored any personal information whatsoever. Sharing this experience should help others, which I think makes up for any wrong doing on my part.

ano

I don’t like the spreadsheet bit at all – if your computer gets infected by a trojan you are in trouble.

Keith Mander

I tend to agree with you Ano, a spreadsheet is worryingly insecure. Password protecting an Excel sheet is pretty much pointless too. Fortunately, there are a bunch of software apps that can help store confidential information in an organised and secure manner. For me, the spreadsheet works and being on a Mac, I tend not to worry about the risk of trojans.

Jye Smith

Mate, what a fantastic article. Some really practical advice and people forget about this all the time. Loved it. Delicious and sharinggg

Keith Mander

Cheers Jye – thanks for spreading the article :)