Password Mugging
Hopefully you've already figured out the damage someone could do to you if they get into your e-mail account. They can impersonate you, causing problems with your personal and professional contacts. They could read all your stored e-mails and anything medical, financial or otherwise important in them. And, of course, they can unlock your other accounts and do even MORE damage.
So knowing that, why is it that people give up their passwords willingly to services like Facebook, MySpace, and other social networking sites?
They promise not to store the password or peek at anything except your contacts which they say they'll use to find out if anyone with those e-mail accounts is already using the same service. This way they can add your friends for you without you having to do it manually for each one. Sound tempting? So did Snow White's apple.
Consider the following:
- If the company or anyone working for them has more plans than they say, there's nothing to stop them from storing the password or anything else they find in your mailbox.
- Does your login and password and all the other details they send back and forth from your e-mail account have any kind of protection to keep it safe while it's being sent? Chances are that it doesn't and all that important information (including your password) will be sent all over the net unprotected.
- Even if all the above were somehow safe, the very practice of asking people for passwords is a violation of one of the most basic rules of computer security. Call it a personal rant, but it's irresponsible to train users to engage in risky security. It's an abuse of trust.
- And speaking of abusing trust, if you're not very careful about reading all that small print, you may end up embarrassing yourself when they use your e-mail contacts for more than you expected.
E-mail Account Abuse
"You've just been added to John Doe's Reunion.com Address Book!"
"John Doe wants to connect with you! I looked for you on Reunion.com, but you weren't there…"
Do any of these messages look familiar? If so, a friend of yours (or at least someone who has your e-mail address in their address book) has fallen prey (knowingly or not) to what many say is an overly aggressive way to coerce people into joining Reunion.com's "get in touch with old friends" service.
In this article you can read a description of how Reunion.com abused the trust of their users and sent out spam e-mails to everyone in their contact list when they gave up their password.
I received an e-mail just like the ones described above that said something like "Someone's looking for you on Reunion.com! Sign in to find out who it is!". Immediately following that was this e-mail:
Subject: My apologies to everyone who received this Re-Union E-mail
My apologies to everyone who received this Re-Union E-mail, I understand that this was bothersome. You will not receive it again. There is no need for response. Eric
Consider that this poor guy had personal and business contacts in his address book all of whom got this spam from Reunion. He was more than a little embarrassed.
What To Do
Remember that unlike places like Best Buy and Kmart online, social networking sites make money by collecting and selling people and their data. Reunion isn't the only one training people in bad security by asking for passwords, they ALL do it:
- MySpace
They're not providing the service for fun or your benefit, they want as many subscribers as they can so they can serve ads or sell your data to data brokers.
Give Us Your Bank Info!
You would think people would know better than to give up their banking information, but that appears to not be the case. Consider mint.com, a personal finance website where you can supposedly give them "read-only" access to your online banking so they can show you where your money goes and help you better manage it.
This is all good in theory, but they say in their "About Us" page:
YOU can't move money… But can they? And even if they're claiming they can't, did you verify that with your bank first? Unless your bank tells you that they've determined a service such as this is safe, supported, and that they will back you up in the event of fraud or accidents, why would you ever take such a risk?
That's not to say that Mint.com is bad (because I don't know that for sure) and, in fact, I think it's a great idea in theory. The problem is that the only thing protecting you once you've given up a password is their "promise", which historically companies aren't very good at keeping.
Even if Mint.com employees and everyone else who has access to the data (the network and data administrators) is safe and trustworthy, they still become a target of hackers. The first one to get into their system will have a goldmine of completely defenseless bank accounts to play with.
You might say, "So what's the difference? Banks have accounts too!" True. But banks also have strong regulation, stiff penalties, and financial responsibility for breaches. Does Mint?
What to Do
Remember to distrust new sites and services until and unless you've verified and validated them personally. But most importantly:
Make good passwords, keep them safe, and NEVER willingly give them away.
Cross-site Login
The last thing to watch for are the sites that let you log in with multiple different credentials. It's natural to think "oh hey! I can log in with a name and password I already have instead of creating a new account on this site… sweet!". What you should be thinking is "this site wants the name and password to my other accounts! Heck no!"
First, the site you're logging into might just be collecting your login information for their own use. Second, if they're legit, there still could be security or implementation issues (like not using https during the transmission from their site to the service that actually owns that login). Third, I'd bet there's at least one if not more ways to trick a site into letting someone into an account when they use this kind of cross-site login.
This is a risky thing to do and should be treated the same as giving away your password for adding contacts.
What to Do
If there's an option to avoid logging in, do so. In the example I provided, you can leave a comment anonymously or with a simple name/url combo (neither requires a password). Otherwise, if you want to use a site or service, just make a new account or use Bug Me Not to see if there's a shared name and password available.
About the only exception is for sites that are owned by others such as the case of Google who owns Youtube and Yahoo who owns Flickr. In those cases, you can go to the main website (Google or Yahoo) and sign in THERE. Then try going back to the supposed "partner site" and see if you're already logged in. If so, they really do have some kind of relationship.
You MAY want to consider the privacy implications of tying all your photos or videos to companies that already know so much about you (Google and Yahoo). For privacy reasons, it might still be worth creating an entirely separate account on each site.
Making Good Passwords
To understand what makes a good password, let's talk about what makes a bad one first.
Making good passwords can be complex, but here are some tips and tricks that will make it easier.
Password Protection
Once you've taken the trouble to make a good password, the next step is to keep it safe!
Now that you've done all this work, you have to learn the most important rule of all: DON'T GIVE THEM AWAY!
Although there may exist websites that do ask you for the login and password for another website/e-mail account etc., in which case obviously they shouldn’t be trusted, as I understand it the current trends are different. There are many websites that let you “log in with your Google/Facebook/etc. account” as opposed to creating a new account.
So let’s say a website example.com allows you to log in with Google/Facebook accounts.
As I understand it, the way it works is different – you don’t provide the login and password to example.com, but rather you log in to the Google/Facebook account, then those websites add example.com to your list of “trusted websites” and allow example.com to access your profile information – name, avatar, sometimes other data. And as long as you are logged in to Google/Facebook, you will also be logged in to example.com.
Assuming I understand it right, this does not allow example.com to “steal” your Google/Facebook account, they can only use the Google/Facebook API to access some information in read-only mode and that’s it.
So, as far as account security is concerned, I think this trend seems rather safe. It still does not solve privacy/data brokers issues, so there are other valid reasons to avoid Google/Facebook, but that’s another topic.
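The contrast between the article's "hand over your e-mail password so we can import contacts" approach and the delegated login the comment above describes, as an added example (not code from the page or from any real provider): the IdentityProvider class, its method names and the account data are all constructed for illustration.

```python
"""Toy model of two ways a third-party site (example.com) can reach a user's account
at an identity provider: being handed the password, or getting a scoped, revocable
token after the user logs in at the provider. All names and data are constructed."""
import secrets

class IdentityProvider:
    def __init__(self, accounts):
        self._accounts = accounts  # user -> {"password", "contacts", "mail"}
        self._tokens = {}          # token -> (user, granted scope)

    def login(self, user, password):
        """Password login: the caller gets the whole account, mail included."""
        acct = self._accounts.get(user)
        if acct is None or acct["password"] != password:
            raise PermissionError("bad credentials")
        return acct

    def grant(self, user, password, scope):
        """User authenticates here and delegates one scope; the third party
        receives a token, never the password."""
        self.login(user, password)
        token = secrets.token_hex(16)
        self._tokens[token] = (user, scope)
        return token

    def has_access(self, token, resource):
        entry = self._tokens.get(token)
        return entry is not None and entry[1] == resource

    def api(self, token, resource):
        """Token access: only the granted resource, as a read-only copy."""
        if not self.has_access(token, resource):
            raise PermissionError(f"token not valid for {resource}")
        return list(self._accounts[self._tokens[token][0]][resource])

    def revoke(self, token):
        self._tokens.pop(token, None)

def compare():
    """What example.com can reach under each approach (constructed data)."""
    idp = IdentityProvider({"alice": {"password": "hunter2",
                                      "contacts": ["bob"], "mail": ["tax.pdf"]}})
    acct = idp.login("alice", "hunter2")             # approach 1: password handed over
    via_password = {"contacts": acct["contacts"], "mail": acct["mail"]}
    tok = idp.grant("alice", "hunter2", "contacts")  # approach 2: scoped token only
    via_token = {"contacts": idp.api(tok, "contacts"),
                 "mail": idp.has_access(tok, "mail")}
    idp.revoke(tok)                                  # the user can cut access later
    via_token["contacts_after_revoke"] = idp.has_access(tok, "contacts")
    return via_password, via_token
```

With the password, example.com can read the mailbox outright; with the token it gets the contacts list only, and nothing at all once the user revokes it.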