Why you may need to change your email password, now

Now for something completely different: The web 2.0 world requires people to register accounts with logins and passwords these days. I am registered with so many of these services, some I use and some I don’t use, that I’ve lost track.

Apparently, the typical internet user these days has upwards of 21 different accounts that require passwords, says a British online-security consultant NTA Monitor in Wikipedia. Now I’m guessing that most people, like me, don’t come up with a range of different passwords for each and every one of the many accounts they sign up for — but tend to use the same password or at least similar variations.

The reason would be that keeping a separate password for each web 2.0 site that you sign up for would just be a nightmare. This especially so because it all has to be in your head. You shouldn’t write passwords down. Not ever. Not even on that little scrap of paper buried in the corner of your garden, north by north west, five paces from the mango tree, two paces from your mother’s favourite rose bush.

According to Wired, an analysis of the most common passwords found on 34,000 hacked MySpace accounts were: “password1, abc123, myspace1, password, blink182, qwerty1, fuckyou, 123abc, baseball1, football1, 123456, soccer, monkey1, liverpool1, princess1, jordan23, slipknot1, superman1, iloveyou1 and monkey.” Yes, would you believe that even “password” is still used these days. I was surprised I didn’t see variations of “secret” or common first names in there either. If you want to go further, here is a list of 2000+ of the most common passwords (Yours there perchance??)

So, here’s the thing that’s been on my mind (and forgive me if this is ridiculously obvious to you): But most sites require your email address as the login these days, instead of some other arbitrary login. Now if you had to combine your email address with your generic password (the one you use everywhere, including your email account)… hey presto… someone potentially has access to your Gmail or Hotmail account: the user name/email address AND password. Then from there, who knows what else.

Granted there are many reputable online companies out there who protect these details like nothing else. But who knows what will happen: it just takes one disgruntled employee or a company going bust that isn’t quite on the ball anymore. Security is not my area, but I’d venture an opinion that online applications have created a security nightmare. Yes I know Firefox has a neat system that stores your passwords, but you don’t always access your account from that Firefox browser.

The solution: It’s simple, really. There is a strong argument to use similar passwords for all the little and big web 2.0 services you sign up to because practically what else are you going to do? But I’d argue you should choose a completely new and separate password for your email account, your bank account and perhaps a key social networking service you use. Make those passwords the kahunas of passwords, keep them unique and separate from the other generic passwords you use on other sites.

Comments (4)

  1. Uno de Waal wrote::

    Alternatively, use OpenID

    Tuesday, November 27, 2007 at 12:05 pm #
  2. Funny, this is exactly what I have been doing for the past year or two. The problem is that not everybody uses OpenID and sometimes OpenID providers stuff up and you loose access to all your accounts. I would either set up my own OpenID server or otherwise just use some other password scheme.

    The ideal has always been for me to use public/private keypairs to authenticate, similar as with SSH. However, this would require a new standard to be set up and support from all the major browsers so is probably not something that will be materialising overnight.

    I think that Web 2.0 sites should try to avoid forcing the user to register as far as possible. Maybe some of the less-frequently used sites could send you a temporary token via instant messaging or e-mail every time you need to log on, but this will become tedious for sites you use frequently.

    This is a serious problem however so the more research and development done in this area the better in my opinion.

    Tuesday, November 27, 2007 at 1:48 pm #
  3. Twylite wrote::

    Don’t use OpenID. It makes your security dependent on the DNS system and your OpenID provider (often a cheap web host), both of which are more easily hacked than your password. Read “OpenID: the bad and the ugly” (http://www.crypt.co.za/post/39).

    You basically have four options for managing a lot of passwords:

    (1) Don’t. Give up, use only a couple of passwords, and surrender to having your accounts compromised. Remembering of course that your next employer is going to Google you.

    (2) Use a system to construct and remember passwords. Read Building Strong and Memorable Passwords (Part 4 of 4).

    (3) Use password derivation software (also called password hash generators) like http://passwordmaker.org/ . These allow you to combine a single master password and a URL using a one-way cryptographic function to create a unique password for each site.

    (4) Use a password manager like Password Safe (http://passwordsafe.sourceforge.net/). Because your password database is well encrypted you could even keep an online copy (e.g. on box.net) if you absolutely need it.

    Tuesday, November 27, 2007 at 5:11 pm #
  4. Great post! Much appreciated 🙂

    Thursday, July 16, 2009 at 8:26 am #