Posted: Friday, 26 September 2008

Your Email Password is Your Most Important Password

Here is a newsflash: the security of the majority of your online accounts is only as good as the security of your email account. As many of you know, Sarah Palin’s Yahoo account was recently compromised by using public information to answer her secret question and take control of the account. You are at the mercy of the strength of the Password Reset Mechanism, and Password Reset today is flawed.

Rule #1: Never ever ever enter your email address and username into any webpage on the Internet except that of your email provider. You are placing yourself at significant risk if you do so (there are some exceptions to this rule of course, like if your email provider is also an OpenID provider or supports delegated authentication).


Rule #2: The answer to your Secret Question should be a random string of gibberish. “Who is your best friend?” The answer should be: d8239d#5d. This way no one can guess it.

I learned the hard way how vulnerable I was when I lost access to my Hotmail account. I cannot begin to describe what this felt like. It might feel like losing the keys to your house, arriving home to find a burglar inside, and getting a busy signal when you dial 911.

Jeff Atwood wrote about this exact problem a few months ago:

You should re-read these words a few times and internalize just what they mean. #3 is exactly why you should generate a unique password for every single website you visit. You should manage this complexity using a tool such as RoboForm, PassPack, VeriSign PIP, KeePass or LastPass.
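To put numbers on Rule #2 and on the unique-password advice above, here is an added example (it is not code from the original post or from any of the password managers named). It compares the guessing entropy of a secret-question answer that an attacker can narrow down from public information against a random answer of the kind the post recommends, and generates an independent random password per site, which is exactly the mapping a password manager stores for you. The candidate high-school list and the site names are constructed for the example.

```python
import math
import secrets
import string
from typing import Dict, List

# Characters used for generated answers and passwords: 73 symbols in total.
ALPHABET = string.ascii_letters + string.digits + "#$%&*+-=?@_"


def random_secret(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Return `length` characters drawn uniformly from `alphabet` using the
    operating system's CSPRNG via the `secrets` module (never `random`)."""
    if length < 1:
        raise ValueError("length must be at least 1")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(choices: int, length: int = 1) -> float:
    """Entropy in bits of a value chosen uniformly from choices ** length
    equally likely possibilities."""
    return length * math.log2(choices)


def guessability(candidates: List[str]) -> float:
    """Entropy an attacker faces when the 'secret' answer is known to lie in
    a short list of publicly discoverable candidates."""
    return entropy_bits(len(set(candidates)))


# Constructed example: for a public figure, the candidate list for
# "Which high school did you attend?" is tiny. These names are made up.
PUBLIC_INFO_CANDIDATES = [
    "Northside High", "Lakeview High", "Riverdale High", "Central High",
    "Pine Ridge High", "Eastfield High", "Westbrook High", "Summit High",
]


def compare_answers(random_length: int = 9) -> Dict[str, float]:
    """Bits of entropy for a secret question answered from public info versus
    a random string of `random_length` characters over ALPHABET."""
    return {
        "public_info_answer": guessability(PUBLIC_INFO_CANDIDATES),
        "random_answer": entropy_bits(len(ALPHABET), random_length),
    }


def unique_passwords(sites: List[str], length: int = 20) -> Dict[str, str]:
    """One independent random password per site. A password manager is what
    stores this mapping so that no password ever has to be remembered."""
    return {site: random_secret(length) for site in sites}


if __name__ == "__main__":
    print("Random secret-question answer:", random_secret(9))
    for name, bits in compare_answers().items():
        print(f"{name}: {bits:.1f} bits (about {2 ** (bits - 1):.0e} guesses on average)")
    for site, pw in unique_passwords(["mail", "bank", "photos"]).items():
        print(f"{site}: {pw}")
```

Eight public candidates give 3 bits, which is a handful of tries at a reset form; a nine-character random answer over this alphabet gives roughly 56 bits, which is out of reach for online guessing. Treat the generated answer exactly like a password: store it in the manager alongside the site's password, since it is a second credential, not a memory aid.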

I don’t know 95% of my passwords.

Almost every single account you have will have something called a Password Reset feature. You see, none of us can remember all the passwords we use for our different sites. Heaven forbid we actually try and use unique passwords and then forget a password. How do you get access?

Well in the case of many banks and such that store highly sensitive information, you have to get on the horn and talk to a human proving that you are who you are. Usually this is done by sharing something with them that only you know and that they can verify. Things like:

And in some cases, they will physically mail you a new password to your registered address.

But what about the sites that don’t think they hold highly sensitive information, or don’t want to incur the cost of such a labor-intensive, human-driven process? Well, they will do one of the following:
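Every cheap reset mechanism the post is about hinges on something an attacker might know or guess. As an added example (not code from the original post or from any particular site), here is the shape of a reset flow that does not: the site generates a high-entropy token, keeps only its hash, emails the token to the registered address, and accepts it once within a short window. The account names and the injectable clock are constructed for the example; a real deployment would hold the table in a database and still rely on the email account itself being secure, which is the post's Rule #1.

```python
import hashlib
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60  # an unused reset link should die quickly


def _token_hash(token: str) -> str:
    """Only a hash of the token is stored, so a leaked table cannot be replayed."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class ResetTokenStore:
    """In-memory model of a hardened reset flow: a single-use, time-limited,
    high-entropy token generated server-side and delivered only to the
    account's registered email address. No step depends on a fact an
    attacker could look up."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now  # injectable clock so expiry can be tested offline
        self._pending: Dict[str, Tuple[str, float]] = {}  # hash -> (account, expires_at)

    def issue(self, account: str) -> str:
        """Create a token for `account` and return it for delivery by email.
        Any earlier outstanding token for the same account is invalidated."""
        self._pending = {h: v for h, v in self._pending.items() if v[0] != account}
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[_token_hash(token)] = (account, self._now() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str) -> Optional[str]:
        """Return the account a valid token belongs to, or None. The token is
        consumed on first presentation whether or not it has expired."""
        entry = self._pending.pop(_token_hash(token), None)
        if entry is None:
            return None
        account, expires_at = entry
        if self._now() > expires_at:
            return None
        return account


if __name__ == "__main__":
    store = ResetTokenStore()
    t = store.issue("alice@example.com")  # constructed account name
    print("token emailed :", t)
    print("first redeem  :", store.redeem(t))  # alice@example.com
    print("second redeem :", store.redeem(t))  # None, because tokens are single-use
```

The design choices that matter are the ones a secret question cannot offer: the secret is chosen by the server, not recalled by the user; it is unguessable online; it is only ever valid once; and it stops being valid on its own after a few minutes.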

