Sep 17 2010

How to Reuse Your Passwords

Most people know that reusing passwords for multiple services is a major security hole. If you don't know, XKCD can explain it to you:

This is happening already

Now, assuming you aren't going to memorize a unique password for every service requiring one, there are a few ways you can protect yourself from programmatic identity theft.

  • A good balance between security and sanity is the maintenance of passwords with different security levels. This should prevent a low-security service from emptying your bank account. Three example levels are:
    • An ultra-secure password. Use this password only for services where the compromising of their system would make the news. A good rule of thumb is to keep this password for Fortune 500 companies, corporate emails, and banks.
    • A likely-secure password. This password group is for services you trust. In order to trust them, ask yourself whether a compromising incident would impact their bottom line. Also, it should not be a world-changing event if a third party stole this password. A good example is the note-taking system EverNote. I like EverNote, and my password is probably secure with them. However, when I signed up for the site, I had to trust a programmer whose stock options will probably never pay out.
    • An insecure password. This password is for systems you might not even return to. Basically, only use this password if you wouldn't mind handing out a flier with your account credentials to the service.
  • Another strategy for preventing programmatic attacks is to prefix or suffix the password with the name of the service you are using, so your YouTube password would be MyPassYouTube. Make sure the password is long enough to be secure without the prefix or suffix. This base password (the password without the service name) should be at least 8 characters long. If one of your passwords is compromised, then a computer would not be able to find your other service accounts by the method in the comic.
  • A complex but rewarding strategy is to register your own domain and plug it into Google Apps. As a domain administrator you would be able to register for every site with a different email address. For instance, I could sign up for a YouTube account as YouTube[at]seanbmcgregor.com. This will also allow you to activate rules on your account if a service sells your email to spammers. If you don't want to go through the trouble of registering a domain, at least sign up for a Gmail account for sites likely to spam you.
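The tiered passwords and the service-name prefix/suffix rule above can be turned into a simple self-check. The code below is an added example, not from the original post: it strips the service name from the front or back of a candidate password, checks that the remaining base meets the 8-character minimum, and rejects a lower-tier password that reuses a base reserved for a higher tier. The tier names, the `Tiers` class and the sample base values are all hypothetical.

```python
from dataclasses import dataclass
from typing import List, Optional

MIN_BASE_LEN = 8  # the post's rule: the base must be secure on its own


@dataclass
class Tiers:
    """Bases reserved for the higher tiers (constructed sample values)."""
    ultra_secure: str
    likely_secure: str


def split_service_name(password: str, service: str) -> Optional[str]:
    """Return the base password with the service name removed from the
    front or the back (case-insensitive), or None if the scheme was not used."""
    svc = service.strip().lower()
    pw = password.lower()
    if not svc:
        return None
    if pw.startswith(svc):
        return password[len(svc):]
    if pw.endswith(svc):
        return password[:len(password) - len(svc)]
    return None


def check_service_password(password: str, service: str, tier: str,
                           tiers: Tiers) -> List[str]:
    """Return the rule violations for a candidate password at the given
    tier; an empty list means it follows the post's scheme."""
    problems: List[str] = []
    base = split_service_name(password, service)
    if base is None:
        problems.append("service name is neither a prefix nor a suffix")
        base = password  # judge the whole password as the base instead
    if len(base) < MIN_BASE_LEN:
        problems.append(f"base password is {len(base)} chars; "
                        f"need at least {MIN_BASE_LEN}")
    # A lower tier must never reuse a higher tier's base: a leak from a
    # throw-away site must not hand out the bank or corporate base.
    reserved = {"likely-secure": [tiers.ultra_secure],
                "insecure": [tiers.ultra_secure, tiers.likely_secure]}
    if base in reserved.get(tier, []):
        problems.append("base is reserved for a higher security tier")
    return problems
```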

Of course these steps are not as strong as maintaining a unique password for every service you use, but at least if you hold to one or more of these rules, it would take more than a line of code to hijack your digital life.

My last piece of advice: If a low-security service does not accept the password it should accept, don't enter your other passwords. It's a trap!

* Note: I omitted OAuth services like Facebook Connect because the general public is not very good at recognizing a proper OAuth form. Also, granting a site access to data within unaffiliated sites like Facebook makes you more vulnerable to social engineering.
