Online Security Review Completed
Following the security review I mentioned yesterday I now feel considerably more relaxed about my online existence.
When I was writing yesterday's post I had no idea the Gawker thing was about to kick off. Talk about timing. Not that I had a Gawker account but who knows who else Gnosis might pick on!?
The same password is no longer used on more than one of the services I use.
More importantly, none of my logins use the same email/password combination as used for the inbox for that email account. School boy error!
Until yesterday my Apple ID's password was the same as for the GMail account to which it was tied. You'd like to think you could trust both parties implicitly but I prefer to treat all websites as having an equal potential for being compromised.
It's nice to know everything is backed up and in one central repository. And it's not just website logins I've registered. I've also covered all the SSH and RDC passwords to servers I host. Also the FTP and SQL passwords for websites I host. And then there's the passwords for my hardware - routers etc. Until you write them all down you don't realise just how complicated it all is.
Big sigh of relief!
Although one thing still troubles me. As good as all these ultra-high-strength passwords are there's still a single point of failure -- all sites have a "Forgot my password" process.
All you need to do is know things like "the name of my first pet" and I'm compromised. If the website email you a new password then this is all fine, but what if they ask you a "secret" question and then let you reset the password there and then? Bad, bad, bad.
My approach to "secret answers" has been to use the same non-word answer for all them. That way I always know what the answer should be and nobody ought to be able to guess it. Any flaws in that approach?
And Finally
The prize for the dumbest approach to password management goes to... ...Screwfix.com who convert your password to all lower-case, without telling you. In some perverse way this may have made sense to the developer at the time, but you try and work out why you can't get in!
That aside, yesterday I changed my (all lower case) Screwfix password to a new one generated by 1Password. But, like an idiot, I forgot to copy what I'd submitted. Never mind, they must have a password retrieval process, right? Yes, they do, but it doesn't help. All it does it email you your sefl-set "hint". If, as in my case, your hint doesn't help then you're snookered.
I Tweeted the Screwfix people about this and all I got in return was a stock "Call our support team on this number and they will help" response. They completely missed the point, which is that they've made it impossible for me (a customer) to give them (a business) my money.
No real flaw in using nonword answers. I like the better idea of creating a fake persona for yourself and always using those answers. Never share that fake persona so no one could guess what you used either.
I have used layers of passwords for some time based on integration with the service and need for usage. Plus trust in new betas I am always in mean they don't get "real passwords" at first.
Reply
On Facebook, I don't put my real birthday, so I get "Happy Birthday" wishes in February, which is not even the real month (and I won't share the month here).
I also use fake answers to challenge questions. I never plan on using the challenge questions, as I keep common sites like LinkedIn passwords encrypted in my Password Protector database:
http://blog.maysoft.org/blog.nsf/d6plinks/FPAO-7T2PFN
Finally, for banking, I use long (>16 char) passwords along with texts to my cell phone with extra login info to foil keyloggers.
Reply
Same here. I use fake, 'almost' non-word answers for the security questions and manage them the same way I do passwords.
In a conversation a while back with some teenagers and password security, the group had a grasp on the fact that passwords should be secure and shouldn't be shared with the boyfriends and girlfriends. But then when I mentioned how unsecure the hint questions are, I got blank faces. They hadn't considered that before.
Reply