Wednesday, January 13, 2010

Orphaned Credentials on the Web

Hi everyone, just a quick post today... As I sat and stared at my password manager this evening trying to make sense of the mountain of credentials I haven't used in forever, I had a thought.  How many sets of credentials do I have out there?  Worse yet, how many of them are either (a) identical or (b) similar enough to cause me pain should one of those sites be compromised?

We all know that there are many poorly constructed web sites out there, and almost every site you visit wants you to register in one way or another, creating yet another login name/password credential pair.  If you're anything like me you probably have upwards of 150 credential pairs out there; some of us have double that.  That's a scary thought.

Ask yourself one question, and be honest with yourself: how many times have you reused the same login name/password pair?  How many of the sites you registered at have your primary email address, or an email address that's tied to some other service that's important to you?  For example, if you've registered your company's domain name with your GMail address, that registrar account is probably a pretty important one to keep safe, right?  If your registrar login is your GMail address and the password is the same as your GMail password, it takes just one tiny compromise or slip at the weaker site and you're completely hosed: the attacker has your mail, your domain, and every account that resets its password through that mailbox.  Game over.

I'm writing about this briefly today not because password re-use is a new thing (when that issue was new I was still riding my dinosaur), but because it's a forgotten topic amidst the other security "advisories" out there.  Especially now as tax season approaches... watch your passwords folks!

What do I do to combat this silliness?  Here are some suggestions from a paranoid:

  1. Create a classification system for the sites you visit/register with (3 categories is probably the most you want: critical/sensitive, important, throw-away).
  2. Create a separate "persona" (login name, email address, password scheme) for each of those categories, so that nothing learned from one tier identifies or unlocks an account in another.
  3. For the throw-away category, use credentials that put distance between your real-life persona and your site registration.  Hint: if you register as Donald Duck it won't matter much when that site leaks its user table!
  4. Guard the sensitive and important categories, and try your best never to reuse those passwords or login names anywhere else, least of all on a throw-away site.
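
If you keep your credentials in a password manager, the audit I was doing by eye is easy to script.  The following is an added example (mine, not part of the original post, and not tied to any particular password manager): it runs over a constructed list of (site, tier, login name, password) entries of the kind you could export from such a tool, and reports exact password reuse, near-duplicate passwords (the "Summer2009" / "Summer2010" pattern, detected with a plain edit distance), and lower-tier accounts that share a password or login name with a critical one.  The site names, tiers and passwords are made up for the example; run it against your own export, and shred the export afterwards, since a plaintext list like this is exactly what you are trying not to leave lying around.

```python
# Added example: audit a password-manager export for credential reuse.
# All data below is constructed for illustration; nothing here is real.

# (site, tier, login name, password) -- the shape one would get from a CSV export
CREDENTIALS = [
    ("gmail.com",           "critical",  "alice@example.com", "Tr0ub4dor&3"),
    ("registrar.example",   "critical",  "alice@example.com", "Tr0ub4dor&3"),   # same password as mail
    ("bank.example",        "critical",  "alice_r",           "xK9#mQ2!vLp7"),
    ("shop.example",        "important", "alice@example.com", "Tr0ub4dor&4"),   # one character away
    ("forum.example",       "throwaway", "alice@example.com", "summer2009"),    # real email on a throw-away
    ("newsletter.example",  "throwaway", "donald.duck.1941",  "quackquack"),    # proper throw-away persona
]


def edit_distance(a, b):
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def exact_reuse(creds):
    """Map each password that appears on more than one site to those sites."""
    by_pw = {}
    for site, _tier, _user, pw in creds:
        by_pw.setdefault(pw, []).append(site)
    return {pw: sites for pw, sites in by_pw.items() if len(sites) > 1}


def near_duplicates(creds, max_distance=2):
    """Site pairs whose passwords differ but are within max_distance edits of each other."""
    pairs = []
    for i in range(len(creds)):
        for j in range(i + 1, len(creds)):
            pw_a, pw_b = creds[i][3], creds[j][3]
            if pw_a != pw_b and edit_distance(pw_a, pw_b) <= max_distance:
                pairs.append((creds[i][0], creds[j][0]))
    return pairs


def tier_leakage(creds):
    """Lower-tier accounts that share a password or login name with a critical account.

    A breach of the weaker site then hands the attacker a working username
    (or username and password) for the account you care about most.
    """
    critical = [c for c in creds if c[1] == "critical"]
    findings = []
    for site, tier, user, pw in creds:
        if tier == "critical":
            continue
        for csite, _ctier, cuser, cpw in critical:
            if pw == cpw:
                findings.append((site, tier, "password shared with", csite))
            if user == cuser:
                findings.append((site, tier, "login name shared with", csite))
    return findings


def audit(creds):
    """Collect all three checks into one report structure."""
    return {
        "exact_reuse": exact_reuse(creds),
        "near_duplicates": near_duplicates(creds),
        "tier_leakage": tier_leakage(creds),
    }


if __name__ == "__main__":
    report = audit(CREDENTIALS)
    for pw, sites in report["exact_reuse"].items():
        print("REUSED password on:", ", ".join(sites))
    for a, b in report["near_duplicates"]:
        print("NEAR-DUPLICATE passwords:", a, "/", b)
    for site, tier, what, csite in report["tier_leakage"]:
        print("TIER LEAK:", site, "(" + tier + ")", what, csite)
```

The edit-distance threshold of 2 is a judgement call; it catches the year-bump and trailing-digit variants that a credential-stuffing attacker tries first, while leaving genuinely different passwords alone.  The tier-leakage check is the one that maps directly onto the persona idea above: a throw-away forum registered with your real mailbox address is a leak even if its password is unique, because it tells an attacker which login name to try against the accounts that matter.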
Stay safe!

