Thursday, July 23, 2009

Poor Password Practices

When you use an online service, you can pick as secure a password as you want, but you are also trusting the other end to handle it securely. Some websites and applications handle passwords in ways that are plainly insecure. Apparently it's bad enough to lead to this breach of security. Here are at least three things you should be wary of:
  • The ability to recover your current password. If a site can show or send you your existing password, it is storing it in clear text (or reversibly encrypted) instead of as a salted, non-reversible hash. With proper hashing, the system administrators CAN'T actually get your password back out of the database (yes, in most places this is how it works); all the site can do is hash a login attempt and compare it to what is stored. This is different from being able to reset your password, which only requires setting a new one.

  • Use of secret questions and answers. Or rather, choose them wisely. Many of the standard questions can be answered by someone other than you: mother's maiden name, for instance, is public record or easy to find for a lot of people. Keep in mind that the answer doesn't have to be related to the question; as long as YOU remember what you entered, it works (for example, you could put in the name of your elementary school when asked for your pet's name). Treat the answer as a second password, and expect the site to store it as carefully as one.

  • Passwords that are e-mailed to you. Did you know: e-mail is not considered secure? It typically travels between mail servers and sits in mailboxes unencrypted, so it's about as secure as logging into a website without SSL. In addition, if your current password can be e-mailed to you, then the first bullet in this list is almost certainly also true. (A one-time temporary password sent during a reset is a different matter, though it should still be changed immediately.) If this happens to you, delete the e-mail with your password in it, change your password to a unique or throwaway one, and contact the website asking them not to e-mail out passwords.
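
To make the first two bullets concrete, here is an added example (written for this page, not code from the original post) contrasting a store that keeps passwords recoverable with one that keeps only a per-user salt and a one-way PBKDF2 digest for both the password and the secret-question answer. The hashed store can verify a login and perform a reset, but has no function that returns the password, because nothing it holds can be turned back into it. The iteration count, the user names and the sample secrets are illustrative assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Added example, not code from the original post. The iteration count is an
# illustrative assumption; a real deployment tunes it to its own hardware.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_secret(secret: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for a password or a secret-question answer.

    PBKDF2-HMAC-SHA256 is one-way: nothing in this module, and nothing the
    site's administrators hold, turns the digest back into the secret.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # per-user random salt defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_secret(secret: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, candidate = hash_secret(secret, salt)
    return hmac.compare_digest(candidate, digest)


def normalize_answer(answer: str) -> str:
    """Light normalization so 'Lincoln Elementary' and 'lincoln  elementary' match.

    The answer is then treated exactly like a password and hashed. The user is
    free to pick an answer unrelated to the question, as the post suggests.
    """
    return " ".join(answer.split()).casefold()


class PlaintextStore:
    """The anti-pattern: a site that can e-mail you your current password
    must be holding something like this."""

    def __init__(self) -> None:
        self._passwords: Dict[str, str] = {}

    def register(self, user: str, password: str) -> None:
        self._passwords[user] = password

    def recover_password(self, user: str) -> str:
        # Anyone who reads the database, or the recovery e-mail, gets the password.
        return self._passwords[user]


class HashedStore:
    """Stores only salt + digest for the password and the secret answer.
    Offers verification and reset, but no recovery: there is nothing to return."""

    def __init__(self) -> None:
        self._records: Dict[str, Dict[str, Tuple[bytes, bytes]]] = {}

    def register(self, user: str, password: str, secret_answer: str) -> None:
        self._records[user] = {
            "password": hash_secret(password),
            "answer": hash_secret(normalize_answer(secret_answer)),
        }

    def check_password(self, user: str, password: str) -> bool:
        salt, digest = self._records[user]["password"]
        return verify_secret(password, salt, digest)

    def check_answer(self, user: str, answer: str) -> bool:
        salt, digest = self._records[user]["answer"]
        return verify_secret(normalize_answer(answer), salt, digest)

    def reset_password(self, user: str, answer: str, new_password: str) -> bool:
        """Reset (not recover): prove you know the secret answer, then store a new hash."""
        if not self.check_answer(user, answer):
            return False
        self._records[user]["password"] = hash_secret(new_password)
        return True

    def stored_bytes(self, user: str) -> bytes:
        """Everything the database holds for this user, for inspection."""
        rec = self._records[user]
        return b"".join(rec["password"] + rec["answer"])


if __name__ == "__main__":
    # Constructed sample data: a user registers, logs in, and resets via the secret answer.
    store = HashedStore()
    store.register("alice", "correct horse battery staple", "Lincoln Elementary")
    assert store.check_password("alice", "correct horse battery staple")
    assert not store.check_password("alice", "Correct horse battery staple")
    assert b"correct horse" not in store.stored_bytes("alice")  # plaintext is simply absent
    assert store.reset_password("alice", "lincoln  elementary", "new passphrase")
    assert store.check_password("alice", "new passphrase")
    print("hashed store verifies and resets, but cannot recover")
```

The point of `stored_bytes` is the check a reviewer would actually run: dump what the database holds for a user and confirm the password does not appear in it. `PlaintextStore.recover_password` exists only to show what "recover your password" necessarily means on the server side; there is no corresponding method on `HashedStore` to write.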
