Passwords Part 4 "The Weakest Link"
The security in passwords is that no one else knows what they are. This security is diminished when you leave clues as to what those passwords might be. The weakest point in your password system will be your email, especially if you are in the habit of keeping emails long past their prime. This is the case with more than 90% of the internet world. If, in my case, there had been emails on my hacked account that had account retrieval information in them, then I would have opened the door to two things:
1. What accounts I have online and
2. What my password is, or a clue to what my "password system" might be. Let's look at these and see why you should be worried.
Just recently one of my sub email accounts was hacked and my hosting company called me (even before the barrage of server error emails arrived) to tell me that there was an unusual amount of email going out from this account and that they had changed my password for me. I immediately changed my password, but for my "Primary" account. Those two accounts had the EXACT same password. I made sure it was different and wiped the beads of sweat forming on my forehead. Here is why I was worried and you should be too.
I, from time to time, have to go to a site that I have not visited for a long while. I forget the password like most of us do and say $#*&%!! (there's a password right there). Now I have to do the "I forgot" dance that has an email going out to me with some way to "Change/Reset", "Answer Questions", or (the worst) "Retrieve or view my password".
ANSWER QUESTIONS: This usually happens at the website when you click on the "forgot" link, so you will rarely have to worry about this type of email. And although the security level is much higher, the questions will usually be personal enough that someone might be able to figure out the answer. My advice is to answer the question with a password, or answer it incorrectly or with a funny answer so that it is easier for you to remember. If there is a set of questions, rotate your answers so that you're answering the next question.
RETRIEVE: The worst is if you retrieve a password, because you are having it sent to you directly. That's fine if you are the only one viewing your email. If not, anyone else that sees the email will see your password and the "jig is up". So if you see this type of email coming from a website, make sure you delete it right away. Ummm, and hopefully I don't need to tell you, but you should be emptying the trash too. Frequently!
CHANGE/RESET: A little higher on the security scale is changing your password. If someone is looking at your email they do not get a sense of your password regimen, especially if you are creating great passwords. The challenge here is that they will get an idea of where your other accounts are online. And if other emails with delicate information are sitting around your inbox then you have a problem again.
Now there are different types of resets out there. There is the one where you are issued a random password that resembles our new grandmascookies password. If you get this emailed to you, you should log in right away (which you are probably going to do anyway) and then change it RIGHT THEN! Do not wait. You could go ahead and keep using this new password if it is up to the basic rules we went over. But either way, make sure that you erase the email.
The next type lets you set your own password on a landing page directly on the site. This is good too, but make sure you delete the email to remove traces back to the site. Some of these will have a "time out" setting that makes you go and start over if you do not get your password changed within a certain period of time. That is awesome, because the link will not be valid later if someone stumbles onto your email. Yes, you should still delete the email!
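To show what the "time out" style of reset link looks like on the site's side, here is an added example (not code from the original post) of a reset token that is random, stored only as a hash, expires after a time-out, and works exactly once. The in-memory store, the 15-minute lifetime and the user ids are assumptions for the example; the email body only ever carries the link, never the password, which is the difference between this and the RETRIEVE style above.

```python
"""Time-limited, single-use password reset tokens.

Added example for this post, not code from the original article. The
in-memory store, the 15-minute lifetime and the user ids are assumptions.
"""
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed "time out": the link dies after 15 minutes


class ResetTokenStore:
    """Issues reset tokens and redeems each one at most once before it expires.

    Only the SHA-256 of each token is kept server-side, so a copy of this
    table is not enough to use a link. The raw token exists only in the
    email, which is exactly why the post says to delete that email.
    """

    def __init__(self, ttl=TOKEN_TTL_SECONDS, now=time.time):
        self._ttl = ttl
        self._now = now      # injectable clock so expiry can be exercised in tests
        self._records = {}   # sha256(token) -> {"user", "expires", "used"}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, user_id):
        """Create a fresh 256-bit random token for user_id and return it."""
        token = secrets.token_urlsafe(32)
        self._records[self._digest(token)] = {
            "user": user_id,
            "expires": self._now() + self._ttl,
            "used": False,
        }
        return token

    def redeem(self, token):
        """Return the user id the token belongs to, or None if it is unusable.

        A replayed token, an unknown token, or one presented after the
        time-out all return None: the person has to "go and start over".
        """
        key = self._digest(token)
        record = self._records.get(key)
        if record is None or record["used"]:
            return None
        if self._now() > record["expires"]:
            self._records.pop(key, None)  # expired: forget it entirely
            return None
        record["used"] = True
        return record["user"]


def reset_email(base_url, token):
    """Body of the reset email: a link to the landing page, never a password."""
    return (
        "Someone asked to reset your password. If that was you, use this\n"
        f"link within {TOKEN_TTL_SECONDS // 60} minutes: {base_url}?token={token}\n"
        "If it was not you, ignore this email; the link expires on its own.\n"
    )


def demo():
    """Walk through issue -> redeem -> replay -> expiry with a fake clock."""
    clock = [1_000_000.0]                       # constructed timestamp
    store = ResetTokenStore(now=lambda: clock[0])
    token = store.issue("alice")
    first = store.redeem(token)                 # "alice": valid, first use
    replay = store.redeem(token)                # None: already used
    stale = store.issue("alice")
    clock[0] += TOKEN_TTL_SECONDS + 1           # past the time-out
    expired = store.redeem(stale)               # None: link no longer valid
    return first, replay, expired


if __name__ == "__main__":
    print(reset_email("https://example.test/reset", ResetTokenStore().issue("alice")))
    print(demo())
```

The landing page that receives the link calls `redeem` and, only if it gets a user id back, lets that user choose a new password. Because the token is consumed on first use and forgotten after the time-out, an old reset email sitting in an inbox is worth nothing to whoever finds it; deleting it still removes the trace of where you have an account.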
I believe Google has probably the best password reset process in use today. You can set your account to send you a quick text message with a code you type into the page. You can't beat that security unless you're hacked by your neighbor and he comes over to "borrow" your phone.
Well that is all I have on passwords for now. Follow the basics we discussed and remember to clean out your emails.