Monday, February 22, 2010

No Matter How Diligent You Are...

Today, I got an email from a service provider I have only rarely used stating that they had been the victim of a successful hacking attempt. They reassured me that they didn't store any credit card details but I should change my password as soon as possible.

This is the second time this has happened in the past year, and both sites are fairly insignificant in the grand scheme of things. They aren't, for example, financial services sites, so I shouldn't panic unduly.

I have now changed my password on the offending website, so all's well, right?

Wrong!

Whoever hacked this site may now have my name, address, email address and a password they know I have used in the past. Matching this password and email address may grant them access to other services I use online. That's not an unreasonable assumption on the part of the hacker, of course. How many people reuse their "favourite" password on each service they sign up to?

I think of myself as fairly diligent, though. I do have a "favourite" password. In fact, I have three or four "favourite" passwords! But NONE of them are used for my mission-critical services, banking being one!

However, I should now consider that one of my "favourite" passwords has been compromised and should be decommissioned. That means I should take a look through my password safe and change the password on every service that makes use of this now redundant password. What a pain!

The personal damage has been contained somewhat. My mission critical services are still safe. (In fact, I have no idea what the password is for these services and have no intention of ever "learning" what I have them set to!) If only everyone else behaved as responsibly. In fact, if only I behaved even more responsibly by having a separate password for every service I use!

My tips for the day, then, are:
  • Even if you have a high-quality password, always consider it vulnerable, as you have no idea how your service provider stores your password (it may be in plain text or weakly hashed, and either way it is in the hands of whoever breaks in)
  • Try to create a different password for each of the services that you use (and avoid prefixing or suffixing your "favourite" password with the service details - passw0rdebay and passw0rdfacebook are stupid passwords)
  • If you still feel confident reusing your "favourite" password, avoid the temptation to use it for your banking services
  • Re-evaluate what a mission-critical service is. Banking is definitely mission-critical, but your reputation is also critical and having your Facebook or Twitter accounts compromised because of a slack password policy isn't clever either
  • Invest in a password management tool - even something as simple as Password Safe ought to do the trick and it is free!
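The "look through my password safe" step above is tedious by hand, and it is easy to miss the passw0rdebay-style variants. The following script is an added example, not code from the original post or from Password Safe; it works over a constructed, made-up vault export (a list of service, username, password tuples, which is an assumption about the export format) and, given the name of the breached service, lists every other entry that uses the same password or a trivial variant of it (service name glued on either end, or a short run of digits or punctuation), reports any password shared by two or more services, and proposes a fresh, distinct replacement for each affected entry using Python's `secrets` module:

```python
import re
import secrets
import string
from collections import defaultdict

# Constructed sample vault export: (service, username, password).
# These are made-up entries for the example, not real credentials.
VAULT = [
    ("bank", "me", "Tq7!zR#pL9wB2v@X"),
    ("ebay", "me@example.com", "passw0rd"),
    ("facebook", "me@example.com", "passw0rdfacebook"),
    ("twitter", "me@example.com", "twitterpassw0rd"),
    ("smallshop", "me@example.com", "passw0rd"),
    ("forum", "me@example.com", "Rhubarb-Cricket-42"),
    ("webmail", "me@example.com", "Rhubarb-Cricket-42"),
]

ALPHABET = string.ascii_letters + string.digits + "!#%&*+-=?@^_"


def is_variant(candidate, compromised, service):
    """True if candidate is the compromised password, the compromised password
    with the service name glued on either end (passw0rdebay, ebaypassw0rd,
    optionally with a - _ . separator), or the compromised password with up to
    three digits/punctuation characters added at either end (passw0rd1!)."""
    c = candidate.lower()
    base = compromised.lower()
    if c == base:
        return True
    svc = re.escape(service.lower())
    # Strip the service name (and one optional separator) from either end.
    without_service = re.sub(rf"^{svc}[-_.]?|[-_.]?{svc}$", "", c)
    if without_service == base:
        return True
    # Strip a short run of digits/punctuation from either end.
    without_decoration = re.sub(r"^[\d\W_]{1,3}|[\d\W_]{1,3}$", "", c)
    return without_decoration == base


def reuse_groups(vault):
    """Map each password used by two or more services to those services."""
    groups = defaultdict(list)
    for service, _user, password in vault:
        groups[password].append(service)
    return {pw: svcs for pw, svcs in groups.items() if len(svcs) > 1}


def affected_by_breach(vault, breached_service):
    """The password stored at breached_service is now in the attacker's hands.
    Return every other service whose password is that password or a trivial
    variant of it, i.e. the entries that must be changed too."""
    leaked = next(pw for svc, _u, pw in vault if svc == breached_service)
    hits = [
        service
        for service, _user, password in vault
        if service != breached_service and is_variant(password, leaked, service)
    ]
    return sorted(hits)


def new_password(length=20):
    """A random password drawn with a CSPRNG; nothing to memorise, it lives
    in the password safe."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def replacement_plan(vault, breached_service, length=20):
    """Breached service plus every affected entry, each with its own fresh,
    unique replacement password."""
    to_change = [breached_service] + affected_by_breach(vault, breached_service)
    plan = {}
    used = set()
    for service in to_change:
        candidate = new_password(length)
        while candidate in used:  # vanishingly unlikely, but keep them distinct
            candidate = new_password(length)
        used.add(candidate)
        plan[service] = candidate
    return plan


if __name__ == "__main__":
    breached = "smallshop"
    print("Shared passwords:", reuse_groups(VAULT))
    print("Also compromised by the", breached, "breach:", affected_by_breach(VAULT, breached))
    for service, pw in replacement_plan(VAULT, breached).items():
        print(f"  change {service:<10} -> {pw}")
```

Run against the sample vault with `smallshop` as the breached site, the script flags `ebay` (same password), `facebook` and `twitter` (service name appended or prepended) as needing a change, and leaves `bank`, `forum` and `webmail` alone; it also reports the forum/webmail pair as a second reuse cluster that is worth breaking up before the next notification email arrives.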