Password vulnerabilities

Published on 7 Nov 2008. Tagged with migueldeicaza, security, reddit, openid.

While skimming through my old bookmarks, I found an article by Miguel de Icaza in which he talks about an incident of password theft at reddit and password vulnerabilities in general (both links taken from the article).

[M]any of my friends use combinations of 'the same password everywhere' (especially the non-technical), 'the password with the site name' (slightly more technical), 'three tiers of passwords: weak, normal and high-security'.

I belong to the group of users who try to remember a small number of different passwords for different levels of security. I don't like this approach, but anything more secure is a usability disaster if you have to access some of your accounts from different computers (which, on the other hand, is always a security disaster in itself).

Evolving technologies like OpenID might be a solution. With OpenID, the account's password is stored on a single identity provider and is never handed to the sites on which the account is used. But there are risks, too: if, for some reason, the OpenID server doesn't respond, you will be unable to log into any site that depends on that OpenID account. And if your OpenID account's password gets stolen and changed, the thief will be able to log into every site linked with that account. I guess that's what security questions were invented for.

I think the most important point about password vulnerabilities is to be aware of them. Beyond that, common sense is always a good thing: do not log into your online banking account from a computer you do not control; always pick unique passwords for important accounts and keep them safe (that is, in your head or at least offline).

Trying to estimate the probability that someone is going to try to hijack one of your accounts would result in an expression like the Drake equation: you just can't tell.

Oh, and do change your Google password every few weeks. Start now.