Insecurity 2.0 … Don’t re-use passwords!
As an operator of a user-generated content site I’d like to warn my family/friends/users and others about what I suspect is a big, and likely growing, security problem. Not every username/password system is as secure as the big ones you are used to (e.g. Gmail, Yahoo, AOL, etc.), so do NOT re-use your “usual password” at all sites. Not all sites are secured equally (however clean/crisp their front page might look) and you need to recognize the risk. Yes, this is common sense, but I suspect it is also common mis-practice.
Think about it … you create your username at some rinky-dink little web 2.0 website (like mine), and you use something you are comfortable with/you remember, perhaps based upon your e-mail address or your typical login. For recognition (yours and other folks’) you use what you know. You use your e-mail account username, or your FaceBook username. Perhaps all are the same (or close enough). Chances are a quick web search will connect your username to your true identity pretty quickly, or the username is identity enough.
Then you have to choose a password. Who can remember so many, especially with so many piddly little sites? You think “why take the time to remember one for that site?” … and proceed to enter your “usual password”. That password has just been given to somebody who might not be secure, who might store it in plaintext instead of as a salted, slow hash, who might already have been compromised. (Heck, they might’ve created a simple site purely to capture username/password pairs and sell them on the black market. That is not out of the question; it is likely a cost-effective scam.)
Giving your secure passwords to anything but the biggest sites is crazy. You just possibly gave away *all* the access credentials needed to reach your private accounts to someone/something you cannot trust. You might use that same username/password combination for your online banking, for your e-mail, for any number of truly secure & important sites. Whoever holds the leaked pair only has to try it at each of those sites to find out.
It is that simple. I suspect a large percentage of “average users” are giving their most private credentials to totally untrusted organizations. In short: create a new password for each site (a password manager makes this practical), and never trust your “secure passwords” to non-secure sites.
Why do I think this is a rife/growing problem? Recently … I’ve seen folks trying to log into my site with usernames of folks I know, who (when I ask) were not attempting to log in at that time. Basically someone (or something) was trying to log in using their credentials. In these cases they failed to log in (the credentials were different on this site) and I received a log message notification. It would seem that somebody perhaps thinks they may have stolen the credentials of these users and is seeing how much access they get with them. Maybe they’ve logged into their bank, maybe they’ve been reading their e-mail, stolen their address book & are spamming their friends. Maybe they are just biding their time with full access.
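The log pattern described above (failed logins against real accounts, from one source, in a short burst) is what a small site can watch for. Here is an added example of that check, not code from the original post or from the author’s site; the log line format, the sample lines and the list of known accounts are all constructed assumptions, so adapt the regex to whatever your framework actually writes:

```python
"""Credential-stuffing triage over a small site's login log.

Added example; the log format ("ts login user=... ip=... result=ok|fail")
is an assumption, as are the sample lines and the account list below. The
idea is the one the post describes: a failed login for an account that really
exists, and especially failures against many real accounts from one source in
a short window, is the signature of someone replaying credentials stolen from
some other site.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in the assumed format, not real traffic.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z login user=alice ip=198.51.100.7 result=ok
2024-03-01T10:02:15Z login user=bob ip=203.0.113.9 result=fail
2024-03-01T10:02:16Z login user=carol ip=203.0.113.9 result=fail
2024-03-01T10:02:18Z login user=dave ip=203.0.113.9 result=fail
2024-03-01T10:02:20Z login user=erin ip=203.0.113.9 result=fail
2024-03-01T10:02:21Z login user=nosuchuser ip=203.0.113.9 result=fail
2024-03-01T10:30:00Z login user=bob ip=198.51.100.42 result=fail
2024-03-01T10:30:05Z login user=bob ip=198.51.100.42 result=ok
"""

# Accounts that actually exist on the site (constructed).
KNOWN_USERS = {"alice", "bob", "carol", "dave", "erin"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>ok|fail)$"
)


def parse_log(text):
    """Yield (timestamp, user, ip, result) tuples; lines that don't match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["user"], m["ip"], m["result"]


def find_stuffing_sources(text, known_users=KNOWN_USERS,
                          window=timedelta(minutes=5), min_accounts=3):
    """Return {ip: sorted real accounts} for every source IP whose failed logins
    hit at least `min_accounts` distinct *existing* accounts within `window`.

    Failures against usernames that do not exist are ignored on purpose: an
    attacker holding a stolen credential list hits real accounts, which is what
    separates this pattern from blind username guessing or one user's typos.
    """
    events = sorted(parse_log(text))
    per_ip = defaultdict(list)  # ip -> [(ts, user)] failures on real accounts
    for ts, user, ip, result in events:
        if result == "fail" and user in known_users:
            per_ip[ip].append((ts, user))

    flagged = {}
    for ip, fails in per_ip.items():
        best = set()
        start = 0
        for end in range(len(fails)):          # sliding time window per IP
            while fails[end][0] - fails[start][0] > window:
                start += 1
            accounts = {u for _, u in fails[start:end + 1]}
            if len(accounts) > len(best):
                best = accounts
        if len(best) >= min_accounts:
            flagged[ip] = sorted(best)
    return flagged


def users_to_notify(text, known_users=KNOWN_USERS):
    """Real accounts that a flagged source tried: the people worth asking
    'were you just trying to log in?', and worth telling to change the
    password they used elsewhere."""
    flagged = find_stuffing_sources(text, known_users)
    return sorted({u for users in flagged.values() for u in users})


if __name__ == "__main__":
    for ip, accounts in find_stuffing_sources(SAMPLE_LOG).items():
        print(f"{ip}: failed logins against real accounts {accounts}")
    print("notify:", users_to_notify(SAMPLE_LOG))
```

Note what the check does not flag: bob’s own single failure followed by a success from 198.51.100.42 looks like a typo, not an attack, and the guess against a non-existent username from the attacking address is discarded rather than counted. The thresholds (five minutes, three accounts) are starting points to tune against your own traffic.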
BTW: I added OpenID authentication to my site in the hopes of easing this problem of memorizing passwords, except that the folks who truly need it aren’t comfortable using it, and so don’t. As such, the best defense is best practices.
Don’t re-use passwords. Don’t, not ever. Never, never, never.