As time goes by it is a near certainty that you will find yourself signing up for more and more websites and associated web-based services.
Each of these will want varying amounts of data from you but, as a minimum, they’ll require a username and password. There isn’t anything suspicious about that – it’s just the de facto method of securing a user’s login. Of course many other services will want more than that – they’ll also want your email address and real name for the purposes of adding you to an email list, either so that they can send updates to you, or so that they can advertise directly to your inbox.
A much bigger problem than receiving such emails though is what to do with all the passwords you are generating – only using one password for all of your accounts is a crazy idea after all.
By the time you have six, seven, fifty online accounts, the ability to remember a huge number of unique login credentials is severely diminished.
That’s why the majority of websites and services offer the ability to reset passwords – too many people don’t use a password manager, are sensible enough not to write passwords down, and so they forget them.
If you’ve ever tried to reset a forgotten password you’ll know that many will only deliver the reset link to the email address you signed up with. Many, however, also require an answer to a security question.
So what do you think could happen if your email is compromised and you have used the same security question for every account?
I know too many people who are savvy enough to use different passwords everywhere but then employ the same security question on every site, and they use something obvious too, such as their mother’s maiden name.
The problem is, though, that once someone has the required secret answer, they can then use it to access all of your other accounts too.
Whilst there is an argument to be made about the type of security questions posed (too many sites and services are limited to asking the same few questions) there is also a point here about the responsibility of the user.
Whilst I think people are slowly getting the message about password variety (lots of work still needed though, based on password dumps from recent breaches) I also think that we need to start educating users about the need to not rely on the same security question either.
Or, at the least, not give the same answer to every site (a memory better than mine would be required if going down that avenue though). So, for example, the answer to “favourite pet” need not be your own best remembered animal on every site: it could be the pet of a family member or friend on one site and a different one on the next, so that the answer changes from site to site.
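One practical way to follow that advice is to treat security-question answers exactly like passwords: a different, random one per site, kept in the same kind of store a password manager uses, with a check that flags any answer that would unlock more than one account. The script below is an added example written for this post, not code from the original article; the word list, the in-memory/JSON store and the example site names are all constructed for illustration.

```python
"""Added example (not from the original post): store security-question answers
per site, generate random ones, and report any answer reused across sites.

Assumptions (mine, not the post's): answers are kept in an optional local JSON
file, and random answers are built from a small constructed word list using
only the Python standard library."""
import json
import secrets
from pathlib import Path
from typing import Optional

# Constructed word list for the demo; a real tool would use a large dictionary.
WORDS = ["otter", "maple", "cobalt", "harbor", "lantern", "quartz",
         "meadow", "saffron", "thistle", "velvet", "walnut", "zephyr"]


def generate_answer(n_words: int = 3) -> str:
    """Random multi-word answer that is unrelated to any real fact about the user,
    so it cannot be guessed from social media or a breach of another site."""
    return "-".join(secrets.choice(WORDS) for _ in range(n_words))


class AnswerVault:
    """Maps (site, question) to an answer so each site gets its own secret.

    With path=None the vault is in-memory only; with a Path it is persisted as JSON.
    """

    def __init__(self, path: Optional[Path] = None):
        self.path = path
        self.entries: dict = {}
        if path is not None and path.exists():
            self.entries = json.loads(path.read_text())

    @staticmethod
    def _key(site: str, question: str) -> str:
        # Normalise so "Favourite Pet?" and "favourite pet?" are the same question.
        return f"{site.strip().lower()}|{question.strip().lower()}"

    def set_answer(self, site: str, question: str, answer: Optional[str] = None) -> str:
        """Record an answer for one site; generates a random one if none is given."""
        answer = answer or generate_answer()
        self.entries[self._key(site, question)] = {
            "site": site, "question": question, "answer": answer}
        if self.path is not None:
            self.path.write_text(json.dumps(self.entries, indent=2))
        return answer

    def get_answer(self, site: str, question: str) -> Optional[str]:
        entry = self.entries.get(self._key(site, question))
        return entry["answer"] if entry else None

    def sites_unlocked_by(self, answer: str) -> list:
        """The blast radius of one leaked answer: every site where it is accepted."""
        wanted = answer.strip().lower()
        return sorted({e["site"].lower() for e in self.entries.values()
                       if e["answer"].strip().lower() == wanted})

    def reused_answers(self) -> dict:
        """Answers used at more than one site, mapped to those sites.
        An empty dict is the goal the post argues for."""
        by_answer: dict = {}
        for e in self.entries.values():
            by_answer.setdefault(e["answer"].strip().lower(), set()).add(e["site"].lower())
        return {a: sorted(s) for a, s in by_answer.items() if len(s) > 1}


if __name__ == "__main__":
    vault = AnswerVault()
    # Constructed demo: the same obvious answer on two sites, a random one on a third.
    vault.set_answer("example-bank", "Favourite pet?", "rex")
    vault.set_answer("example-mail", "Favourite pet?", "rex")
    vault.set_answer("example-shop", "Mother's maiden name?")
    print("reused:", vault.reused_answers())
    print("'rex' unlocks:", vault.sites_unlocked_by("rex"))
```

The `reused_answers` check is the part worth keeping: it turns the post's warning about one compromised mailbox plus one shared answer into something you can audit, and `sites_unlocked_by` shows exactly which accounts a single leaked answer would expose.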
In any event, I think there is much that could be done to dissuade users from employing repetition in both their choice of password and security answer.
The increasing number of hacks and breaches highlights how businesses could often do more to secure data, but users would also do well to pay heed and take as much action as is open to them in order to secure things from their end.
At the end of the day, if you aren’t smart when it comes to creating your online accounts, the bad guys certainly will be when it comes to taking them over.