Security Sprint – Internet Passwords
We’re all busy people. A security sprint should take no more than two hours, which, while long for a real sprint, is a mere blink of an eye compared to the multi-year commitment that is proper security practice.
You’ve probably heard about some of the recent attacks against various websites. The problem is that if one of the sites you use gets attacked AND they’re not encrypting your password AND you’re using the same password on other sites, then that one breach on one site can put all your other sites at risk. Of course, if you want to be on the Internet, you have to accept some risk, but it’s hard to accept a risk you don’t know is there. So let’s figure it out.
1) Take twenty minutes and make a list of all of your Internet sites in a spreadsheet. Try to remember all of them, not just the common ones. The “Sites to consider” list at the end of this post will get you started.
2) Go to the login page of each site and click the “forgot your password?” link. Yes, this will reset your password, but that’s the point.
3) Once the password-reset email arrives, look at it. Does it contain something that sounds like a password you’d pick for yourself? If so, the site was able to read your password back out of its database, which means there’s a good chance they’re not encrypting their passwords properly. Create a “secure” column in your spreadsheet and mark these sites as “no”.
4) If the password in the email looks random, then they reset your password for you, which probably means they can’t access your password directly and that it’s stored encrypted in the database. Mark these as “yes” in the “secure” column.
5) There is a drawback to this plan: all of your passwords will change. Most of the sites you marked as secure will force you to change the temporary password when you log back in. If a site doesn’t, change its “yes” to “no”.
6) Now you have a list of all of your sites and know which ones are more trustworthy. The last step of this sprint is to reset your passwords to something more secure. There are lots of articles and tools out there, and I see no need to add to the pile. All I’ll say is that you should pick passwords you can remember and that aren’t the same on every site. If you want to use really complex passwords, look into password wallet (password manager) software.
7) Once all your passwords are changed, and you have an idea of how risky your sites are, you can proceed with your Internet life in relative security.
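To show why the “forgot your password?” test in steps 2 through 5 works, here is an added example (not part of the original post, and not any real site’s code). It models two hypothetical back-ends, `PlaintextSite`, which keeps passwords readable and mails them back, and `HashedSite`, which stores only a salted PBKDF2 hash and so can only issue a random temporary password, then applies the post’s heuristic to the reset mail and writes the resulting “secure” column as CSV. The site names, user `alice` and sample password are constructed for the demonstration.

```python
import csv
import hashlib
import hmac
import io
import secrets


class PlaintextSite:
    """Hypothetical site that stores passwords as-is (the 'no' case)."""

    def __init__(self):
        self._users = {}          # user -> password, readable by anyone with DB access
        self.must_change = set()  # never populated: the old password still works

    def register(self, user, password):
        self._users[user] = password

    def login(self, user, password):
        return self._users.get(user) == password

    def forgot_password(self, user):
        # The site can read the stored password back, so it just mails it.
        return f"Hi {user}, your password is: {self._users[user]}"


class HashedSite:
    """Hypothetical site that stores only a salted PBKDF2 hash (the 'yes' case)."""

    def __init__(self):
        self._users = {}          # user -> (salt, digest)
        self.must_change = set()  # users who were reset and must pick a new password

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, self._digest(password, salt))

    def login(self, user, password):
        salt, digest = self._users[user]
        return hmac.compare_digest(digest, self._digest(password, salt))

    def forgot_password(self, user):
        # The old password cannot be recovered from the digest, so the only
        # option is a fresh random temporary password whose hash replaces it.
        temp = secrets.token_urlsafe(12)
        self.register(user, temp)
        self.must_change.add(user)
        return f"Hi {user}, your temporary password is: {temp}"


def classify_reset_email(email_body, password_you_chose):
    """Steps 3/4: 'no' if the mail echoes the password you chose, else 'yes'."""
    return "no" if password_you_chose in email_body else "yes"


def audit(sites, user, password_you_chose):
    """Run steps 2-5 over {name: site} and return the spreadsheet rows."""
    rows = []
    for name, site in sites.items():
        mail = site.forgot_password(user)
        secure = classify_reset_email(mail, password_you_chose)
        # Step 5: a 'yes' site should force a change when you log back in.
        if secure == "yes" and user not in site.must_change:
            secure = "no"
        rows.append({"site": name, "secure": secure})
    return rows


def to_csv(rows):
    """Render the rows as the 'site,secure' spreadsheet described in step 1."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["site", "secure"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def demo():
    """Constructed sample run: one site of each kind, same user and password."""
    chosen = "correct horse battery staple"  # sample password, constructed here
    sites = {"example-plain": PlaintextSite(), "example-hashed": HashedSite()}
    for site in sites.values():
        site.register("alice", chosen)
    return audit(sites, "alice", chosen)


if __name__ == "__main__":
    print(to_csv(demo()))
```

Note that the heuristic is a proxy, as the post’s “probably” already hints: a random temporary password only shows that the site did not hand your old password back, not that it was hashed rather than reversibly encrypted. A “yes” therefore means “no evidence of plaintext storage”, which is still the most you can learn from the outside.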
Sites to consider:
- Email: Gmail, Yahoo Mail, Hotmail
- Social: MySpace, Facebook, Livejournal, Twitter
- Professional: LinkedIn, Plaxo, Namez, Zoominfo, Notchup
- Images: Flickr, Photobucket, Smugmug
- Documents: Scribd, Docstoc, Instructables, SlideShare
- Shopping: Amazon, Zappos
- Bookmarking: Delicious
- Video: YouTube, Vimeo