Online Security Part One

These days everyone seems to be talking about moving their lives to ‘the cloud’. Google has started making noises about an operating system built around our data stored online, but I think that we, the users, are not ready for this yet. The average user has a terrible dark secret that we don’t want anyone else to know about, and it could expose all of our online data to an attacker.

Passwords are the keys to our online lives. We need good, secure passwords to prevent unauthorized access to our bank, blog, Twitter, Google, Yahoo, Flickr, and that slightly dodgy-looking service that we signed up for thinking it was something else, but it wasn’t. In practice the average user has one, or maybe two or three, passwords, not a separate one for each service.

So, here is the first way that all of your accounts can be hacked. I design websites with secure logins, which users sign up for by providing a password. Now, since I have a conscience and good moral fibre, I make sure that these passwords are never stored as-is: only a salted, deliberately slow one-way hash is kept, so the original password is hidden even from me. Not all programmers do that. It only takes one rogue programmer with access to a plaintext password database to discover your password. If you have used the same password for your other accounts, they can log into those as well.
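The difference between a plaintext password table and a properly hashed one, as an added example that is not code from the original post. It stores each password as a salted PBKDF2-HMAC-SHA256 digest in a self-describing record and verifies a login attempt by recomputing the digest; the record format (`pbkdf2_sha256$iterations$salt$digest`), the iteration count and the sample users are assumptions made for this example. Anyone reading the stored records, rogue programmer included, sees only random-looking salts and digests, and two users who chose the same password get different records because each gets a fresh salt.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumed parameters for this example: PBKDF2-HMAC-SHA256 with a fixed
# iteration count. Tune the count to your hardware; higher is slower for
# both you and an attacker guessing passwords offline.
HASH_NAME = "sha256"
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a storable record: algorithm$iterations$salt_hex$digest_hex.

    A fresh random salt is generated unless one is supplied, so the same
    password hashed twice yields two different records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_{HASH_NAME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the record's own salt and parameters.

    Returns False for malformed records instead of raising, so a corrupted
    row cannot crash the login path. The comparison is constant-time.
    """
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iters)
    except ValueError:
        return False
    if algo != f"pbkdf2_{HASH_NAME}" or iterations <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"),
                                    salt, iterations)
    return hmac.compare_digest(candidate, expected)


# Constructed sample accounts for the demonstration; two users happen to
# share a password, which is exactly the reuse problem the post describes.
SAMPLE_USERS = {
    "alice": "correct horse battery staple",
    "bob": "hunter2",
    "carol": "hunter2",
}


def plaintext_table(users: Dict[str, str]) -> Dict[str, str]:
    """What the badly designed site stores: the passwords themselves."""
    return dict(users)


def hashed_table(users: Dict[str, str]) -> Dict[str, str]:
    """What the responsible site stores: one salted hash record per user."""
    return {name: hash_password(pw) for name, pw in users.items()}


def leaked_passwords(table: Dict[str, str]) -> Dict[str, str]:
    """Simulate a rogue programmer reading the table.

    For the plaintext table every value *is* the password. For the hashed
    table nothing usable is recovered, so the result is empty.
    """
    return {name: value for name, value in table.items()
            if not value.startswith("pbkdf2_")}


if __name__ == "__main__":
    bad = plaintext_table(SAMPLE_USERS)
    good = hashed_table(SAMPLE_USERS)
    print("plaintext table leaks:", leaked_passwords(bad))
    print("hashed table leaks:", leaked_passwords(good))
    print("bob and carol share a password but their records differ:",
          good["bob"] != good["carol"])
    print("login check for bob:", verify_password("hunter2", good["bob"]))
```

The usual objections apply: a hashed table does not stop an attacker from guessing weak passwords offline, it only makes each guess cost one full PBKDF2 run, which is why the iteration count matters and why the reuse problem in the rest of this post still exists. A memory-hard function such as scrypt or Argon2 would be the stronger choice today; PBKDF2 is used here only because it ships in the standard library.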

However, that still requires access to the servers in the first place, and a poorly designed website can be attacked without it. It only takes one badly programmed website that you have an account with to leak your password to an enterprising attacker. So again, if you do not have separate passwords for each website, this attacker can try your username and password on other accounts, like your bank or email.

The thing is that, even though both of these security vulnerabilities are the responsibility of the programmers of the flawed website, it is the user’s fault if other accounts are then broken into with the same password. I understand that in reality we have not seen many examples of non-celebs having multiple accounts breached this way, but as we move more and more of our data online we, the average users, have a responsibility to provide better protection for these silos of data, which are tempting targets for the online criminal.

I have my own personal password policy, but it is very technical and not necessarily practical for most people, so I am currently looking into a suitable alternative that could be used by anyone. I look forward to revealing my results here in the next few weeks.