Password Safety

Earlier today I heard an educator tell me that she uses the same password for most of her online accounts.  I'm sure you know people who admit to doing so.  Maybe you're one of the millions of people who use the same password (or near variant... Password vs Password123) for your online accounts.  If so, I believe this post would be worth your time to read (or pass along to someone who could benefit from reading this article).

Of course, using the same password is bad.  Dangerous and bad, for sure.  Most of us know the dangers of doing so.  The technology experts have warned against this practice for years.  Yet...

Let's be honest about something.  Most of us do share our passwords with our family members who may share the same home computer.  Or we may share our work passwords with those who work in the same office or down the hallway who may need access to our workstations when we are out sick from work.  Most of us also have one password which is used for more than one account.  It's a matter of convenience; most of us don't have the memory (or desire) to recall 10 different passwords for 10 different security checkpoints.

Still in denial about that, huh?  Does your garage door keypad code match your PIN to your debit card?  Is your voicemail password still factory preset at 1234?  Yeah.  Gotcha there, huh?

Do I seem harsh?  If it makes you feel any better, as I've stated, you are not alone.  Most people use weak passwords.  Here's some information on an interesting analysis of a recent leak of Yahoo passwords.  You may not be alone in using the same password in several places, but it's company I'd rather not keep.

I'm reminded of a position I used to hold with my former employer.  This position granted me access to our clients' basic demographic information, through my access to our database management system.  There were roughly a dozen people working in my office at the time, and all of them had access to the same software and secure information I did (if not more.)  Most of us used the system for two things: finding clients' phone numbers or addresses.  However, the database held lots of other fields of information.... to which we all had access.

One of those obscure resources we had access to was our clients' online account access information: their username and password, security questions, website usage, etc.  I never recall being asked to use this information for anything.  It was just there.  In plain sight.  (I suppose we could use this information to help a client access their account if they forgot such information and were simultaneously locked out of their linked email account to request a password reset.)  Though I never used this information for anything productive, I certainly enjoyed finding themes in their username creativity (or lack thereof): prettygirl4u, basketball_is_life, MrBigShotDave, etc.

It never really dawned on me until a few weeks ago that such information could be terribly devastating in the wrong hands.  While it wouldn't be enticing for me to use their login information to change anything in our system by logging in as them, it led me to consider using this information to attempt to log in to other systems.

Consider this: I was given access to a client's username and password for our system.  Could it be possible that this user would use the same combination on other systems?  Could their social networking pages, personal blogs, professional website, email, desktop screensaver, online banking access, credit card accounts, photo sharing service, or corporate work accounts use the same username and password?

I believe it's not only possible, but probable. 

I've always heard that it's wise to use different passwords for every online account one uses.  Until recently, I had only thought that this would be to prevent someone who gained knowledge of your password from logging into your online account(s) and engaging in identity theft.  I personally wasn't worried about this possibility, because my passwords are secure, and I do not share them.  My passwords are my passwords.  I wasn't concerned with anyone finding out my password because I never tell anyone.

Or, so I thought.

The sad truth of the matter is this:  there is someone, somewhere who has access to my passwords, and your passwords.   Someone in the IT crew, the tech support, the customer service agents, or the database managers has it.  If they have access to your password on their system, to how many other of your online accounts do they now hold your login credentials?

Granted, not all companies share users' login credentials with their employees.  Most large companies don't, actually.  Most large companies with secure websites don't even have a record of your passwords; they're kept encrypted and can't be seen, only reset when forgotten.  However, what about the small companies (like my former job) where the clients' credentials are displayed in plain sight on the screen in front of me?  Those are the weak links; those are the password security holes.

Something to consider.  Right, basketball_is_life?
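
To make the contrast above concrete, here is an added example (not code from any company mentioned in this post) comparing a row that stores the password in plain sight with one that stores only a salted PBKDF2 hash, one common way to get the "can't be seen, only reset" behavior. The sample password, the function names and the iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # PBKDF2 work factor; an assumed value, tune for your hardware

def plaintext_row(username, password):
    """The design described in the post: staff browsing the table read the password."""
    return {"username": username, "password": password}

def hashed_row(username, password):
    """Store a per-user random salt and a derived key, never the password itself."""
    salt = secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"username": username, "salt": salt.hex(), "key": key.hex()}

def verify(row, attempt):
    """Re-derive the key from the login attempt and compare in constant time."""
    salt = bytes.fromhex(row["salt"])
    key = hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, ITERATIONS)
    return hmac.compare_digest(key, bytes.fromhex(row["key"]))

def reset(row, new_password):
    """A forgotten password is replaced, not looked up: the old one is unrecoverable."""
    return hashed_row(row["username"], new_password)

def visible_to_staff(row, password):
    """True if someone reading the stored row can read the password off the screen."""
    return any(password in str(value) for value in row.values())

if __name__ == "__main__":
    pw = "Hoops4Ever!"  # constructed sample password
    old = plaintext_row("basketball_is_life", pw)
    new = hashed_row("basketball_is_life", pw)
    other = hashed_row("MrBigShotDave", pw)  # a second client reusing the same password
    print("plaintext row leaks password:", visible_to_staff(old, pw))
    print("hashed row leaks password:   ", visible_to_staff(new, pw))
    print("same password, same stored key?", new["key"] == other["key"])
    print("correct login accepted:", verify(new, pw))
    print("wrong login rejected:  ", not verify(new, "Hoops4Ever"))
    print("old password after reset:", verify(reset(new, "n3w-passphrase"), pw))
```

Because each row gets its own random salt, an employee looking at the hashed table cannot even tell that two clients chose the same password.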


Notes:

Need some help coming up with a good password?  Might I suggest this site to do a quick health-check?  (But, then again, do you trust the site's IT staff to not use your IP address to track you down and then log in to your bank account management?  Maybe you'd better check the strength of a fake password?)

Maybe you're concerned that your email has been hacked?  Find out here.

Maybe you continue to be in denial about the security of your password?  I think this page may help you tame your tongue and open your eyes.  Try not to bury your head in the sand after you've finished reading.