January 14, 2011

Password Sharing - I'll Never Understand

I have never, nor will I ever, share a password. To be clear, I mean a password for anything. It could be my PIN for my Coke Rewards points account, or it could be my primary email address. The likelihood that I'll just give that out is exactly the same: zero. It's a trust thing. Not that I'm doing anything sketchier than the next guy with my E-Identity. But I know the temptations exist, and there are some pretty damn creatively destructive people out there. 4chan alone is a perfect example.

It never ceases to amaze me when I get calls from users asking me to reset someone else's password. Add on top of that the fact that these people tend to get indignant when I tell them I won't reset it for anyone but the affected user, or supervisors who call and tell me that the end user will just have to give them their new password anyway, and you have a delicious parfait of stupid. So many levels! So many flavors! As a garnish, let's add the user who calls up and, before you can even finish your greeting, blurts out "Hi, this is so-and-so, and my password is XXXXXX." Whoa! Slow down, Hoss! Didn't you get the memo that you shouldn't ever respond to a request for your password, much less volunteer it?!

But this is something that absolutely shocked me. This morning, we had a user send a scatter-shot email to several different people saying she'd forgotten her password. Now, this particular application is supported by a third-party vendor, who was included on the email. OK, that's fine. When in doubt, try to find the right person to help. I'm OK with that.

Here's the thing that gets me. The vendor then replies back to the user (care of the reply-all feature) with her username and new password. While yes, that's an egregious breach of security on its own, add on top of this that the affected user has rights to access sealed court records and juvenile court records, and you have a recipe for a potential breach with catastrophic consequences.

It's days like today when I really start to wish I'd taken that black-hat road and become a social engineer. I mean, it's got to be so EASY! Trust me, I understand how big a pain in the ass it is to have to have a different, complex password for every single system you have an account for. I have the same, if not more, since I need to be able to log in to test/reset passwords on them too. It sucks! But it really is important.

Part of me is convinced most people just don't understand WHY it's so important to keep your online identity safe. Heck, too many people don't take their real identity seriously, so I can understand. But they really should, and here's why.

Let's start with a plausible situation. My bank has a perk for its members where you can use their online banking to transfer money between account holders, even if they're with a completely different bank. Kinda handy. However, let's say that User A hands out their password to a coworker, User B, to make it easier to do some menial task on User A's machine in the event they're unavailable to do it themselves. While logged in as User A, User B visits the online banking site and is able to get in, either with a guessed password, by finding it under a keyboard, or by having the browser autofill it. Using User A's credentials, User B transfers money from one account to their own. Because this was all done under User A's digital name, there's no easy way to prove it was done without their consent.

Think about leaving your password with someone and what they can do with your email. Perhaps you have a coworker who's a prankster and decides that you're suddenly going to be very opinionated about a local issue and you just have to share your thoughts with the local paper. They open up your email program and fire off a feisty letter to the editor. It could be detrimental to you, it could be harmless. Either way, it's your name attached to something that wasn't your creation.

My point is, keep your name safe. Much like trying to get toothpaste back into the tube, reclaiming your digital identity is a chore, and a chore I don't think anyone wakes up in the morning looking forward to.
