A friend of mine, Bill, found out that his password had been mailed to him in plaintext from his ‘shiny, new 401k’, and he wrote about the disconcerting experience of a financial services company being careless with security. Having worked at a financial services company, I can only say that the troubles he encountered are not that bad… you should have seen some of the sausage being made in the factory I worked in.
That said, Bill violated a crucial rule of security and he needs to learn it as much as the Schwab folks need to learn their own lessons:
Never, never, never depend on someone else to provide your security.
Bill “used one of his common passwords”… and you shouldn’t have any of those. A common password is a common vulnerability, especially because you can’t know how companies will protect your passwords or your data — as he unfortunately learned. To avoid this, you can use a desktop application (such as the free Password Safe, originating from Bruce Schneier’s Counterpane Labs) or a browser plug-in (such as Password Hasher or Secure Login or any of the other 48 listed on the addons site) or the Mac’s built-in Keychain app so you can generate random passwords and never, never reuse them. Personally, I’ve been using Password Safe for years.
He also offers good tips for websites to make their applications more secure, like not asking for constant, widely known data such as mother’s maiden name. Your own option, as a user, is to not answer with the expected response. Mother’s maiden name? Istanbul. Honeymoon location? Jones. And so on…
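To make the two pieces of advice above concrete, here is a small added example (my own illustration, not code from Password Safe or any of the tools mentioned): a toy “password safe” that gives every site its own cryptographically random password, gives every secret question a random answer, and flags any password that is shared between sites. Site names and questions in the demo are constructed.

```python
# Added example, not part of the original post: a toy "password safe" in the
# spirit of the advice above. Every site gets its own cryptographically random
# password, each "secret question" gets a random answer, and the safe can
# report the "common password" problem (one password used at several sites).
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def random_secret(length=16, alphabet=ALPHABET):
    """Draw `length` characters from `alphabet` using the OS CSPRNG (secrets, not random)."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet=ALPHABET):
    """Bits of entropy of a uniformly random string of `length` over `alphabet`."""
    return length * math.log2(len(alphabet))


def add_site(safe, site, questions=(), length=16):
    """Create an entry for `site` with a fresh password and random answers.

    Returns the entry, or None if the generated password already exists in
    the safe (astronomically unlikely, but the no-reuse rule is enforced anyway).
    """
    password = random_secret(length)
    if password in {entry["password"] for entry in safe.values()}:
        return None
    # Answers are random too: a mother's maiden name is public data, a random
    # string is not. They only ever need to be looked up in the safe.
    answers = {q: random_secret(12, string.ascii_letters) for q in questions}
    safe[site] = {"password": password, "answers": answers}
    return safe[site]


def reused_passwords(safe):
    """Return groups of sites that share a password (the 'common password' problem)."""
    by_password = {}
    for site, entry in safe.items():
        by_password.setdefault(entry["password"], []).append(site)
    return [sorted(sites) for sites in by_password.values() if len(sites) > 1]


if __name__ == "__main__":
    safe = {}  # constructed demo data; a real safe would be encrypted on disk
    add_site(safe, "401k.example", ("Mother's maiden name?", "Honeymoon location?"))
    safe["bank.example"] = {"password": "same-everywhere", "answers": {}}
    safe["shop.example"] = {"password": "same-everywhere", "answers": {}}
    print("entropy of a 16-char password: %.1f bits" % entropy_bits(16))
    print("sites sharing a password:", reused_passwords(safe))
```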
Never trust someone else’s security.
Technorati Tags: security, password, firefox
October 17th, 2007 at 9:50 am
Thanks for the link Matt!
Yes, yes, I know I shouldn’t reuse passwords ever. Shoot me. I’m a user! The problem with most of the solutions you recommended are that they are not easily portable, and I use at least 6 different computers on a daily basis.
By “common password,” I meant a password based on an algorithm I use that allows me to remember different passwords for each site. For example (and this is not it!): combine an acronym for the site name with a number, such as an important date, and a special character… www.schwabplan.com might then become SCHWB1225! Hard to guess, easy to remember (who doesn’t associate their 401K with Christmas?), and unique per site.
Your advice is of course solid. Unique, random passwords are best, but you must always balance usability. And your random password still ain’t worth a damn if Schwab writes it down and someone else intercepts it.
-B
October 17th, 2007 at 10:37 am
So here’s the twist that I forgot to put in the entry… I never received a password in the mail. Did I elect a different option (I chose e-delivery of everything) than you, or was it intercepted? I’m not sure… so now I’m changing my random password to another random password.
Sigh.
I balance usability with a thumbdrive.