More perils along the journey to a better password
This post is the 4th in an ongoing series about passwords. You may want to check out the other parts by clicking on tag: passwords.
***
Some of the most popular sites today are social media sites like Facebook. For whatever reason, Facebook does not encrypt your password in transit the way a banking site does. How would you know?
Well, the giveaway is in the URL, or web address. Secure sites begin with https, not just http.
The “s” stands for secure, and it’s very much absent from Facebook’s sign-in page. This means that your password is sent unencrypted to Facebook’s servers after you click the Login button. Such a transmission is open to eavesdropping: anyone who can “watch” the network traffic leaving your computer (someone on the same Wi-Fi network, for example) can read your password, and an attacker who can also alter that traffic can mount a man-in-the-middle attack. Secure (https) connections encrypt the information you submit, so even if it is intercepted, it’s of no use to the interceptor. One caveat: what actually matters is the address the login form submits your password to, not just the address of the page you are looking at, and a page loaded over plain http can itself be tampered with to change where that form goes.
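The check described above, as an added example that is not part of the original post: it looks for forms containing a password field on a login page, resolves where each one would submit the password, and reports whether both the page and the submission go over https. The sample pages and host names (social.example, bank.example) are constructed for illustration; no real site is fetched.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _LoginFormFinder(HTMLParser):
    """Collect the action attribute of every <form> that contains a password input."""

    def __init__(self):
        super().__init__()
        self._current = None        # the form currently being parsed, if any
        self.password_forms = []    # action attributes of forms with a password field

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_pw": False}
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_pw"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            if self._current["has_pw"]:
                self.password_forms.append(self._current["action"])
            self._current = None


def check_login_page(page_url, html):
    """Return [(submit_url, verdict)] for each password form on the page.

    verdict is one of:
      "secure"    - page and submission both use https
      "mixed"     - password goes over https, but the page itself came over
                    plain http, so the form could have been altered in transit
      "cleartext" - the password is submitted unencrypted
    """
    parser = _LoginFormFinder()
    parser.feed(html)
    page_https = urlsplit(page_url).scheme == "https"
    results = []
    for action in parser.password_forms:
        # An empty action submits back to the page's own URL.
        submit_url = urljoin(page_url, action)
        submit_https = urlsplit(submit_url).scheme == "https"
        if page_https and submit_https:
            verdict = "secure"
        elif submit_https:
            verdict = "mixed"
        else:
            verdict = "cleartext"
        results.append((submit_url, verdict))
    return results


# Constructed sample login pages (not real sites).
PAGE_CLEARTEXT = (
    '<html><body><form action="/login.php" method="post">'
    '<input name="user"><input type="password" name="pass"/>'
    '</form></body></html>'
)
PAGE_MIXED = (
    '<html><body><form action="https://secure.social.example/login" method="post">'
    '<input name="user"><input type="password" name="pass">'
    '</form></body></html>'
)
PAGE_SECURE = (
    '<html><body><form method="post">'
    '<input name="user"><input type="password" name="pass">'
    '</form></body></html>'
)

if __name__ == "__main__":
    for url, html in [
        ("http://social.example/", PAGE_CLEARTEXT),
        ("http://social.example/", PAGE_MIXED),
        ("https://bank.example/login", PAGE_SECURE),
    ]:
        for submit_url, verdict in check_login_page(url, html):
            print(f"{url} -> {submit_url}: {verdict}")
```

Only a "secure" verdict means the password is protected on the wire; "mixed" is what a login page that is itself served over http but posts to https looks like, and it is still exposed to an attacker who can rewrite the page.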
It's not just Facebook either. Many, many sites require or "encourage" you to create a username and password to make use of the site. Even some web-based email services like Gmail used plain http as the default protocol until recently.
If getting your password intercepted sounds unlikely, I assure you it isn’t. You can find free network-sniffing software online that would enable the 16-year-old sitting across from you at your favorite coffee shop to see everything you send unencrypted.
The biggest problem? If you use the same password for all your sites, you may be giving away your bank password when you sign into a non-secure site like Facebook even though it seems like you’ve done nothing wrong. You wouldn’t want to shout out your password to everyone in the coffee shop as you log into Facebook, but that may be what you’re doing.
Another way that hackers prey on folks is through the use of key loggers, a type of malware that sometimes sneaks its way onto people’s computers. A key logger records everything you type and sends the information to someone else. The more often you type a password on a computer with a key logger, the more likely it will come to the attention of someone who wants to access your accounts. By the time you find out, it may be too late.
Additionally, if you use public computers a lot, the chance of a key logger being on the computer is greater. You really have no way of knowing who has used the computer and what their intentions were.
These are just a few reasons why using the same password for all of your sites is a bad idea. Once your password is in the hands of the bad guys, all of your accounts are vulnerable: email, banking sites, brokerage sites, and much more.
Picture the various websites that make up your online “life” as a bunch of rooms in a long, narrow building. Each room has a door to the outside and also a door to the adjacent room. If a thief figures out which key unlocks any of the outside doors, and you use the same key for each lock, he can go anywhere.
In the first post of this series, we established 3 basic criteria for passwords:
- My password can’t be simple and popular
- My password can’t say anything about me
- My password can’t be a real word
I strongly encourage you to add a 4th rule: at a minimum, do not use the same password for financial sites and email or social media sites. The risk is way too high. Just think about how often you see people posting on Facebook that their account has been hacked. Having some hacker write silly things on your Facebook wall is bad enough; giving him access to your savings account is worse.
If you’re feeling concerned, that’s good. A little paranoia goes a long way on the web. But I don’t want you to be too worried because I’m going to offer some solutions to these problems.
And it’s also important to remember that nothing is foolproof. As long as people are people, there will be good ones and bad ones. And we all make mistakes. The key is to find the right balance between security and ease of use.
Leaving your house keys hanging by the door would ensure that you’d never get locked out, but it doesn’t keep you very safe. In a perfect world, we wouldn’t need keys or passwords, but the world isn’t perfect, so we must sacrifice a little convenience to keep ourselves and our families safe.
Stay tuned for more upbeat posts on passwords.
[Photo by anyjazz65 via Flickr]