The Weakest Link - Email Passwords

by Brad Garland

Most people (and I would dare say that even security professionals) do not realize the greatest risk to online security. The greatest risk does not come from having one password spread out over multiple sites, or even having your password written down (granted, these are HUGE risks). The greatest risk for online account security comes from the email-based password reset mechanisms.

The issue is that when a user forgets his password, most sites will allow the user to reset his password via email. This means that the easiest way into most users’ accounts is through access to their email account. In other words, the single most important password that you must protect is the password to your email account.

Unfortunately, there are huge gaps in current password security systems, including those for email accounts. The biggest gap comes in the form of a question-answer reset mechanism. Generally, the user trying to reset his password will be asked a generic question, such as “What is your high school mascot?” or “What color was your first car?”. This mechanism results in a major weakness in online security, given that it is significantly easier to guess that my first car was black than to guess my actual password.

Here are a couple of things you can do to immediately improve your online security:

1. Change your email password. Make the password as complex as possible, without reusing a scheme or pattern that you have used in the past. Ensure that the password is about 8 alphanumeric characters with at least one uppercase letter and one special character.

2. Modify your password reset questions and answers for your account. If possible, create your own question, and use answers that only you could possibly know. Do not let the answer to a question be something that can be “Googled”. If you are not given the option to create your own question, consider being unconventional. For the color of your first car, answer with something unrelated, for example, “Starbucks”.
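To put rough numbers on the point made above (a guessable reset answer is a far weaker link than the password itself) and to make the two steps checkable, here is a small Python example. It is added here and is not part of the original post; the list of common car colors is constructed for the illustration and is an assumption, not data from the post.

```python
import math
import string

# Constructed list of likely answers to "What color was your first car?".
# Its small size is the whole point: a few dozen guesses cover nearly every
# honest answer, which is why this question is weaker than the password.
COMMON_CAR_COLORS = [
    "black", "white", "silver", "gray", "grey", "red", "blue", "green",
    "brown", "beige", "tan", "gold", "yellow", "orange", "maroon", "burgundy",
    "purple", "teal", "navy", "champagne",
]

# Printable ASCII letters, digits and punctuation: the alphabet behind the
# "alphanumeric plus one special character" recommendation in step 1.
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def answer_guess_bits(candidates):
    """Guessing work, in bits, for an answer drawn from a known candidate set."""
    return math.log2(len(candidates))


def password_guess_bits(length, alphabet_size=len(PASSWORD_ALPHABET)):
    """Guessing work, in bits, for a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


def weakest_link_bits(password_bits, answer_bits):
    """An account is only as strong as its easiest recovery path:
    the effective strength is the minimum over the login and reset routes."""
    return min(password_bits, answer_bits)


def meets_email_password_policy(password):
    """Step 1, read as: at least 8 characters, containing a letter and a digit
    (alphanumeric), at least one uppercase letter and one special character."""
    return (
        len(password) >= 8
        and any(c.isalpha() for c in password)
        and any(c.isdigit() for c in password)
        and any(c.isupper() for c in password)
        and any(c in string.punctuation for c in password)
    )


def answer_is_unconventional(answer, candidates=COMMON_CAR_COLORS):
    """Step 2: an answer is 'unconventional' only if it is not in the set an
    attacker would try first (here, the ordinary car colors)."""
    return answer.strip().lower() not in {c.lower() for c in candidates}


if __name__ == "__main__":
    pw_bits = password_guess_bits(8)
    ans_bits = answer_guess_bits(COMMON_CAR_COLORS)
    print(f"8-char password: ~{pw_bits:.1f} bits")
    print(f"car-color answer: ~{ans_bits:.1f} bits")
    print(f"effective strength: ~{weakest_link_bits(pw_bits, ans_bits):.1f} bits")
    print("'Black' unconventional?", answer_is_unconventional("Black"))
    print("'Starbucks' unconventional?", answer_is_unconventional("Starbucks"))
```

Running the script shows the gap the post describes: an 8-character password from the full printable alphabet costs on the order of 50 bits of guessing, while an honest answer to the car-color question costs fewer than 5, and the account's effective strength is the smaller of the two until the reset answer is replaced with something off-list.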

Remember to keep the password to your email account in a secure place. Implementing these two simple changes may improve your online security, but the bottom line is to always be aware of the risks, and take steps to prevent others from getting to your passwords.