
If you're a programmer, you might be thinking something along the lines of "well, duh!" while reading this article. It's common sense to those of us who live in that world.
For everyone else, however, I suspect that this may come as something of a surprise.
If you're like me, you've signed up for accounts on multiple sites. Sometimes I'll sign up for an account just to take a quick peek at how a website works. I have Gmail, Yahoo, LinkedIn, Facebook, Orkut, and Twitter accounts, to name just a few. Not to mention my various bank, credit card, and loan accounts.
A lot of these members-only sections require you to sign up and either verify your e-mail address or use your e-mail address as your username. Of course, you are always asked to provide a password as well to protect your account, right? Right. There's nothing wrong with that -- privacy is very important! No one wants someone else snooping through their personal information or messing with their good reputation.
If you're like me, you begin to find it hard to remember what username you used on this site, and what password you used on that. After a while, you may begin to use the same (or very similar) usernames on every site you sign up for in order to make them easier to remember. Chances are, you probably also use the same password for every site, or at least something very similar.
When you sign up for a new account somewhere, your information (such as your username and password) is saved, typically to a database. Now take a look at the following excerpt from a typical "users" database table (think of a database table as nothing more than a fancy Excel spreadsheet):

Notice anything alarming? If I asked you for my password, how long would it take you to figure it out?
I'd say about 2 seconds.
Now, even at the worst sites, databases are usually protected. They're not visible or available to the general public. But let me present you with two entirely plausible scenarios:
- The site gets hacked, and the hacker(s) gain access to the database.
- An unscrupulous programmer or employee gains access to the database.
Hackers? Unscrupulous employees? That stuff doesn't really happen, right? Wrong. It happens more often than you might think. The FTC estimates that 9 million Americans have their identities stolen each year. That's just Americans, and that's just those who the FTC knows about. That's as many as 1 in every 20 Americans each year between the ages of 20 and 64.
Sometimes your e-mail doubles as your username/login for a site you sign up for:

See any potential problem with that?
If I have gotten into the habit of using the same password everywhere, how long do you think it would take someone who found this database to get into my e-mail account?
I'd say about 5 seconds. Definitely before you could ever find out about it, and with more than enough time to destroy your identity.
If you're like me, you've probably got the last several years of your life archived away (perhaps even inadvertently) in your e-mail account. Every credit card statement, every credit card payment, even sensitive work or family information is probably saved somewhere in your e-mail account. I use GMail, which offers virtually unlimited storage (similar to Yahoo and Hotmail), so I almost never permanently delete anything. It's all there. If someone were to get inside my e-mail account, forget it. My identity is officially stolen.
And how about those handy little "Forgot Your Password" links on virtually every website you visit? A majority of them e-mail your password to you when you forget it.

Is that bad of them to do? The e-mail itself isn't the main problem, but notice what it implies: a site that can send you your original password must be storing it in a form it can read back, which is exactly the situation in the table above. A better-designed site sends a one-time reset link instead and never needs to know your password at all. Either way, if someone has gained access to your e-mail account, they may very well have gained access to your entire identity.
Does this mean that you risk having your identity stolen every time you sign up for a new account? No. A careful programmer never stores your password itself. Instead the site stores a one-way "hash" of it: a fixed-length fingerprint that can be recomputed from the password but cannot be turned back into it. Even if a copy of the database were made public, the password you typed would not be sitting there in the open.
For example, the following image shows the same information as the original database table above, except the password has been run through the MD5 hashing algorithm. When you log in, the website hashes whatever you type and compares it with the stored value, so it can tell that you have the right password without ever keeping the password itself. Any programmer with the least amount of sense would, at a bare minimum, hash their users' passwords. One caveat, though: a bare MD5 hash like the one shown is a floor, not a ceiling. It is unsalted and extremely fast to compute, so a stolen table of MD5 digests can be matched against precomputed lists of common passwords in seconds, and two users with the same password get the same digest. A well-run site today adds a unique salt per user and uses a deliberately slow password hash such as bcrypt, scrypt, Argon2 or PBKDF2. Of course, websites like Facebook, Myspace, and Paypal go above and beyond to protect your information, but what about all the others? I would be willing to bet my right arm that an alarming number of websites out there don't do nearly as much as they should to keep your passwords from being readable to the naked eye in the event your information is stolen.

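The three ways of storing that "users" table, shown in code rather than screenshots. This is an added example, not code from the original article: the accounts, passwords and word list are constructed, and PBKDF2 from Python's standard library stands in for whichever salted, slow password hash a real site would pick. It shows why a plaintext table is read in seconds, why an unsalted MD5 table falls to a simple dictionary attack almost as fast, and what a salted record looks like instead.

```python
import hashlib
import hmac
import os

# Constructed sample "users" table (not real accounts). This is how the
# article's first screenshot stores passwords: in the clear.
PLAINTEXT_USERS = {
    "john.doe@example.com": "password",
    "jane.smith@example.com": "sunshine",
    "bob@example.com": "sunshine",          # same password as Jane
    "alice@example.com": "correct horse battery staple",
}

# A constructed stand-in for the multi-gigabyte word lists attackers use.
WORDLIST = ["123456", "password", "qwerty", "sunshine", "letmein", "dragon"]


def md5_hex(password: str) -> str:
    """Unsalted MD5 digest, as in the article's second screenshot."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def store_md5(users: dict) -> dict:
    """Replace each plaintext password with its MD5 digest."""
    return {email: md5_hex(pw) for email, pw in users.items()}


def crack_md5(table: dict, wordlist: list) -> dict:
    """Dictionary attack on an unsalted table.

    With no salt, each word is hashed once and the result is looked up
    against every row at once; a precomputed table makes this instant.
    Returns email -> recovered password, or None if the word list missed.
    """
    lookup = {md5_hex(word): word for word in wordlist}
    return {email: lookup.get(digest) for email, digest in table.items()}


def shared_digests(table: dict) -> dict:
    """Group users whose digests are identical, i.e. who share a password."""
    groups = {}
    for email, digest in table.items():
        groups.setdefault(digest, []).append(email)
    return {d: users for d, users in groups.items() if len(users) > 1}


# The fix: a per-user salt plus a deliberately slow hash. PBKDF2-HMAC-SHA256
# is used here because it ships with Python; bcrypt, scrypt or Argon2 are
# the usual production choices. The iteration count is an assumed value.
PBKDF2_ITERATIONS = 600_000


def make_password_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt>$<digest>' for storage."""
    salt = os.urandom(16)   # unique per user, so equal passwords differ on disk
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algo}")
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), digest_hex)


if __name__ == "__main__":
    md5_table = store_md5(PLAINTEXT_USERS)
    print("unsalted MD5 table:", md5_table)
    print("recovered by dictionary attack:", crack_md5(md5_table, WORDLIST))
    print("users sharing a password:", shared_digests(md5_table))

    salted_table = {e: make_password_record(pw) for e, pw in PLAINTEXT_USERS.items()}
    print("do jane and bob still look alike?",
          salted_table["jane.smith@example.com"] == salted_table["bob@example.com"])
    print("login check:", verify_password(salted_table["jane.smith@example.com"], "sunshine"))
```

Running it, every password in the word list comes back from the MD5 table, Jane and Bob are visibly sharing a password, and only Alice's long passphrase survives. The salted records for Jane and Bob differ, and a wrong candidate fails verification even though it is only one character off.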
Not all programmers are good programmers. I don't mean to imply that some programmers are evil. I just mean that some are just plain lazy. They will opt for the simple way of storing your information, simply ignoring the possibility that your password may someday become exposed.
What is the lesson to be learned here? Never ever ever use your e-mail password as the password you use to sign up for other accounts and websites. The risk is simply too great.
If you insist on using the same password for several accounts, at the very least, use a different password for your e-mail account (not to mention your bank account and any other sensitive accounts you might have).
More Information:
Creating Secure Passwords
Password Strength & Password Security
Ultra High Security Password Generator
Firefox Plugin: SecurePassword Generator
More on Cryptography
An interesting and entertaining read, even if you're not a tech-head: