I've Been Mugged: Pass The (Password) Salt, Please

Monday, November 12, 2007

Pass The (Password) Salt, Please

The Working Assets data breach reminded me of one frustration computer users experience: how to securely manage the sign-in information (e.g., ID and password pairs) for all of the Web sites and databases we access. The company's breach notification included this about its stolen sign-in information:

There is potential for misuse of this information however, should you use the same email address and password on other personal accounts, whether Working Assets products, banking, PayPal, Amazon, etc. Convio would like to advise you of important steps that you can and should take to prevent misuse of your personal information:

- If this email address and password are used together on any other accounts, it is recommended that you change your password on those accounts and sites immediately. We recognize that this is an enormous inconvenience, but this step will minimize your security risk.

Managing sign-in information for several web sites is a chore. Experts advise us not to use the same sign-in information at multiple web sites. The obvious reason: an identity thief can use your sign-in information for one site to easily access and steal at the other sites you use... and quickly drain your financial accounts. So, varying your sign-in information for each site makes sense.

Experts also advise us not to write down our sign-in information on paper. The obvious reason: once a thief gets your printed information, they have access to all of your accounts. Plus, the thief can copy your printed list and you may never know it was stolen.

So, what's a computer user to do? Writing it down is risky and memorizing it is impossible.

If I had the answer to this dilemma I'd patent it, sell the answer, get wealthy, and retire to my own private island in the Caribbean. But, there doesn't seem to be a silver bullet for this dilemma. Some people suggest password salting, but that solution is not 100% secure either. To learn more, try DailyKos or Digg.

Some suggest password manager software. To me that seems even less secure and foolhardy. If somebody steals your computer (and laptops are very vulnerable), they have all of your passwords. Plus, you won't even know the passwords to your accounts since the password manager stored that information. That like storing telephone numbers in your cellphone. After a while, you don't remember the phone numbers of the people you call frequently. For these reasons, I do not use the password manager features in my web browsers.

Others suggest a combination of password salting and password manager software. To me, that still doesn't solve the problem if you your laptop gets stolen. The dilemma is worse if you consider password rotation... how often Web sites require you to change your sign-in information. Since different Web sites require users to change their passwords at different intervals (e.g., some every 30 days, others every 90 days, and others never), whatever solution you choose must be flexible enough to accommodate password rotation.

If you have any solutions to this sign-in information security dilemma, I've Been Mugged readers want to hear your suggestions.

Posted on Monday, November 12, 2007 at 08:45 AM in Data Breaches, Identity Protection, Technology | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a00e008d035db883400e54f92809d8834

Listed below are links to weblogs that reference Pass The (Password) Salt, Please:

Comments

You can follow this conversation by subscribing to the comment feed for this post.

Excellent points on the subject. My approach is to have a non-secure identity and a secure identity. I use the non-secure identity to register for fluffy stuff and sites I don't transact business on (e.g. flikr) and a secure identity that I only use for trusted sites that I do transact business on. Its not perfect, but it reduces the risk you cite.

Posted by: Andre | Wednesday, November 14, 2007 at 05:15 PM