The other day I was thinking about passwords and the “forgot password” links that are common on websites today. I got to thinking just how many passwords I have and how many I forget.
I use a different password for pretty much every site I belong to. I have a simple algorithm I can do in my head to remember that password (usually). But does it matter? Do multiple passwords really provide you with any added security?
Your entire online life is protected only by your email password, and identified by your email address
With the advent of the “forgot password link” that will email you a reset link, there is really only one password that is the key to every account you have. Your email password. If you got my email password you could gain access to all my accounts on the internet. All you have to do is reset my password, check my email, and bob’s your uncle.
Email addresses today are actually used as the single point of identification, if you really think about it. But at the same time, your email address is your SSO security key. With access to your email you have access to all accounts that implement the “forgot password link”.
Any site that I’ve seen that implements the “forgot password” feature, only requires you to click a link in your email. There is no other stage of identification required, with the exception of my online banking. The bank requires I call in and identify myself via my address, my Date of Birth, etc.
So why aren’t other sites doing this? Obviously you can’t have a call in to an agent, too many expenses for that. But why not have some other personal information stored to identify the person that clicked that link. As I wrote that last sentence, I realized how much of a privacy concern that would be. Especially after reading about so many DB dumps on Ars recently.
It comes down to a single password, a single email address. Your entire online life is protected only by your email password, and identified by your email address. The two most important things you have online.
Would you be willing to provide additional personal information to some random site? If you think about it, you already provide your email address, the thing that identifies you to each and every site out there. How much more info is required to properly secure your identification? Is a single email address enough?
I think I’ll go change my email password right now.
Matt is the owner of this site and primary author. He also
Comments
The opinions expressed in comments are entirely the responsibility of the various contributors. While I will do everything within reason to ensure that they are not defamatory, I accept no liability for them or the content of links included in them.
Your email account should be protected by two-factor authentication. Google supports this pretty easily for GMail and Google Apps accounts. I wish more sites / services supported two-factor authentication.
@skippy, Gmail does offer two factor authentication, but not for IMAP/POP access. Even Paypal, with the little dongle you get that generates random numbers, you can tell Paypal to forget about that when logging in. Bypassing the second stage.
We need a better way to do two factor authentication, without having to rely on external devices, like a random number generator, or phone.