shahine.com/omar/


yet another Microsoft blogger

# Saturday, September 20, 2008

Your Email Password is Your Most Important Password

Here is a newsflash… the security of the majority of your online accounts is only as good as the security of your email address. As many of you know, Sarah Palin’s Yahoo account was recently compromised by taking advantage of public information to answer her secret question and take control of her account. You are at the mercy of the strength of the Password Reset Mechanism. Password Reset today is flawed.

Rule #1: Never ever ever enter your email address and username into any webpage on the Internet except that of your email provider. You are placing yourself at significant risk if you do so (there are some exceptions to this rule of course, like if your email provider is also an OpenID provider or supports delegated authentication).

Rule #2: The answer to your Secret Question should be a random string of gibberish. “Who is your best friend”? The answer should be: d8239d#5d. This way no one can guess it.

I learned the hard way just how vulnerable I was when I lost access to my Hotmail account. I cannot begin to describe what this felt like. It might feel like losing the keys to your house, arriving at home, finding a burglar in your house and getting a busy signal when calling 911.

Jeff Atwood wrote about this exact problem a few months ago:

  1. Number one with a bullet: your email account is a de-facto master password for your online identity. Most -- if not all -- of your online accounts are secured through your email. Remember all those "forgot password" and "forgot account" links? Guess where they ultimately resolve to? If someone controls your email account, they have nearly unlimited access to every online identity you own across every website you visit.
  2. If you're anything like me, your email is a treasure trove of highly sensitive financial and personal information. Consider all the email notifications you get in today's highly interconnected web world. It's like a one-stop-shop for comprehensive and systematic identity theft. How do I know Yelp isn't going to dip into other areas of my email?
  3. Even if I trust Yelp absolutely, how do I know they're not going to store my email password, perhaps insecurely, in a place some disgruntled programmer or hacker can eventually get to it? Giving out your password puts the recipient in the highly unfortunate position of having to secure your password. Give that email password out enough, and you're now vulnerable in dozens of places spread across the face of the web. The odds start to look pretty dire.

You should re-read these words a few times and internalize just what they mean. #3 is exactly why you should generate a unique password for every single website you visit. You should manage this complexity using a tool such as RoboForm, PassPack, VeriSign PIP, KeePass or LastPass.
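Rule #2 and the paragraph above come down to one idea: an answer or password that is drawn uniformly at random from a large alphabet cannot be guessed from public information, and a per-site random password means one leaked site cannot be replayed against another. The following Python is an added example, not the author's code or any of the named tools; it generates such secrets from the operating system's CSPRNG and works out the size of the guess space so the contrast between a real maiden name and a string like "d8239d#5d" is visible in bits. The alphabet and the 10,000-surname guess space are assumptions for illustration.

```python
import math
import secrets
import string

# Alphabet used for generated secrets (assumption: 52 letters, 10 digits, 11 symbols = 73).
ALPHABET = string.ascii_letters + string.digits + "#$%&*+-=?@_"


def random_secret(length: int = 16) -> str:
    """Return `length` symbols chosen uniformly from ALPHABET via the OS CSPRNG.

    Suitable for a secret-question 'answer' (Rule #2) or a per-site password;
    the `secrets` module must be used here, never `random`, which is predictable.
    """
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def unique_passwords(sites: list[str], length: int = 20) -> dict[str, str]:
    """One independent random password per site, as a password manager would store."""
    return {site: random_secret(length) for site in sites}


def guess_space_bits(alphabet_size: int, length: int) -> float:
    """log2 of the number of equally likely secrets of `length` symbols over `alphabet_size`.

    A 'secret answer' taken from a list of common surnames is a length-1 secret over
    a small alphabet; a random 9-character string over 73 symbols is ~55.7 bits.
    """
    return length * math.log2(alphabet_size)


def expected_years_to_guess(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random secret: half the space on average."""
    seconds = (2 ** bits / 2) / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed comparison: a maiden name from ~10,000 common surnames versus
    # a 9-character random answer of the kind the post recommends.
    surname_bits = guess_space_bits(10_000, 1)
    random_bits = guess_space_bits(len(ALPHABET), 9)
    print(f"maiden name from 10k surnames : {surname_bits:5.1f} bits")
    print(f"9 random chars over {len(ALPHABET)} symbols: {random_bits:5.1f} bits")
    print("example random answer:", random_secret(9))
    vault = unique_passwords(["bank", "webmail", "forum"])
    print("distinct per-site passwords:", len(set(vault.values())) == len(vault))
```

The entropy figures are the point: a surname-based answer is guessable from a short list in seconds, while the random answer has to be stored in a password manager precisely because nobody can remember it, which is what the post is asking you to accept.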

I don’t know 95% of my passwords.

Almost every single account you have will have something called a Password Reset feature. You see, none of us can remember all the passwords we use for our different sites. Heaven forbid we actually try and use unique passwords and then forget a password. How do you get access?

Well in the case of many banks and such that store highly sensitive information, you have to get on the horn and talk to a human proving that you are who you are. Usually this is done by sharing something with them that only you know and that they can verify. Things like:

  • The Credit Card Verification (CCV) code on your credit card
  • Your “secret answer” to a question (most use Mother’s Maiden name)

And in some cases, they will physically mail you a new password to your registered address.

But what about the sites that don’t think they have highly sensitive information, or don’t want to incur the cost of such a human labor intensive process? Well they will do one of the following:

  1. Email your actual password to your email address on file
  2. Email you a new random password
  3. Email you a new random password that you must change on login

Now lemme clue you into a little secret.

If the website you are using does either #1 or #2 then FAIL. That website is storing your password in the clear, or in the case of #2 transmitting it in the clear and not requiring you to change it. The only acceptable mechanism for resetting any password via email is #3: email you a new random password that you must change on login.

Since you have absolutely no idea how your passwords are being stored with the website (are they hashed, encrypted, in a cage at the data center) you should assume the worst. Some of the BigCos obviously understand the risk of storing such sensitive information and will do all the right things:

  • Credentials are stored using a one-way hash
  • Machines that store such information are in a caged server environment
  • Credentials never pass around in the clear, such as over HTTP or any unsecured protocol.
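The reset options (#1 through #3) and the storage practices listed above are two sides of the same design decision: a site that keeps only a one-way hash is physically unable to do #1, and a site doing #3 has to generate a fresh random password, store its hash, and refuse normal logins until it is changed. The Python below is an added example written to show that coupling; it is not the author's code or any provider's implementation. It assumes an in-memory user store, PBKDF2-SHA256 with a per-user salt as the one-way hash, a 15-minute lifetime for the temporary password, and a list standing in for the outgoing mail queue.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

PBKDF2_ITERATIONS = 100_000   # work factor; tune to your hardware (assumption)
TEMP_PASSWORD_TTL = 15 * 60   # seconds a mailed reset password stays valid (assumption)


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted one-way hash. Returns (salt, digest); the plaintext is never retained."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class Account:
    email: str
    salt: bytes
    digest: bytes
    must_change: bool = False          # set by a reset, cleared by the forced change
    temp_expires: float | None = None  # epoch seconds after which the reset password is dead


class UserStore:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.outbox: list[tuple[str, str]] = []   # stands in for the SMTP sender

    def register(self, email: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.accounts[email] = Account(email, salt, digest)

    def _matches(self, acct: Account, password: str) -> bool:
        _, digest = hash_password(password, acct.salt)
        return hmac.compare_digest(digest, acct.digest)   # constant-time comparison

    def reset_password(self, email: str, now: float | None = None) -> str:
        """Mechanism #3: mail a fresh random password, keep only its hash, force a change.

        Mechanism #1 (mailing the current password) cannot be implemented against
        this store: it never held the password, only the digest.
        """
        acct = self.accounts[email]
        temp = secrets.token_urlsafe(12)
        acct.salt, acct.digest = hash_password(temp)        # old password is now invalid
        acct.must_change = True
        acct.temp_expires = (now or time.time()) + TEMP_PASSWORD_TTL
        self.outbox.append((email, f"Your temporary password is {temp}; you must change it at login."))
        return temp   # returned only so a demo or test can play the mail recipient

    def login(self, email: str, password: str, new_password: str | None = None,
              now: float | None = None) -> str:
        """Returns 'ok', 'denied', 'expired' or 'must_change'."""
        acct = self.accounts.get(email)
        if acct is None or not self._matches(acct, password):
            return "denied"
        if acct.must_change:
            if (now or time.time()) > acct.temp_expires:
                return "expired"                      # mailed password outlived its window
            if not new_password or new_password == password:
                return "must_change"                  # temp password may not become permanent
            acct.salt, acct.digest = hash_password(new_password)
            acct.must_change = False
            acct.temp_expires = None
        return "ok"


if __name__ == "__main__":
    store = UserStore()
    store.register("alice@example.com", "correct horse")    # constructed sample account
    temp = store.reset_password("alice@example.com")
    print("login with temp only    :", store.login("alice@example.com", temp))
    print("login with temp + change:", store.login("alice@example.com", temp, new_password="new one"))
    print("outbox:", store.outbox[0][1])
```

Two properties are worth checking against any real site: after a reset the old password must stop working immediately (otherwise an attacker who already has it keeps access), and the mailed password must be single-use and short-lived, because the mailbox it lands in is exactly the weak point the post is about.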

If you have access to an email account that has more protection than a webmail provider (like a work or university email address) I highly recommend you use that email address for your password reset. It’s likely that your business is an order of magnitude more secure if they manage their own email services.

Finally, for all the reasons I mention above, don’t EVER give your email username and password out to anyone or any website unless that website clearly belongs to your email provider. NEVER.

Beware of social networking websites that ask for your username and password to “import your contacts”, aka your Social Graph.

Posted Saturday, September 20, 2008 | Comments [3]

Saturday, September 20, 2008 12:04:38 PM (Pacific Daylight Time, UTC-07:00)
Of course if only someone came up with a technology that did away with passwords for something stronger.

Oh no, hold on, what about Information Card ... ah, yes, even Live doesn't use that beyond an attempt at a beta.
Saturday, September 20, 2008 7:40:34 PM (Pacific Daylight Time, UTC-07:00)
I actually love the RoboForm software myself. I use it all of the time and it takes all of the menial everyday tasks that I have to perform on my computer daily and shortens them extremely! What once took me fifteen minutes to complete now takes me only one second because RoboForm does the same task with just one click. In fact I wrote a Report about a lot of RoboForm’s capabilities for use that aren’t even touched on in the User’s Manual for RoboForm. You can get that Report here:

http://www.theroboformreport.com

There is also a FREE version of RoboForm that you can download on this web page, just to test the RoboForm software out for yourself! I highly recommend it!
Sunday, September 21, 2008 2:30:44 AM (Pacific Daylight Time, UTC-07:00)
Well, if nothing else, the Sarah Palin story is bringing these "password reset" security issues into the public eye. Here's to hoping we'll convert some folks into claiming I0$>=baBDqsw9p is their mother's maiden name.

BTW, over at Passpack, we let users login with a Windows Live ID as an alternative authentication method: https://www.passpack.com/windowslive/ We do the same for other services as well, including OpenID.

But it does beg the question: can people really understand the difference between a web authentication API, a delegated authentication, or just someone asking for their email? OpenID users likely do as they are on the bleeding edge of tech, but what about everyone else? Just thinking out loud...
Comments are closed.