Why are you using the same password for every site?

Mon, Oct 29, 2007

Personal, Security

Are you using the same password on more than one website? Is your password for Ebay and Hotmail the same? If it is then you might want to re-think that decision.

It seems that every time I attempt to complete a transaction I am asked to create a new user account. With each account comes the decision on what password I want to use. Most people I talk to don't want to remember another password so they go about their lives entering the same password for every website that asks for one. The scary fact that is often overlooked is that you don't have any idea who is actually looking at your password or how that password is stored.

Sure, you are sending the password over an encrypted connection (you looked for the lock icon next to the address, right?), but what happens after you click submit and that password is verified/stored at the retailer? The truth may surprise you. Depending on the size of the retailer, your password could be stored in anything from a simple text file to an unencrypted database. Not exactly how you would choose to store the password, to be sure!

So what happens when that retailer is targeted by a hacker intent on gathering sensitive information? Even the most protected industries have penetrations (Commerce Bank, Visa and Mastercard), but what about the little guys who aren't about to contact the local news channel to let them know they have been hacked? The bottom line is that you will most likely never know when your information has been stolen from a retailer.

While credit card information is something you want to protect, there are safeguards provided by the credit card companies to cover your loss in the event your credit card has fraudulent charges. But what about your password? If all of your websites are using the same password, then you would probably never know that someone is logging into your Ebay or Hotmail account until after something malicious has been done.

All of this leads me back to the original question: Why are you using the same password for every site? There are several tools that can be used, both on the internet and available for download, that can produce a unique password for your websites. The key to making this work for you is to not try and create/store a unique password for each website.

What you want to use is a formula that combines a Master Password with a unique value for that website. For example: Let's say I have a Master Password of Happy (Please don't use this as your Master Password!) and I want to get a password for www.amazon.com. The script would take the Happy + amazon and run it through a hashing algorithm to create a unique password.
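The formula described above, as an added example that is not the code behind HashAPass or the author's Password Maker. SHA-256, PBKDF2, the iteration count, the 16-character output and all function names are assumptions; the single-hash version sits beside a slower keyed derivation so the difference in input handling is visible.

```python
import base64
import hashlib

ITERATIONS = 200_000  # assumed work factor; raise it as hardware allows
LENGTH = 16           # assumed output length in characters


def normalize_site(site: str) -> str:
    """Reduce what the user types ('WWW.Amazon.com ') to a stable tag."""
    tag = site.strip().lower()
    for prefix in ("https://", "http://"):
        if tag.startswith(prefix):
            tag = tag[len(prefix):]
    tag = tag.split("/")[0]          # drop any path
    if tag.startswith("www."):
        tag = tag[4:]
    return tag


def naive_password(master: str, site: str) -> str:
    """Single hash of master + site, as in the Happy + amazon description."""
    digest = hashlib.sha256((master + site).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")[:LENGTH]


def site_password(master: str, site: str) -> str:
    """Slow KDF: the master password is the secret, the site tag is the salt."""
    salt = normalize_site(site).encode("utf-8")
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                              ITERATIONS, dklen=32)
    return base64.b64encode(key).decode("ascii")[:LENGTH]


if __name__ == "__main__":
    # Constructed inputs; "Happy" is the article's deliberately weak example.
    print(site_password("Happy", "www.amazon.com"))
    print(site_password("Happy", "ebay.com"))
    # Plain concatenation cannot tell these two input pairs apart:
    print(naive_password("Happy", "amazon") == naive_password("Happya", "mazon"))
```

Because any one site's stored password lets whoever holds it test guesses at the Master Password offline, the iteration count and the strength of the Master Password decide how well the other sites stay protected.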

I ran across HashAPass, a great online version of this type of password hashing tool, a few years ago and decided to customize it for my own use. I now use my own Password Maker.
Feel free to use my online version if you would like. By the way, I don't store any passwords or capture any of the passwords that are generated with the online version. In addition, you will notice that I have provided an SSL connection to the online version to help ensure nobody else is capturing the traffic also…
