Have you read the latest here and here about a really cool GMail backup utility called g-archiver? It was discovered that this little gem was harvesting usernames and passwords, sending them to a mailbox under the name John Terry. Looking at their website, g-Archiver describes the issue:
What happened was that a member of our development team had inserted coding used for testing G-Archiver in the debug version and forgot to delete it in the final release version.
Um, okay… Then they go on to suggest a course of action to solve the problem:
It is urgent that you remove the current version of G-Archiver from your computer, and change your Gmail account password right away.
Problem solved, right? Wrong! And here's why.
I believe many people use the same password for many websites and services. Assuming John Terry has had access to your email before he lost his mailbox, he could go and see what other sites you connect with to gather addresses and usernames. Let's not forget that he could read any previous change password emails you may have received. Starting to get the ugly picture? This domino effect can impact all of your websites and services that have sent an email to your GMail account.
Am I sounding paranoid? Probably. Is what I say possible? Yes. Is it probable? I'm sure some will say no, but I believe the answer is yes. So now you're thinking, 'what can be done about this?', right? Well I hope you are thinking this question.
Before you run off to change all your passwords have a look at my list of suggestions on how to better protect yourself:
- Start asking websites to offer a different means to authenticate; OpenID and Cardspace are good examples, but let's not forget SecurID for those really important sites.
- Don't sign-up for just any website that asks for a registration. Many e-commerce sites will allow you to order without creating an account. This is a good thing!
- Never use public Wi-Fi for accessing websites that don't offer encrypted login screens. For example, do you log into your blog in the clear? Is the password the same as everything else?
- Use a different password for each website and/or service. How? Glad you asked…
Some people suggest using a tool to create a unique password for each site. Usually someone will end up storing these 'unique' passwords in some sort of e-wallet, which is only slightly better than using a single password. I say this because these 'unique' passwords will end up being too difficult to remember, much less type into your website. So don't even go down that road. Until we have a globally accepted identity process such as OpenID or Cardspace, I would suggest something like the PasswordMaker software that I use.
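To make the "one master secret, one derived password per site" idea concrete, here is an added example (not the PasswordMaker project's own algorithm, and not code from the original post). The master password is stretched with PBKDF2-HMAC-SHA256, salted with the normalised site host and a generation counter, and the result is turned into printable characters. Nothing is stored: the same master password and site always regenerate the same password, so there is no wallet to steal; if one site's password is exposed, only that site's generation number is bumped. The function names, the `ALPHABET`, the iteration count and the sample master password are all assumptions of this example.

```python
import hashlib
import hmac
import string
from urllib.parse import urlsplit

# Character set the generated passwords are drawn from (an assumption of this example).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"
# Work factor for stretching the master password (chosen for this example).
PBKDF2_ITERATIONS = 200_000


def site_label(site):
    """Normalise a URL or host name to a bare, lower-cased host, so that
    'https://www.example.com/login' and 'example.com' derive the same password."""
    if "://" not in site:
        site = "https://" + site
    host = urlsplit(site).hostname or ""   # .hostname is already lower-cased
    if host.startswith("www."):
        host = host[4:]
    if not host:
        raise ValueError("could not extract a host name from %r" % site)
    return host


def derive_site_password(master_password, site, generation=1, length=16, alphabet=ALPHABET):
    """Derive a per-site password from one master password.

    The salt is the normalised site label plus a generation number, so every
    site gets an independent key and a compromised site password can be
    rotated by raising its generation without touching the master password.
    Characters are drawn from an HMAC counter stream with rejection sampling,
    so each character is uniformly distributed over the alphabet.
    """
    salt = "%s:%d" % (site_label(site), generation)
    key = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt.encode("utf-8"),
        PBKDF2_ITERATIONS, dklen=32,
    )
    # Largest multiple of len(alphabet) that fits in a byte; bytes at or above it
    # are discarded so that (byte % len(alphabet)) is unbiased.
    limit = 256 - (256 % len(alphabet))
    out = []
    counter = 0
    while len(out) < length:
        block = hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
        for b in block:
            if b < limit:
                out.append(alphabet[b % len(alphabet)])
                if len(out) == length:
                    break
    return "".join(out)


if __name__ == "__main__":
    # Constructed demo input: a made-up master password and a few sites.
    master = "correct horse battery staple"
    for site in ("https://www.example.com/login", "example.com", "mail.google.com"):
        print("%-32s %s" % (site, derive_site_password(master, site)))
    # Rotating one site after an incident: bump its generation, master stays the same.
    print("%-32s %s" % ("example.com (gen 2)", derive_site_password(master, "example.com", generation=2)))
```

The trade-off to keep in mind is that the master password is now the single secret that matters: it should never be typed into any website, and the user still has to remember which sites have moved to generation 2, 3 and so on, which is why real tools of this kind keep a small settings file even though they store no passwords.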
Do you have any suggestions for protecting yourself that I didn't include? Feel free to add a comment to this entry to let us all know.
Kim Cameron's Identity Weblog
Wed, Mar 12, 2008
Personal, Security, Technology