I have noticed a trend with many web sites that require you to have an account with them. Sites are now using your email address as the login name. Many even mandate that your login name be your email address. The problems with this:
1. It makes the already weak practice of using single-factor password authentication even weaker. The fact that you can select your own login name is actually a security feature. Think about it. If someone knows your email address, they are a little closer in their attempt to gain access to your account.
2. As more sites do this, the result is that your login name will be the same on many sites. If someone were to compromise your account on one of the sites, the first thing they will try is to log into other popular sites with the same login name, i.e., your email address. And with the way most people deal with multiple passwords (ha!) you know what that means. Yep, the password is the same also.
With the recent initiatives to better secure personal information, it seems strange to see sites move to this model. We already knew that using just a login name and password was not that secure. Now we are down to just the password.