Give me back my Login ID: How decoupling the Login ID and email address is better for security

Everyone seems to be talking about the recent email account compromises that have resulted in the disclosure of some sensitive documents (or at least some embarrassment). The latest one is that of a Twitter employee which is detailed in the following Twitter blog entries:

All kinds of "experts" in the field are writing about these incidents and making suggestions to prevent things like this. Most suggest a stronger password and improving upon the security questions that you need to answer in order to recover your account if you forget your password.

First, I highly recommend that everyone read this article "The Anatomy of the Twitter Attack" from techcrunch. It's probably almost 6 pages long, but worth the investment.

Here is my take on this issue. I wrote in December 2005 about Web Security Getting Weaker as I started to see web sites transition to forcing users to use their email address as their login ID. I don't think this is a good idea since this means that a typical user will have the same login ID on practically every site they use. Once you have this info, then all that's left is to guess the password or try to recover it fraudulently by making guesses to the security questions. With more users signing up for SaaS services in the cloud, this literally means that if you have gained access to someones email account, you pretty much have everything.

What can be done to prevent these continued account compromises?

I suggest the following:

1. Change your login ID to something other than your email address. I am a firm believer that no one except you should know your login ID and your password. This means that it should not be your email address. If the web site or email service doesn't allow this, bug them to change this policy.

If you have no choice, you can create yourself another email account for the sole purpose of using it as the login name for web sites. Make it something that someone could not easily associate with you. It can be almost anything, although there are some character restrictions at most sites.

Set this new email address to forward to your real email account and set this password to something very complex. Write the login ID (email address) and password down and keep it somewhere safe and secure. You should not need to log in to this account often at all. Warning: Don't use an email service that disables your account after a certain period of inactivity. This is how the perpetrator in the latest gmail-twitter hack was able to reset the password of the victims Gmail account. Don't give this email address to anyone. Now, change your login name on the sites in question (webmail) to the one you just created. Remember to only change your login ID and leave the email address set to your primary (public) email address. While you're at it, you may as well change your password to something strong that you will remember.

2. Be creative when setting account recovery questions and answers. The security questions can be used to your advantage to further secure your account if done correctly. Let's look at an example. The above article mentions that one of Google's security questions is:

  • What was your first teacher's name?

Your answers to these questions can be ANYTHING you want them to be. Make something up! Set your first teachers name to 'monty python' or 'big iced coffee from starbucks' if you want. As long as you remember what you initially set, or store it securely somewhere, you are all set. If you don't have a very good memory, see item 3.

3. Use a secure password manager. Let's face it, we don't all have amazing memories especially as we get older. Do you really expect users to set a different complex password for each of the sites and services they use and change them on a regular basis to another complex password? It's a pipe dream. Anyone who does this is probably using one of the many available login ID and password management tools available.

One of the great things about such tools is that most of them have a strong password generator built-in. Once you are accustomed to using a password management tool, you will then find it very easy to start doing things like setting unique login ID's for each of the sites or services you use. There are some great solutions that will even synchronize with your mobile phone if you need access to login information when you are away from your PC.

I have tested and used many of these password management tools, and will post a follow-up that will provide an overview of my experiences.

No comments:

Post a Comment