Wednesday, August 8, 2012

The Best Way to Protect All Your Online Passwords

Farhood Manjo advises:

Password recovery is a menace. Make sure your accounts aren’t daisy-chained together.

You should examine how your various online accounts are linked through forgotten password request services. In particular, look up your various important email accounts, financial accounts, social networks, and other services. Each of these accounts will ask you for an email address where your password requests should be sent.

If they’re all pointing to one another, a single hack could let an attacker get into everything else. For instance, if Gmail is set to send password resets to your Apple account, and your bank is sending requests to Gmail, then all the hacker needs to do to wreak havoc on your finances is steal your iTunes password (which is probably not very strong, because you hate typing out a tough password on a touchscreen to download apps). With your iTunes password, he can get into Gmail through a password request, and once inside Gmail, another password request will let him into your bank. This is exactly what happened to [tech writer] Honan.

What should you do about this? I would create a single, secret, ultra-secure email address that you designate as the one place to send all password resets. What do I mean by ultra-secure? I mean a new Gmail account—something like—with a very strong password and two-factor authentication turned on. Now go to all your other accounts and have them send password requests to this secret address. It’s important that you don’t use this address for anything else—don’t send mail from it, don’t use it to sign up for newsletters, don’t let anyone know that it has anything to do with you. As long as it remains secret, any password resets that are sent its way should be safe.


  1. I've actually thought about writing on Apple's security for a while.

    This author hits on a super pet peeve of mine. Apple's "super" security actually diminishes security. The App Store requires you to type in the original password -- not the password to your keychain or the password to the password storage program that you (hopefully) have on your system. That means that people who are not willing to go through the machinations that I am will just create weak passwords for their accounts.

    Security is a system. You have to consider the whole system in implementing security. Just adding a bunch of requirements to type in passwords actually diminishes security because it encourages weak password usage.

  2. Anonymous-- Excellent point, another example of the Law of Unintended Consequences, or as I called it years ago, the Law of Reverse Results (a social version of Le Chatelier's Principle, which says that a chemical system will react to oppose changes from an equilibrium state--Hey, Bob, maybe you could speak about this at the Austrian Scholar's Conference). Applies to almost all restrictions on behavior, meaning virtually all legislated law of course. But, as Rothbard pointed out in the video Bob just posted, someone benefits; in this case Apple, which gets to tout their "super" security.

  3. When placing a painting, you always place the bottom left-hand corner.

    This can be a game changer entirely for some, while others may still enjoy sticking to the basics, but with a much tighter group of combatants.
    But even that market is in decline, because there are only so many ways
    that you can phrase the Meta Model and stick it on playing cards.

    my web blog :: minecraft en ligne