Wednesday, June 20, 2007
Sharing is Caring - but not with passwords.
This follows on from my previous post.
We all (should) know by now that we shouldn't share passwords.
But how many of us know exactly where we should use passwords on the internet?
Phishing and its ilk have shown us that you can't trust website links that are sent to you via email.
But what if a friend (or what seems to be a friend) pops up on MSN Messenger or via email or Facebook and tells you to "check out this cool site"? You do it: you trust your friend's judgment and enter your password, only to get caught out, and your identity is used to send out the next bunch of "hey, check out this cool site" messages.
That is all in my last post, which has a real-world example of how one can get caught, but the question is: how do we define what is right and what is not?
My Hotmail username and password is my MSN Messenger password and apparently opens up a whole bunch of access for me to other sites. This is the whole "passport", single-sign-on concept dreamed up by Microsoft. I sign on once to one of the "passport" sites and voila, all the other sites need no sign-on. Amazing. Except that someone out there could hijack the system and pretend to be a "passport" site, gaining them my password and access to all of my "passport" stuff.
Putting down Microsoft's security efforts is like running the 100 meters against a fish. It's too easy; but Google is starting to move in the same direction. My Google username and password gets me into Gmail, iGoogle, Blogger, etc., and the list will expand as Google buy more and more companies and bring more and more stuff out of their labs. I don't really use Yahoo!'s services, but I imagine that they are following the trend, which is not limited to Google and Microsoft but is a general industry-wide trend.
When I signed up for Blogger I didn't need a new username and password etc.; I just logged on with my Google password. Blogger said that they are a Google company so, boom, in goes the password. I did check things out first, but that's just me; I doubt most people would.
Another thing that surprised me was when Facebook asked me for my email username and password so it could check my email contacts against its subscriber base - not my Facebook username and password but my online email username and password. This is obviously a service that a large number of people use, or else it would have been taken down, freeing up some vital real estate on Facebook's main page. Entering this information is optional, but if you do, you have to trust that Facebook will not store the information; if they do store it, then you have to trust that they will store it securely and not use it themselves except to check your contact list once. Do you trust Facebook?
It seems there are no easy ways around this issue. You have to check to make sure that you trust each site you give another site's password to or, better still, don't share the passwords at all.
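The check described above can be made mechanical, which is what a password manager does when it refuses to fill a password on a host it was not saved for. The following is an added example, not part of the original post; the credential labels, the `.example` host names and the `may_enter` function are all constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allow-list: the only hosts each password may be typed into.
# Credential labels and host names are made up for this example.
PASSWORD_HOSTS = {
    "webmail": {"login.webmail.example"},
    "sso": {"login.sso.example"},
}


def may_enter(credential, url):
    """Return (allowed, reason) for typing `credential` into the page at `url`."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".")
        has_userinfo = parts.username is not None or parts.password is not None
    except ValueError:
        return False, "URL does not parse"
    if parts.scheme != "https":
        return False, "not HTTPS, so the host name is unauthenticated"
    if has_userinfo:
        # https://login.sso.example@other.example/ really goes to other.example
        return False, "text before '@' disguises the real host"
    # Exact match only: 'login.sso.example.other.example' shares a prefix
    # with the real host but belongs to whoever owns other.example.
    if host in PASSWORD_HOSTS.get(credential, set()):
        return True, "host is registered for this password"
    return False, "password was never registered for host '%s'" % host


if __name__ == "__main__":
    for cred, url in [
        ("sso", "https://login.sso.example/signin"),
        ("sso", "https://login.sso.example.cool-site.example/signin"),
        ("sso", "https://login.sso.example@cool-site.example/"),
        ("webmail", "https://social.example/find-friends"),
    ]:
        print(cred, url, may_enter(cred, url))
```

The last case is the contact-import situation: the webmail password is refused on any host other than the webmail login host, however trustworthy the asking site appears.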