Stop. Look. Change your Password

[I’ve been neglecting this space for the last few weeks… this was published on the BBC News site on October 9]

If you use a web-based email service then here’s a public service announcement. Tufty the Squirrel says ‘Change your password. Now. Before you read the rest of this column. And if you use your webmail password for any other services go and change it there too.’

OK, assuming you’ve done that, we can discuss the apparent plundering of tens or even hundreds of thousands of login details from Hotmail, Yahoo! Mail, Gmail and other web-based email services, revealed last week when a partial list of ten thousand addresses was posted to – and quickly withdrawn from – the Pastebin code-sharing website and details of another 30,000 accounts were posted elsewhere.

The compromised email addresses seem to be the result of a number of phishing exercises, where fake websites are set up to harvest login credentials from those who can be tricked into visiting the phishing site instead of the authentic home page for their service provider, and not related to any security flaws in the webmail services themselves.

Their existence demonstrates yet again that current online security techniques are not working, despite the massive investment in teaching users about security, building phishing-detection technology into the major browsers and attempts to track down and remove the fake websites involved. Users are still being fooled into handing over their usernames and passwords by fraudulent websites, and online criminals are making money by selling lists of compromised accounts to be used by spammers.

This should worry every internet user, because few of us have the discipline to use unique and hard-to-guess passwords for each online service we sign up for, and often fail to distiguish between ‘throwaway’ passwords for sites that require you to register in order to use them and the vitally important passwords used for banks, email and social network sites.

Perhaps we should not be surprised that phishing still works. We are constantly bombarded with login pages and requests to re-enter passwords in order to verify our identity so that we all suffer authentication fatigue, carelessly typing the same username and password into every login form that is presented as we surf the web.

As far as I am aware I’ve never been caught by a phishing attempt, but of course a well-crafted fake site will take your credentials and then redirect you to the authentic location so you might never know. And a good criminal gang will keep your details safe for a while rather than use them straight away, relying on the fact that few of us bother to change our passwords at all regularly.

The ease with which people are persuaded to hand over their details matters hugely to the future growth and development of the internet because our confidence in online services will be severely affected by incidents like this.

New, less confident net users who may only just have graduated from a taster course in their local LearnDirect centre are likely to be deterred from further exploration, while companies that rely on online sales will find that potential customers are less likely to buy if they are unsure about internet security.

Dealing with phishing, like dealing with spam, is difficult because the architecture of today’s internet is based on the assumption that most users and most computers will play nice. Those who choose not to have an advantage, because dealing with them can easily result in the loss of the capabilities which make the network useful in the first place.

We could probably stop phishing if every website had to be registered with the national government of the country hosting it, but who would want to build a website in such a world?  Just as the price of providing absolute security against terrorist attack would be the loss of the very liberties that are under attack through terror tactics, the cost of making the internet completely safe and secure would be the things that make it worth going online.

Better teaching about technology would make a significant difference, without requiring massive changes to the way the network operates.  If users had a better understanding of how these vital technologies work they would be able to make their own decisions about which sites and services to trust, just as we generally accept that people can make their own decisions about which banks to trust or which car to buy.

But we also need to think about the support we offer when things go wrong. There are government guarantees in place to ensure that people get their money back when banks collapse, and warranties and guarantees that ensure that if I buy a duff car I will be compensated.

Access to email and social networks is now as important to many people as access to their telephone, and for me at least it’s a lot more important than access to television. Perhaps it is time to think about the level of support we offer to those whose email and other accounts are compromised, instead of leaving it to the service providers to decide whether they will reset passwords, suspend access or simply leave people to sort it out themselves.

Bill’s Links

Phishing: http://www.theregister.co.uk/2009/10/06/gmail_webmail_phish/

Accounts compromised: http://www.guardian.co.uk/technology/2009/oct/06/gmail-yahoo-aol-phishing-scam

Popular passwords: http://www.wired.com/threatlevel/2009/10/10000-passwords/

One Reply to “Stop. Look. Change your Password”

  1. Do the villains really hold off using your password until they get around to you? I’ve assumed that stolen credentials will be used in a split-second, so changing your password each month, as is practised in some businesses, is a bit inadequate. And changing distinct passwords on multiple services, dratted annoying. I’d say don’t use a password where it can be stolen, unless it’s one for something that doesn’t matter much.

Comments are closed.