With a series of high-profile security breaches in recent weeks (Twitter, Evernote, LinkedIn and others) the obvious concern is that the attacker has access to your account. In some cases it’s more than that.
The real cause for concern is, after the stable door is bolted and the passwords are changed, what do the attackers still have access to – and what (in many cases) have they uploaded to the internet for others to share?
They have your user details – name, email address, gender, age, State and City. Maybe even your three favorite security questions.
So, the best outcome you can hope for is more spam, because now your email address is out there in plain text – a confirmed, validated, active email address, because it’s the one you chose to use with a service you trusted to keep it secret.
Worst case, they have a username and password you use on multiple sites, or enough details to try to attack other accounts, depending on how much has leaked – as we’ve seen recently, social engineering “hacks” have helped attackers gain control of accounts with some fairly minimal information.
I try to be good – I have different passwords for most sites (either based on an algorithm that makes sense to me but not much to a robotic sniffer, or auto-generated using LastPass), I routinely lie about my personal details (yes, I am an 84 year old woman living in Des Moines … probably explains some of the more unusual adverts I get on Facebook!) and I make use of the + ability in Gmail to give me a clue where my email leaked from (sure, it’s easy enough to strip those off, but in many cases why bother) …
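As an added illustration of the Gmail plus-address trick (example code written for this post, not the author’s own): given the `To:` addresses of a handful of unsolicited messages (a constructed sample), it tallies which tagged alias they arrived on, and the `normalize_gmail` helper shows exactly how little effort it takes to strip the tag, which is why it is only a clue.

```python
from collections import Counter
from typing import Optional

# Constructed sample: the To: address on a few unsolicited messages.
# Each +tag was only ever handed to one service, so the tag names the leak.
CONSTRUCTED_INBOX = [
    "alice+photosite@gmail.com",
    "Alice+PhotoSite@gmail.com",       # case differs, same alias
    "alice+shop@gmail.com",
    "a.l.i.c.e+photosite@gmail.com",   # Gmail ignores dots in the local part
    "alice@gmail.com",                 # untagged: no clue where it came from
    "bob+photosite@example.org",       # someone else's mailbox, ignored
]

MAILBOX = "alice@gmail.com"   # hypothetical mailbox for the example


def normalize_gmail(addr: str) -> str:
    """Canonical form Gmail delivers to: lowercase, dots removed from the
    local part, '+tag' dropped. This is the one-liner a spammer runs to
    erase the clue, so a normalized list cannot tell you where it leaked."""
    local, _, domain = addr.strip().lower().partition("@")
    local = local.split("+", 1)[0].replace(".", "")
    return f"{local}@{domain}"


def plus_tag(addr: str) -> Optional[str]:
    """Return the '+tag' part of the local part (lowercased), or None."""
    local, _, _ = addr.strip().lower().partition("@")
    return local.split("+", 1)[1] if "+" in local else None


def leak_sources(to_addresses, mailbox: str = MAILBOX) -> Counter:
    """Count, per tag, how many unsolicited messages hit each alias of
    our mailbox. Addresses that do not normalize to our mailbox are skipped."""
    mine = normalize_gmail(mailbox)
    counts: Counter = Counter()
    for addr in to_addresses:
        if normalize_gmail(addr) != mine:
            continue
        counts[plus_tag(addr) or "<untagged>"] += 1
    return counts


if __name__ == "__main__":
    for tag, n in leak_sources(CONSTRUCTED_INBOX).most_common():
        print(f"{tag:12} {n}")
```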
Long after the uproar of the original breach has passed, and everyone has reset passwords and done all the right things, there’s that residual nagging feeling that the damage has been done.
Password schemes today suck. Two-factor authentication is certainly a step in the right direction (as long as we can have a scheme that’s user-centric, not one per site… I don’t want to carry a small bag of tokens everywhere I go!), but the real challenge is getting sites to stop requiring information they don’t need… there has to be a better answer there…