22 June 2011

Why you now need a different password and a different ID for each account

You can't trust even the biggest companies to have sensible security.

My electricity supplier decided to get serious with using the web - what started as just a trivial "send us your meter reading" ID was migrated to be an "account management" ID - with bank details and direct debits and address and mother's maiden name and so on.  All very useful stuff to know.

Problem was most of the website was updated before they migrated me (or told me about the new system) and suddenly I was being asked for a 12 digit number I did not have.  No problem - the help line was very helpful - the agent was able to access all my details, and my ID, and my email address and my password in plain text - which were all emailed to me - in plain text.

No one at the company ever needs to see a password!  A site should store only a salted hash of it, and the most a support agent should be able to do is trigger a reset - never read the password.  Keeping it in plain text is really, really stupid.  Even more stupid to send the password in an email.

A doubly big problem if you use the same email/ID and password on more than one site!   It is really stupid to trust call centre staff with this sort of information.

So I set about changing all my IDs and passwords, which went fine until this stupidity:

I changed my password and then it sent it to me!  Maybe there was a pending "request" - but good sites send you a reset link or a reminder 'phrase' - not the actual password. And this from a legal advice site as well.
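The two complaints above (staff who can read the password, and a site that emails the password back after a change) are fixed by the same design: store only a salted hash, and drive "forgotten password" through a short-lived, single-use reset token rather than the password itself. The following is an added illustration, not code from the electricity supplier or the legal advice site; the in-memory store, the 15-minute token window and the PBKDF2 iteration count are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

# Assumption: work factor for PBKDF2-HMAC-SHA256; raise it as hardware gets faster.
PBKDF2_ITERATIONS = 600_000
RESET_WINDOW_SECONDS = 900  # assumption: reset links stay valid for 15 minutes


def hash_password(password: str) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iters$salt_hex$hash_hex'.

    The record is what the database (and therefore a support agent) can see;
    the password itself is never stored.
    """
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iters, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


# Used when the account does not exist, so a login attempt costs the same
# time either way and does not reveal which emails are registered.
DUMMY_RECORD = hash_password(secrets.token_urlsafe(16))


class UserStore:
    """In-memory stand-in for the account database (constructed for the example)."""

    def __init__(self) -> None:
        self.users: dict = {}          # email -> password record, never the password
        self.reset_tokens: dict = {}   # sha256(token) -> (email, expiry time)

    def register(self, email: str, password: str) -> None:
        self.users[email] = hash_password(password)

    def login(self, email: str, password: str) -> bool:
        record = self.users.get(email)
        if record is None:
            verify_password(password, DUMMY_RECORD)
            return False
        return verify_password(password, record)

    def what_support_can_see(self, email: str) -> str:
        """Everything the help line could ever read out: the hash record only."""
        return self.users.get(email, "")

    def request_reset(self, email: str, now: Optional[float] = None) -> Optional[str]:
        """Return the one-time token to embed in a reset link, or None if the
        account is unknown. The site should reply 'check your inbox' in both
        cases; the email carries this token, never a password."""
        if email not in self.users:
            return None
        token = secrets.token_urlsafe(32)
        # Store only a hash of the token, so a database dump cannot be used to reset accounts.
        key = hashlib.sha256(token.encode()).hexdigest()
        self.reset_tokens[key] = (email, (now or time.time()) + RESET_WINDOW_SECONDS)
        return token

    def complete_reset(self, token: str, new_password: str, now: Optional[float] = None) -> bool:
        """Consume the token (single use) and set a new password if it has not expired."""
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.reset_tokens.pop(key, None)
        if entry is None:
            return False
        email, expiry = entry
        if (now or time.time()) > expiry:
            return False
        self.users[email] = hash_password(new_password)
        return True
```

Note that `what_support_can_see` is the whole point: with this layout there is nothing for an agent to email you in plain text, and the only thing a reset email can contain is a token that stops working after one use or fifteen minutes.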


And what do I do about services that are no longer available - because of expired membership, subscription or "gone out of business"?  The data is still up there - even if you can't access it - someone else can.

I don't care if someone hacks my UKSAABS ID or password - but if this gives them a clue to what I use for more critical sites - very bad.

This needs some thought

Unique IDs are tough, as most sites use your email address as the ID, so unique passwords it will have to be - what a pain.

[Update June 26th - I found out (but only via the BBC news) that Travelodge (UK) have been hacked and had customer data stolen, and on Friday I got an email from a computer game maker warning me that customer data associated with a 10 year old game had been compromised.  So that is "small games company 1 / major corporate with whom I currently do business 0".]

[Update July 20th - and now I am receiving spam mail directed to the email address I only use for Travelodge - and still they have not warned me that they have lost identity data]
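The Travelodge-only address that is now receiving spam is the "unique ID" half of the answer: even when every site insists on an email address, mail sub-addressing (user+tag@domain, which most providers deliver to user@domain) gives each site its own login, and the tag tells you who lost it. Combined with a freshly generated password per site, a breach of one account gives no clue to any other. The following is an added example of that scheme, not something from the post or from any of the companies named; it assumes a mail provider that supports the plus-tag convention and keeps everything in memory.

```python
import secrets
import string
from typing import Dict, Optional, Tuple

# Assumption: a reasonably broad alphabet; 20 characters from it is ~128 bits of entropy.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"


def unique_password(length: int = 20) -> str:
    """A fresh random password that shares nothing with any other site's password."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def site_alias(base_mailbox: str, site: str) -> str:
    """Sub-addressed login ID for one site, e.g. me+travelodge@example.com.

    Assumes the mail provider delivers user+tag@domain to user@domain.
    """
    local, _, domain = base_mailbox.lower().partition("@")
    tag = "".join(c for c in site.lower() if c.isalnum())
    return f"{local}+{tag}@{domain}"


class Vault:
    """Per-site credentials keyed by site name (in-memory, constructed for the example)."""

    def __init__(self, base_mailbox: str) -> None:
        self.base_mailbox = base_mailbox.lower()
        self.entries: Dict[str, Tuple[str, str]] = {}  # site -> (login ID, password)

    def enrol(self, site: str) -> Tuple[str, str]:
        """Create a distinct ID and password for a new site."""
        login = site_alias(self.base_mailbox, site)
        password = unique_password()
        self.entries[site] = (login, password)
        return login, password

    def reused_passwords(self) -> Dict[str, list]:
        """Map each password used by more than one site to the sites sharing it."""
        by_password: Dict[str, list] = {}
        for site, (_, password) in self.entries.items():
            by_password.setdefault(password, []).append(site)
        return {p: sites for p, sites in by_password.items() if len(sites) > 1}

    def attribute_leak(self, recipient: str) -> Optional[str]:
        """Given the To: address of unexpected mail, name the site whose alias it is.

        Returns None for the bare mailbox or for a tag no site was given.
        """
        recipient = recipient.strip().lower()
        for site, (login, _) in self.entries.items():
            if login == recipient:
                return site
        return None
```

In use, every site's ID and password is generated with `enrol`, so `reused_passwords()` stays empty, and when spam arrives `attribute_leak("me+travelodge@example.com")` names the company that should have sent the breach notice but did not.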
