What’s a secure password?


The other day I started getting eBay messages in reply to messages I had supposedly sent out. The messages sent under my name claimed to be from a company exporting electronic equipment from China, complete with email address (not mine) and a phone number. I sent a couple of messages to those who’d contacted me telling them that the messages were a scam and weren’t from me. (Interestingly, none of them were abusive at all; one of them told me the prices were too steep, but there were no F words or insults.)

Anyway, I clicked on one of the messages in my Sent folder, and tried to click the “report this” button. I typed out a message saying that this message, and several others like it, had been sent under my name, but the system refused to accept the report, as the report and the offending message were under the same ID, i.e. I can’t report myself. So I had to search for an email address, and after clicking the usual “contact us” link, I ended up sending a message to eBay through some other channel, which I can’t remember (and I didn’t get a saved copy; perhaps it was through an eBay web forum, perhaps through Yahoo mail), with a copy of the dodgy ad and a notice that I’d be changing my password, which I did.

Not long after I did that, I got a message from eBay telling me my password had been reset due to unauthorised access. “It appears that your eBay password has become known to a third party,” it informed me, before informing me that this could have happened when I followed the instructions in a spoof email. To get my access back, I’d have to set a new password, then take their tutorial and enter a PIN which I’d be told over the phone. I could not, of course, use the password I’d just set; I had to make up a new one. (I also had to find an email from eBay and click a link in it, without being able to check my messages as you normally do with messages purportedly from eBay; the message was where emails of that sort end up: in the Yahoo Mail spam bin.)

When I finally took the account protection tutorial, I found that among the thirteen questions was this one:

Which of these passwords is a secure way to protect your eBay account?

a. Your User ID is ilovepuppies and your password is beatlesfan#28
b. Your pet’s name, Fido
c. Your User ID is jimmyinjersey. Your eBay password is jimmy.
d. Your email password is $uperman1963. Your eBay password is also $uperman1963.

The correct answer to this question is “none of the above”, but that wasn’t an option. None of these are secure passwords - a secure password does not have a recognisable word, in any language, in it. I don’t think a recognisable word with a common shorthand symbol, like $ for S, is any exception; surely the criminals out there are wise to that trick. The answer they accept is A, but nobody who knew about network security would recommend using that as a password; if I’d used it on the Unix system at college, I’d have been running the risk of the computer department cracking it.
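To show why none of the four options holds up, here is an added example (not from the original post) that applies the post’s own criteria to the tutorial’s options: it undoes common symbol-for-letter swaps such as $ for S the way cracking rule sets do, then looks for recognisable words, passwords derived from the user ID, and reuse across accounts. The wordlist is a constructed stand-in for a real dictionary.

```python
# Constructed mini-dictionary standing in for a cracking wordlist (assumption: real
# attackers use far larger lists; this one only covers the tutorial's four options).
WORDLIST = {"love", "puppies", "beatles", "fido", "jimmy", "jersey", "superman"}

# Symbol/digit-for-letter swaps that cracking rule sets undo before matching.
LEET = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalise(text: str) -> str:
    """Undo leet substitutions and lowercase, as a wordlist rule would."""
    return text.translate(LEET).lower()


def dictionary_words_in(password: str, min_len: int = 4) -> list[str]:
    """Dictionary words of at least min_len letters found inside the normalised password."""
    norm = normalise(password)
    return sorted(w for w in WORDLIST if len(w) >= min_len and w in norm)


def assess(user_id: str, password: str, other_passwords: tuple[str, ...] = ()) -> list[str]:
    """Reasons the password fails the post's criteria; an empty list means it passed."""
    reasons = []
    words = dictionary_words_in(password)
    if words:
        reasons.append("contains recognisable word(s): " + ", ".join(words))
    uid, pw = normalise(user_id), normalise(password)
    if uid and (pw in uid or uid in pw):
        reasons.append("derived from the user ID")
    if password in other_passwords:
        reasons.append("reused on another account")
    return reasons


# The tutorial's four options, as (user ID, password, passwords on other accounts).
QUIZ = {
    "a": ("ilovepuppies", "beatlesfan#28", ()),
    "b": ("", "Fido", ()),
    "c": ("jimmyinjersey", "jimmy", ()),
    "d": ("", "$uperman1963", ("$uperman1963",)),  # same password as the email account
}


def quiz_results() -> dict[str, list[str]]:
    """Map each tutorial option to the list of reasons it fails."""
    return {k: assess(*v) for k, v in QUIZ.items()}


if __name__ == "__main__":
    for option, reasons in quiz_results().items():
        print(option, "FAIL" if reasons else "ok", "; ".join(reasons))
```

Every option comes back with at least one reason, which is the post’s “none of the above”.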

Anyway, the assumption was that I’d given away my password in replying to a “phishing” email, but that wasn’t the case. I know all about phishing and my Thunderbird mail client now knows to mark all such emails as spam, and they get deleted unread. The most likely cause is my use of my mail password for eBay; I access Yahoo Mail through their POP3 port, and everything is transmitted unencrypted. eBay, on the other hand, does not allow this: you log into a secure website. The likely way these people got into my account is by listening in on my network connection and reading my password that way. The tutorial does tell you to use a different password for each account you have, but doesn’t tell you not to use one you also use on an unencrypted account, especially if you have the same ID on the other account.

Besides which, how easy is it to use a different password on each account you have? I can’t remember how many accounts I have: there are my two home computers, both of which run versions of Unix, my web host account, my content management system accounts on my website, my GMail, Yahoo and Hotmail accounts, various web forum memberships, my SourceForge account. I have two passwords between my unencrypted accounts and another couple for the encrypted ones. I simply could not make up different secure passwords and remember them all without writing them down, which you’re not meant to do in case someone finds it.

Anyway, I resent eBay treating me like a fool by assuming I’d broken one of the best-known rules of online security, while burying the bit about using different passwords four questions into the tutorial. They also did not bother to correspond with me personally - rather than reading my message and taking account of it, they seem to have just hit a button and sent off a prepared notice. I appreciate that eBay are a big operation, but surely they could spare more than the time necessary for a couple of mouse clicks and correspond with me as if I’m an intelligent human being?
