I’ve been thinking…
Some websites and organisations are more careful with security than others. Some sites, when you register with them, will allow you to set your password – but then they will email you a confirmation: one that INCLUDES YOUR PASSWORD IN THE CLEAR. Sites that understand the concept of security won’t do this, because they understand the (admittedly minimal) risks this exposes your information to.
Most emails are like letters without envelopes: anyone with access to the network can read their contents as they pass from A to B, so in theory someone could read your password. Email postmasters are generally trustworthy and usually too busy to snoop… but not everyone can be trusted.
What if their email system messes up and sends the email message to the wrong person? Or if your ISP messes up and bounces it back to their postmaster (who perhaps is just on his way out of the company? who knows?).
So, how to deal with this?
The ‘Advanced Version’ of the ‘One Ring to Rule Them All’
This involves using two – or maybe more, but let’s KISS (Keep It Simple, Stupid) and start with two – ‘strong’ passwords that you use when setting up your passwords, as described in my ‘One Ring’ article a few days ago.
‘Ring One’ you would use for sites you feel confident you can trust to know what they’re doing (banks and the larger, well-known, e-commerce organisations).
‘Ring Two’ would be for the odd places that you’re not so sure about. Those chatty forum sites, for instance. If you’re not sure which ‘ring’ to use, then use Ring Two first, and perhaps switch to Ring One when you feel confident about the site and its trustworthiness. You will, of course, need to remember which one you’ve used, but you’ll know which sites you trust and which you don’t. And if you should find that you can’t log in somewhere – just try the other Ring :D
This adds a further level of security to the system. But: it’s not something to stress out about. If you’ve been slack about your passwords up to now, the One Ring technique makes your data a whole lot more secure than it was before.
I’ll freely admit that the one thing that this technique doesn’t address is the Typical Security Eggspurt’s advice to "change your passwords frequently". Let’s face it: who does that in real life? It’s one of those things we all should do (like backing up important data) but never seem to get around to. The Expert Advice here is simply posterior coverings: ‘what? your password has been stolen? Well, when did you last change it? … what’s that? You NEVER changed it? Ah well, then: it must be YOUR fault!’.
If you’re feeling community-minded, the next time you register with a website that sends your password back to you in their ‘welcome!’ message, you might send them a friendly note pointing out that you’re not impressed with their attitude to security.