{"id":10,"date":"2015-07-06T15:13:47","date_gmt":"2015-07-06T15:13:47","guid":{"rendered":"http:\/\/www.paidparanoid.net\/site\/?p=10"},"modified":"2015-07-06T15:13:47","modified_gmt":"2015-07-06T15:13:47","slug":"but-its-only-the-e-mail-password-right","status":"publish","type":"post","link":"https:\/\/www.paidparanoid.net\/site\/?p=10","title":{"rendered":"But it&#8217;s only the e-mail password, right&#8230;?"},"content":{"rendered":"<p>.. and there&#8217;s nothing important in my e-mail.<\/p>\n<p>I&#8217;ve heard this a lot more than I&#8217;m comfortable with when talking to people. It&#8217;s just their e-mail, they don&#8217;t use it for anything important really, there&#8217;s nothing confidential in there so why not just use (or, even BETTER, re-use) a nice simple password so it&#8217;s easy to access.<\/p>\n<p>Or why worry <a href=\"https:\/\/threatpost.com\/june-harvard-breach-hit-multiple-schools\/113601\">when your school has an e-mail breach<\/a>.<\/p>\n<p>There&#8217;s a lot people aren&#8217;t considering here:<\/p>\n<ul>\n<li>Password re-use. While I absolutely believe the password SHOULD be dead, there isn&#8217;t a suitably convenient and effective replacement. Mastercard is trying for <a href=\"http:\/\/thehackernews.com\/2015\/07\/mastercard-selfie-password.html\">selfie-based authentication<\/a>, but we&#8217;ve seen most of the facial recognition systems can be fooled by a photo &#8212; and if it&#8217;s just the single-factor, then it&#8217;s PERMANENTLY compromised if it&#8217;s broken. Breach records and password analysis have repeatedly shown that people continue to re-use passwords, so once one is broken, what else is out there?<\/li>\n<li>Password and account recovery. This one is, to me, scarier than the above. So you&#8217;ve practiced good password hygiene, used a different password and it&#8217;s a nice strong one. You&#8217;re even using a password manager and don&#8217;t type it in in case you get screen scraped. 
Now your e-mail is compromised, and you click the link to send the password to the recovery account. Ooops.<\/li>\n<li>Last (and probably least) now people can use your account for whatever &#8212; spam, malware, phishing. While it&#8217;s relatively easy to fake this still, a real account will pass more checks.<\/li>\n<\/ul>\n<p>E-mail remains the gateway to a lot of information, regardless of its various levels of insecurity (unencrypted SMTP across untrusted networks with confidential data? WIN!). It needs protecting, and that&#8217;s why I&#8217;m so happy when I see services start to offer 2-factor authentication. It&#8217;s not as convenient, but having some kind of extra authentication, whether via SMS, an application on your smart phone, or a token, is one of the best defences you can have if and when someone gets the back end database for your system.<\/p>\n<p>It&#8217;s probably, depressingly, when.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>.. and there&#8217;s nothing important in my e-mail. I&#8217;ve heard this a lot more than I&#8217;m comfortable with when talking to people. 
It&#8217;s just their e-mail, they don&#8217;t use it for anything important really, there&#8217;s nothing confidential in there so why not just use (or, even BETTER, re-use) a nice simple password so it&#8217;s easy [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[2],"tags":[],"_links":{"self":[{"href":"https:\/\/www.paidparanoid.net\/site\/index.php?rest_route=\/wp\/v2\/posts\/10"}],"collection":[{"href":"https:\/\/www.paidparanoid.net\/site\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.paidparanoid.net\/site\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.paidparanoid.net\/site\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.paidparanoid.net\/site\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=10"}],"version-history":[{"count":1,"href":"https:\/\/www.paidparanoid.net\/site\/index.php?rest_route=\/wp\/v2\/posts\/10\/revisions"}],"predecessor-version":[{"id":11,"href":"https:\/\/www.paidparanoid.net\/site\/index.php?rest_route=\/wp\/v2\/posts\/10\/revisions\/11"}],"wp:attachment":[{"href":"https:\/\/www.paidparanoid.net\/site\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=10"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.paidparanoid.net\/site\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=10"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.paidparanoid.net\/site\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=10"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}