Account Recovery

This week brought attention to a new angle from which we all need to protect ourselves online. If you haven’t seen or heard about it yet, you should definitely check out the article:

Its gist: a truly epic piecing together of the weaknesses of several different services, the password recovery mechanisms they use, and the data they consider good enough for authentication.

Now, I’ve been a user of LastPass for a while now, and while I think this service is fantastic and highly recommend it, I also think I allowed it to give me a little bit of a false sense of security. I’ve thought myself pretty well insulated from online assault by using LastPass and having different, randomly generated passwords for every service I use. It turns out I was wrong. As was demonstrated at Mat Honan’s expense, real consideration needs to be given to the account recovery options, procedures, and personal data that all of your online services have.

As we all should have learned 4 years ago from the Sarah Palin/Yahoo Mail hack, you can have as secure a password as you want, but if you don’t put much thought into the account recovery questions, it doesn’t mean a thing. For my security questions, I’ve decided to answer them with still more passwords. My reasoning is that with more and more of our lives being recorded online by ourselves, by the companies we engage with, and by governmental bodies loading the public record onto the internet, it’s not so hard to imagine someone doing a little bit of digging to find out what my first car was, or what city my mother was born in…
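Here is what “answering security questions with still more passwords” looks like in practice. This is an added example, not code from the original post or from LastPass: it generates an independent random answer per question with the operating system’s CSPRNG and compares the entropy against a guessable real answer. The default alphabet is letters and digits only because many recovery forms reject spaces and punctuation; the answer length of 20 and the assumed pool of “about 100 plausible cities” are assumptions you should adjust to the service.

```python
import math
import secrets
import string

# Many recovery forms reject spaces or punctuation, so default to letters and
# digits. Assumption: widen or narrow this to whatever the service accepts.
ALNUM = string.ascii_letters + string.digits


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)


def guessable_bits(candidate_count: int) -> float:
    """Bits of work to guess a real answer drawn from a pool of plausible values
    (e.g. a mother's birthplace narrowed to ~100 cities from public records)."""
    return math.log2(candidate_count)


def generate_answer(length: int = 20, alphabet: str = ALNUM) -> str:
    """Return a uniformly random answer using the CSPRNG, never `random`."""
    if length < 1 or len(set(alphabet)) < 2:
        raise ValueError("need length >= 1 and an alphabet of at least two symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_recovery_answers(questions, length: int = 20, alphabet: str = ALNUM) -> dict:
    """Map each question to its own independent random answer.
    Reusing one answer across questions (or services) would let a single
    leak unlock every other recovery flow, so each call is fresh."""
    return {q: generate_answer(length, alphabet) for q in questions}


def vault_note(service: str, answers: dict) -> str:
    """Render a plain-text note suitable for the 'notes' field of a password
    manager entry, so the answers live next to the service's password."""
    lines = [f"[{service}] recovery answers (random, stored here only)"]
    lines += [f"Q: {q}\nA: {a}" for q, a in answers.items()]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample questions, typical of what recovery forms ask.
    questions = ["What was your first car?", "In what city was your mother born?"]
    answers = generate_recovery_answers(questions)
    print(vault_note("example-service (placeholder)", answers))
    print(f"random answer: {entropy_bits(20, len(ALNUM)):.1f} bits")
    print(f"real answer from ~100 cities: {guessable_bits(100):.1f} bits")
```

The comparison is the point: a 20-character alphanumeric answer carries roughly 119 bits, while a truthful answer an attacker can narrow to a hundred candidates is under 7 bits, which is why the truthful answer is the weak link regardless of the password. Keep the note in the same vault entry as the password so you can still pass a support call, and treat any service whose recovery flow ignores the question entirely (mailing a reset link on request, for instance) as a separate problem this does not fix.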

With all of this in mind, I spent a number of hours today going through all of my major online services and reviewing how the password and account recovery options work, as well as what personal and credit card data they were storing. And while it was a huge PIA and sucked away much of the day, I may have just spared myself from the kind of pain that Mat went through.