Lazy may be too harsh, but there is a risk associated with doing what some sites offer when you log in for the first time. For example, the first time I recently logged into a website, I had the option of using Facebook or Google to log in. Essentially, I could use my Facebook or Google credentials to automatically log into a website with which I had no experience.
Now at first glance that may sound like a great idea. After all, I would only need one ID and password for both sites. But I didn’t accept the offer and you shouldn’t either. Here’s why:
Using the credentials from one website to log into another creates a possible security issue. If either site has a data breach exposing login credentials, both sites put me at risk. Once the breached data is available to evildoers, they will be able to get on both sites as me. Maybe I don’t care too much about Facebook (and I don’t), but I do care about Google.
So, let’s look at the threat level of exposed Google credentials. Logging into Google gives me (or hackers) access to my Gmail. It gives them access to my contacts and calendar. They would also have access to all my Google Docs, backed-up photos, Google Sheets, Google Drive, etc. They would be able to act like me for as long as it took to discover the breach. (Note: The last security breach potentially affecting me took two years to discover.)
And here’s the scary part—if any of the websites I log into using two-factor authentication (TFA) use an email for the TFA proof, then that additional level of security is compromised along with the website credentials. Consider the risk if you used your Gmail as your TFA credential with your bank.
Are you beginning to see the value in securing your credentials?
What can you do?
This will sound like a broken record for those of you who read my other articles, but the advice remains:
- Use long and complex passwords.
- Use a password only once.
- Don’t share your passwords and ID. (Many times, no ID is needed. It’s your email address that is readily available.)
- Use a password vault application to make this process easier.
If you have been affected by a security breach, get help. Don’t start by posting it on Facebook. Contact your bank, put your credit cards on hold, change the important passwords, contact your medical providers, your pharmacy, your lawyer, your family, etc. You are going to be busy for a while, but hopefully, there won’t be a severe impact.
Jarren Ringle is a member of SourcePoint and a volunteer instructor. He teaches various technology classes throughout the year. Jarren also volunteers at the Delaware County Office of Homeland Security and Emergency Management. With many years of project management experience in various technology fields, he enjoys helping others with technology.