
In need of advice on Password Recovery emails...

In the wake of Matt Honan's disastrous hacking situation, I'm revamping how my fiancee and I utilize our email accounts to recover passwords. I've been trying to finalize the best way to do this, and am coming up against a brick wall. (Maybe I'm over-thinking it, I'm not sure.)



One of the many common understandings that seems to be circling the web now, post Honan-Hack, is that your accounts should not be daisy-chained to one another. For example, your various email and financial accounts (i.e. your most important accounts) should have a different email address associated with them than your not-as-important other accounts. That way, if a hacker gains access to your "regular" email (the one you use to email mom and dad, the fellas, the wife and kids, etc.), they can't use that to gain access to your important accounts.



The specific advice given is that you should have a secret email address, one that:



1. doesn't have your name in it (so it can't be associated to you)

2. no one knows about

3. you do NOT use to send any email correspondence

4. you do not use to sign up for newsletters



That way, any password reset requests for your important accounts that are sent to this address should be safe.



Here's where I encounter trouble, using my bank as the example. My bank only requests one email address for all correspondence. Whether they need to email me my password reset info, or my monthly statement is ready to be viewed online, or they are contacting me about suspicious account activity, etc., all that information goes to the same email address. Doesn't that negate the intended purpose of security? Same for email accounts: if I use this secret email account to reset my passwords for my not-so-secret email accounts, then isn't that also daisy-chaining them together, thus destroying the security I'm trying to preserve?



What do you all do? How do you keep password reset/recovery information secure?



Thanks.

Comments

  • Penelope Pitstop (Junior Member)
    It requires quite a bit of hard thinking to work out what's best for you.



    Personally, I have a different email account for every financial service — maybe I'm paranoid. I also have a separate password recovery email address for those accounts that accept it.



    Regarding reset/recovery, the most important thing is to ensure that you don't give truthful answers to the security questions. It's too difficult for me to link to the relevant Agile blog post whilst writing this reply.
  • khad (Social Choreographer)
    I think you're thinking of:



    Blizzard and insecurity questions: My father’s middle name is vR2Ut1VNj (http://blog.agilebits.com/2012/08/11/blizzard-and-insecurity-questions-my-fathers-middle-name-is-vr2ut1vnj/) :)
  • The18thLetter (Member), edited December 2012
    khad wrote:
    > I think you're thinking of:
    > Blizzard and insecurity questions: My father’s middle name is vR2Ut1VNj (http://blog.agilebits.com/2012/08/11/blizzard-and-insecurity-questions-my-fathers-middle-name-is-vr2ut1vnj/) :)



    Hey Khad and Penelope,



    Thanks for your input. I've seen that post before, and have made those changes in terms of security questions and answers, but still feel a bit lost as to a strong method for recovery emails not being linked to each other. One recovery email that is used for Amazon, my bank, my Amex and my Visa seems to defeat the purpose of security. If a hacker gains access to one with that email, then he'll have access to all, no? Again, maybe I'm over-thinking it and missing the obvious. Or maybe Penelope is right, and I need a separate email address for my accounts.
  • jhollington (Junior Member)
    I use a common e-mail address for all of the above, but it's a Google Apps (Gmail) account, with a highly secure password (that actually *isn't* stored in 1Password -- only in my head :) ) and two-factor authentication turned on, so it's very difficult to actually hack into without my knowing about it. Since the e-mail account ends up being at the center of just about everything, something that provides extra factors of authentication is always strongly recommended.



    Further, in my case none of my actual financial institutions do any kind of e-mail-based password recovery -- I need to either answer the questions or call them directly to get something like that done. In fact, my primary bank doesn't really do *any* e-mail communications at all. For security questions I simply lie, completely and utterly. The lies are effectively diceware phrases specific to each question, so I don't even need to store them in 1Password either.



    I'm less concerned about third-party providers like Amazon and iTunes that might have my information on file as I generally protect myself by only using specific, low-limit or prepaid credit cards for online transactions anyway, thereby limiting my exposure, and I monitor all of my credit cards and other financial accounts daily.
  • An important thing to keep in mind for those of you who want to set up a free e-mail account for password recovery only: most webmail services will de-activate idle accounts after a period of inactivity. If you seldom log into an account created just for this purpose, you may lose the account, and any sort of recovery, altogether.
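The "lie to every security question with a diceware phrase" approach that jhollington and the linked AgileBits post describe can be made mechanical. The script below is an added example, not code from this thread, from 1Password or from AgileBits: it draws each answer from a CSPRNG, gives every question its own independent phrase, and sizes the phrase to a target entropy. The word list embedded here is a constructed stand-in for a real Diceware list (which has 7776 words); the entropy arithmetic uses the actual list length, so the numbers become realistic as soon as a real list is substituted.

```python
"""Random, per-question answers for account "security questions".

Added example (not from the forum thread or AgileBits). The idea: a security
question is just a second password that the site chose badly for you, so
answer it with a random passphrase and keep that phrase in the password
manager next to the login.
"""
import math
import secrets

# Constructed, deliberately tiny word list standing in for a real Diceware
# list. 32 distinct words -> log2(32) = 5 bits per word. A real list gives
# log2(7776) ~= 12.9 bits per word.
WORDLIST = [
    "acorn", "baker", "cider", "delta", "ember", "fjord", "gable", "hinge",
    "ivory", "jolly", "kayak", "lemon", "mango", "noble", "olive", "piano",
    "quilt", "raven", "saber", "tulip", "umber", "vivid", "wheat", "xenon",
    "yacht", "zebra", "amber", "bison", "cobra", "dune", "eagle", "flint",
]


def bits_per_word(wordlist=WORDLIST) -> float:
    """Entropy contributed by one uniformly chosen word."""
    return math.log2(len(wordlist))


def words_for_bits(target_bits: float, wordlist=WORDLIST) -> int:
    """Smallest word count whose phrase meets the target entropy."""
    if target_bits <= 0:
        raise ValueError("target_bits must be positive")
    return math.ceil(target_bits / bits_per_word(wordlist))


def phrase_entropy_bits(words: int, wordlist=WORDLIST) -> float:
    """Entropy of an n-word phrase drawn uniformly: n * log2(len(list))."""
    return words * bits_per_word(wordlist)


def diceware_phrase(words: int, wordlist=WORDLIST, sep: str = " ") -> str:
    """Pick `words` entries with secrets.choice (CSPRNG), never random.choice.

    `sep` exists because some sites reject spaces in answers; a hyphen or
    empty separator keeps the entropy identical.
    """
    if words < 1:
        raise ValueError("a phrase needs at least one word")
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def answer_security_questions(questions, target_bits: float = 40,
                              wordlist=WORDLIST, sep: str = " ") -> dict:
    """Map each question to its own independent random answer.

    Independence matters: reusing one lie across sites lets a breach of one
    site answer the "what was your first pet" prompt at every other one.
    """
    n = words_for_bits(target_bits, wordlist)
    return {q: diceware_phrase(n, wordlist, sep) for q in questions}


if __name__ == "__main__":
    # Hypothetical prompts, as a bank or retailer might phrase them.
    prompts = ["Mother's maiden name?", "First pet's name?", "City of birth?"]
    answers = answer_security_questions(prompts, target_bits=40)
    n = words_for_bits(40)
    print(f"{n} words per answer = {phrase_entropy_bits(n):.1f} bits each")
    for prompt, answer in answers.items():
        print(f"{prompt:28s} -> {answer}")
```

Store the resulting question/answer pairs in the same password-manager entry as the login; the point of the phrase being random is that it can only ever be recovered from that entry, not from public records or a chatty relative.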
