Tuesday, April 28, 2009

Keep Your Password to Yourself

There is a growing trend to treat passwords as public information that can be shared with pretty much any service. This is being driven by services that want to tap into content stored elsewhere, on systems they don't directly control. So they ask users to enter their passwords, and may offer assurances that the data won't be stored after use.

Web 2.0

Social networks want to know everything about you: your contact information, your friends, etc. But such data can be distributed among several services. For example, the e-mail addresses of your friends may be stored in your webmail account, while contact information for your relatives is on a couple of different social networking sites. Various websites try to make it easier by gathering all the information automatically for you. Facebook will ask you to provide your credentials for AIM, Gmail, etc. and use this information to identify a list of your potential friends. That's right, they ask you to give away your login and password so they can directly access your e-mail account. There is no obvious warning, and no mention of a privacy concern. Giving away your password looks mundane, something you should not have to worry about.

Would you give away the login and password to your online banking service? Your PayPal password? No. But asking for access to your Gmail account, which may contain sensitive e-mail messages, is apparently just fine.

Enterprise culture

This attitude toward passwords is not restricted to Web 2.0 sites. In many companies, asking the IT department for help means giving them your personal password as a standard procedure. The same password may allow someone to change your 401K contribution, access your paychecks online, or give a bonus to your direct reports.

It is also common to share personal passwords with co-workers because it is more convenient. Security and ease of use are often in contradiction, and the two need to be balanced. But sharing your IT password should never be an option.

Better practices

Especially in the enterprise, a strong message needs to be put forward to let employees know that:
  • A personal password must never be shared, without exception
  • Credentials must always be entered over an encrypted protocol that does not permit clear-text transmission: HTTPS for websites, GPG/PGP/S/MIME for e-mail, SSH for remote shell access, etc.

If you do need to share a password with a friend or co-worker, that password should not be used for any other service.

As for Web 2.0 sites, a few companies have started to offer ways to let users share their data with third-party applications without giving away their password: Facebook Connect, OAuth (Twitter, Yahoo, Netflix, Google), etc. This needs to be encouraged.
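To make the difference concrete, here is an added toy model (not part of the original post, and not OAuth or any real provider's API): a constructed webmail provider that can either accept the user's password directly, which grants everything to whoever holds it, or issue a scoped, revocable token after the user logs in at the provider, so a friend-finder can read contacts without ever seeing the password or the mailbox.

```python
import hashlib
import hmac
import secrets


def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Provider:
    """Constructed toy webmail provider with one user's contacts and mail."""

    def __init__(self, user, password):
        salt = secrets.token_bytes(16)
        self._creds = {user: (salt, _digest(password, salt))}
        self._tokens = {}  # token -> (user, frozenset of granted scopes)
        self._data = {"contacts": {user: ["bob@example.com", "carol@example.com"]},
                      "mail": {user: ["Subject: 401k statement", "Subject: offer letter"]}}

    def check_password(self, user, password):
        if user not in self._creds:
            return False
        salt, stored = self._creds[user]
        return hmac.compare_digest(stored, _digest(password, salt))

    # Password sharing: whoever holds the password reads every resource, indefinitely.
    def read_with_password(self, user, password, resource):
        if not self.check_password(user, password):
            raise PermissionError("bad credentials")
        return self._data[resource][user]

    # Delegated access: the user logs in at the provider and consents to a scope;
    # the third party only ever receives the token, never the password.
    def issue_token(self, user, password, scopes):
        if not self.check_password(user, password):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (user, frozenset(scopes))
        return token

    def revoke(self, token):
        self._tokens.pop(token, None)  # the user can cut off a third party at any time

    def read_with_token(self, token, resource):
        entry = self._tokens.get(token)
        if entry is None:
            raise PermissionError("unknown or revoked token")
        user, scopes = entry
        if f"{resource}:read" not in scopes:
            raise PermissionError(f"token not authorised for {resource}")
        return self._data[resource][user]
```

A friend-finder holding a `contacts:read` token gets the address list and nothing else, and the user can revoke that token without changing a password that the third party never had.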

-- Julien
