Post #107898 by hanford_lemoore on Thu, Aug 12, 2004 1:21 AM

This is a GREAT post, Mick. Thanks for bringing it up ...

You know, you can visit a site that offers a free service, let's say free photo hosting. Now, they'll ask you for an email address and a password. No money, mind you.

Commonly people will enter their email address and the SAME password they use for that email address! If the website is crooked, they have just been handed the keys to their member's email account, which could be quite dangerous.

While you can probably trust your password to Yahoo or Amazon, can you trust your same password to freephotohosting.com for example? For PayPal, the login IS your email address, so you might have just handed some website your PayPal login and password if you use the same password for everything. Once they have access to PayPal, they have access to cash. Hell, they could automate a PayPal check for every new user that logs in ....

But think about it ... you're handing a password and your email address over to a website. How much do you know about this website? Can you trust them with this information? Who knows if it's just a guy running the site, reading everyone's passwords and trying the password on the email account? On the eBay or PayPal account? The best method to use here is to have a different password -- a low-security password -- to enter in websites like that. Make your email or ISP login password unique and never give that out.

Early on when I started Tiki Central I started getting bounced registration emails from users who entered their email address incorrectly. At the time this email included their name, email address, and password in plain text. I didn't like the idea of seeing other people's passwords, so I changed that email to say "password not displayed for security purposes" or something like that. And Tiki Central saves people's passwords in an encrypted form that is non-decryptable, not even by me.

My suggestion is to have "trust levels" for passwords. Have a high-security password for the few websites you trust with money and personal info. Have a low-security password(s) for sites you don't trust, which should only be sites that won't be dealing with your sensitive data.

Okay, I'll get off the soapbox now.

~Hanford