Password recovery methods, available on almost any website that you can make an account on, are more than likely to be tethered to a user’s email address. If a person has sincerely forgotten the passphrase to their account, they would typically use such a feature to regain access. Today, the average internet user might have fifty or more online accounts connected to their digital identity. Is it really all that safe to trust your entire digital key ring to an email account?
You can install every shade of anti-malware and anti-keylogger software under the sun; you can make use of multi-factor authentication or one-time passwords, and you can even have 30+ character passwords. But the truth is, all of these are merely obstacles in the way of hackers and can certainly be outmaneuvered. Malicious software, if crafted carefully, can avoid detection by many anti-malware solutions. Multi-factor authentication methods are prone to man-in-the-middle attacks, and automated password cracking can now be done with a desktop PC, using wordlists readily available across the web.
According to How Secure Is My Password?, it would take a desktop PC approximately eleven minutes to crack an 8-digit passcode that AOL.com considers “strong”. Eleven short minutes, and anyone can gain access to all of your accounts, which in turn, could give them unlimited access to your financial information, sensitive documents, family photos, emails and chats, and even your current GPS location.
The responsibility to secure your digital keyring lies not only with you, but also with the websites that you use. To this day, there are websites that set a limit on the number of characters you can use in a passphrase (usually something under 20 characters), and some don’t even advise against using dictionary words or personal information in login details. Educating users about proper security practices should be a top priority for all online services.
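A server-side policy check of the kind this paragraph argues for, added here as an example (not code from the original post): it imposes no usability cap on length, rejects dictionary words and personal details, and estimates how fast the keyspace grows with length. The wordlist, the personal-information list and the guess rate of one billion per second are assumed sample values.

```python
import re

# Constructed, tiny stand-in for a real wordlist (a production check would load
# a large breached-password / dictionary list).
COMMON_WORDS = {"password", "letmein", "welcome", "dragon", "sunshine", "qwerty"}

MIN_LENGTH = 12
# Upper bound only to avoid hashing huge inputs (DoS), not a usability cap.
MAX_LENGTH = 1024


def charset_size(password: str) -> int:
    """Estimate the alphabet an attacker must search, from the classes present."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        size += 33  # printable ASCII symbols, space included
    return size


def brute_force_seconds(password: str, guesses_per_second: float = 1e9) -> float:
    """Worst-case time to exhaust the keyspace at an assumed guess rate."""
    return charset_size(password) ** len(password) / guesses_per_second


def check_password(password: str, personal: list[str]) -> list[str]:
    """Return policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    lowered = password.lower()
    # Catch whole dictionary words and common leet-style substitutions of them.
    normalized = lowered.translate(str.maketrans("0143$@!", "oiaesai"))
    for word in COMMON_WORDS:
        if word in lowered or word in normalized:
            problems.append(f"contains dictionary word '{word}'")
    # Reject personal information (name, email local part, birth year, ...).
    for item in personal:
        item = item.lower()
        if len(item) >= 3 and item in lowered:
            problems.append(f"contains personal information '{item}'")
    return problems
```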
It is well understood that the human element is the weakest component of a security system. People can be easily manipulated into divulging information that could compromise even the most complex security systems, in a practice called social engineering. Also called human hacking, this practice can be used for good, such as in the work of “white-hat” penetration testers and security auditors, but of course, also in the work of “black-hat” individuals.
Customer-support-induced password recovery is a simple technique used by a teenage hacker known as Cosmos, which granted him access to countless web accounts. This method involves posing as someone else to a web service’s support team in order to convince them to grant access to a person’s account. Often, in attempting to verify that the caller is who he or she claims to be, the representative asks for vague, personally identifiable information that can be found on a user’s social media profile(s) or with a simple background check. Of course, there is always the $5 Wrench Trick.
As you can see, there are many exploits, of both the human and technical variety, that can be used to gain unauthorized access to online accounts. Of course, they can be applied to any email account, the digital key ring that could unlock numerous online accounts belonging to a single user. Email’s intended use is communication, not online account management. Be smart, and don’t let anyone get a hold of your key ring.