It seems obvious, but it’s never a good idea to use the same passwords for different email accounts, domain registrar accounts, bank accounts…etc. Whenever you need to log on to an account online, it’s best to have different complicated login passwords. If you use the same password and that is stolen by a thief, they will have access to all of your private information and can easily log into your account and take control of everything:
From the Boston Globe,
“Using the same password for multiple Web pages is the Internet-era equivalent of having the same key for your home, car and bank safe-deposit box.”
Whenever it is offered, I strongly advise that you get a security fob to add an extra layer of protection to your accounts. I have a Paypal security key (which costs just $5.00), and I have recommended that at least one domain registrar implement this level of security to protect our digital assets.
Hi Elliot,
That’s a great idea from a secrity standpoint and as a business idea, for anyone with the expertise to execute on it.
BTW, why didn’t you register Securityfob.com and securityfobs.com after you original post? They were registered along with securitykeyfob(s).com about a week after that post, and I just registered security key chain(.)com and security key chains(.)com. I’ll definatly cut you in if I ever sell them.
great tip. i’m going to check out the paypal one, i never knew such a thing existed.
Agreed that a registrar needs to jump on board with the key fobs. Outside of banks, registrars probably hold some of the largest amount of simple digital assets in the world.
At some point these security companies need to take total controll of the business so that we can reduce the amount of fobs to carry around. I have several and it is a major pain in the ass as my keychain grows. If a registrar wants to do it right, they should contact the company that provides the Paypal security key and team up with them to use the same key. You just need to prove that you own both accounts and then you can use the same security fob. There is no risk between vendors because you would still need a seperate password for each vendor.
Anyone see anything wrong with this logic? I’m no security expert, but it makes sense to me that this is an industry where a monopoly (or maybe 2 players) should dominate the market.
Elliot, that’s good advice. More online companies need to start using the security tokens from RSA. They are simple to use and very effective. They’re great for securing applications, VPN access etc.
– Richard
Great and Informative post
@Conor
The way that one time tokens (that’s the industry term for them) work is that the site owner runs a key server on their back end that takes care of the verification of the token.
If companies were to team up to let customers use only one token, they would need to share or distribute the key server verification. I bet no one wants to share !
– Richard
I’ve been using this security key from Paypal since they introduce this service, defitely a great security protecting your online account.
No just registrar, I don’t know why banks is not doing this practice.
@Emil
Perhaps you should look for another bank. Many of the big banks and online brokerage firms are using one time tokens for logins and transactions like wire transfers and stock trades.
Heck, even some of the banks in the Bahamas use one time tokens !!
– Richard
Great post, and a good reminder that when it comes to web security, it’s usually the simple missteps that can cause the biggest problems.
——————————————————
Fred Reckling
Microsoft Security Outreach Team
http://www.microsoft.com/hellosecureworld/level7