On 07. Jun, 2012, Greg R wrote:

> What is frequently missed during these internal discussions is that practically every website out there uses an email address as the recovery channel for forgotten account/password. So it isn't just 'same account name' that you have to worry about, it's 'same recovery email address', which is highly likely to be uniform or a very, very small list.

If sites like LinkedIn would stop blocking valid characters like +,
more people could at least somewhat have one-off email addresses. That
misfeature kept me off LinkedIn for years. The only reason I finally
created a LinkedIn account was in order to contact one person.

Allowing typical recipient delimiters would also allow them to put in
better filtering as they could make sure email from $service is coming to
$email_address_for_service and mark everything else claiming to be from
$service as spam. That doesn't quite work for LinkedIn ( and probably most
social networking sites ) as people will invite whatever email address
they know. It does work well for financial institutions, utilities, etc.

Better separation of official email from spam email is in the best
interest of the corporations/sites.

Currently, most people with a small list of email addresses probably only
have multiple email addresses because their email address has changed and
they no longer have access to the old email addresses. Wonder how many
former eHarmony customers ( probably only if there's a no cost option and
I don't know if there is ) suddenly have active accounts looking for dates
and the actual account holder isn't getting email alerts...

> Because of this, I remind people that the login information for their primary email accounts should be treated to bank-like security. Events like these are good reminders of that.

Yup. It's also good to remind them to have secondary accounts in addition
to the primary accounts or at least use recipient delimiters to pretend
there are multiple accounts.

If there isn't a list of allowed recipient delimiters for common mail
services ( gmail, yahoo, aol, etc ), then we should make one :).

For sites that have usernames rather than email addresses for logging in,
use a random string for those as well :).

"Welcome back Herr/Frau sdfjk3L"82;;8a. Glad to see your return." :)

Use random strings for challenge question responses and also for the
questions when you're allowed to create your own question.

All the random string ideas do presume that one uses a password manager of
some sort :).

I learned recently that most places using a 4 digit pin will actually
accept 5 and maybe 6 digit pins. Using the longer pin should make it less
likely to be cracked since most people wouldn't know to check. Then again,
if the cracking libraries know to check...

I wish I'd known the problem the + would be and had chosen something
else as my recipient delimiter all those years ago. Even more, I wish
sites/corporations would stop restricting valuable and allowable
characters in email addresses, usernames and passwords.

ciao,

der.hans
--
#  http://www.LuftHans.com/        http://www.LuftHans.com/Classes/
#  <betsys> "it's not what you do, it's how the whiteboard looks..."
_______________________________________________
Discuss mailing list
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
 http://lopsa.org/
