Passwords are nowhere near useless in era of mobile apps
Originally posted to www.indefenseofdata.com
Recently a friend of mine lost her smartphone. She sent out a message to all her friends in her social network about how she wouldn’t have a phone for a few days. She also did the right thing and went to her mobile carrier and reported it lost, turning the service off. Unfortunately though she wasn’t using any smartphone feature to find her phone or remote wipe it. But at least she was able to make sure it had no access to rack up her phone bill.
All good right?
Unfortunately, her smartphone did not require a passcode to access the apps. Ugh. I asked her about this and she replied back that it was no big deal because she didn’t have any really private information on there, and if so, the phone had no 3g access anymore to send anything off of it. Also her password would be required to sync the data off of it.
No worries then?
This is a common thought with consumers I think, and perhaps an even more sophisticated answer than most users might give.
The reality of course, is that someone could simply put the smartphone on free Wi-Fi and use her email app to reset most of her important passwords. Online bank password? Click “Forgot Password”; approve change via smartphone app. Done.
To combat things like this many sites require that you answer security questions in addition to having access to an email account. There have been some high profile arrests however in cases where people use publicly available information to defeat that too.
The fact is, if you have email access on your smartphone using a mail app that does not require a password to open it (i.e. all of us) then having access to your smartphone is pretty much game over for identity theft and much worse.
At work, we all sort of know this intuitively and most customer IT teams require a passcode for this very reason. But I HIGHLY recommend you make sure your family and friends understand this as well. Until the smartphone vendors start making a required password a default, your friends and family may be at great risk.
It’s worth pointing out though that while passwords will deter curious people finding a smartphone in a cab or airport, passwords like 1234 don’t help much beyond that. The requirement for at least seemingly random passwords is still a must.
When I talk about this with most of my friends and family, nearly 100% of them are using a visual pattern to easily remember a password. The 4 numbers in the corners? A “Z” pattern across the dial pad? A reverse “Z” pattern? An “L” pattern? There are only a number of these and any attacker trying to get to your smartphone will certainly try them.
On a related note, I found a pretty good blog posting about picking secure passwords. The author suggests dividing up sites by risk, and applying harder passwords to the riskier sites. This would allow you to have “throwaway” passwords for sites with little-to-no risk that are easy to remember, yet still protect the important stuff. I had been following this method intuitively. My online bank password for example is not written down or saved anywhere and is completely random. But, on less risky sites, I use PasswordSafe on my work machine and 1Password on my Mac.
The only thing I would add though, even though many email systems still send the password in clear text, is to put email into the “Banks” zone of risk. Getting access to your email pretty much leads to owning everything else about you since most “Forgot Password” systems can still be used simply by having access to someone’s email account.
I advised my friend to go IMMEDIATELY change her email password. This would cause the app on the smartphone to fail authentication and prompt the new owner of her phone for the correct password and likely mitigate at least this issue. She had thought of the risk of the data on the smartphone. She had thought of the risk to her phone bill. But something as simple as her email password wasn’t a thought at all.
Be safe. But make sure your family and friends are too.