Post by Admin on Apr 7, 2017 9:02:48 GMT -5
I know it is tempting to use the same login name on multiple sites. And for that matter, the same password. And, heck, none of us set up a new EMAIL address each time we join a new web site. But I'd like to have a frank chat about login, password, and email security, and the possible impacts to YOU and YOUR PRIVACY... and even your safety.
I'm not trying to scare anyone. I'm trying to give you some hard cold facts so you can make security and privacy decisions that best suit your situation. I'm also disclosing some facts of the way that ProBoards (this forum's host) works, FYI.
Password safety, inadvertent loss:
a) If ever you use the same login name and password on two different sites, if it becomes compromised on one site, your account at the other becomes vulnerable, too.
b) In the case of this forum, we are hosted by ProBoards. I believe ProBoards only stores your hashed (encrypted) password. (I will try to confirm this, and update this post.) Data loss of your encrypted password is usually of minimal risk; it is very hard for someone to extract your "real" password and use that to impersonate you here or elsewhere.
c) Some sites save your password "in the clear"; this is a VERY dangerous practice. You MUST use a unique password on these sites to make sure that loss of your cleartext password is not used to impersonate you on other sites. How do you know if they do? Generally, you won't. A) You can ask. B) If ever they have an option that says "email me my password", and the site emails your password back to you in the clear, you know they are using a VERY unsafe design.
Password safety, who has access:
e) In this forum, neither myself as Admin nor any of the mods have access to EITHER your cleartext or encrypted password. Nor can we cause or request for it to be reset. This security layer is entirely between YOU and ProBoards. If you trust ProBoards, good.
f) In the case of other sites: you need to decide if you trust their privacy policy and system design.
Email address, who has access:
g) In this forum, Admin and the mods ("the staff" of the forum) DO have access to your email address. This is how ProBoards sets things up. This provides a way for the staff to reach you in case of some urgent matter; it also allows us to keep tabs on -- and if necessary, contact -- members who turn out to be kinda creepy or are otherwise questionable participants. When I invited each individual moderator to be a moderator, I asked them to pledge they would not access this info for anything other than bona fide forum matters, and they each agreed. If you trust me and the mods, good.
h) If you use the same login name and email address on another site that you also use here, anyone with access to THAT site's email addresses will then -- by seeing the same login -- know your email address here. This again comes down to a matter of trust: do you trust those who can "see" your email address THERE to not inappropriately connect it to your posts and private disclosures here?
Email address, inadvertent loss:
i) Email addresses ARE kept "in the clear". If any site is compromised, and inadvertently releases records connecting your login and email address (or has the info stolen), then any site where you've used the same coupling is now known to anyone who links the two together.
j) One way to protect against this is to use an "email forwarding service" or a "disposable email address". Google each to see if they are right for you. If you use this to create a unique email address for a given site, then if your "login/email" record is inadvertently disclosed from there, it at least doesn't disclose the email address that you used for other sites.
General questions or concerns? Post them here if they will be of interest to others; PM me if you have a question that is kind of private.
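Added example, not part of the original post: a small self-audit of your own account list that reports, for each site, which other accounts would be exposed if that site leaked its records, following items a), h), i) and j) above. The site names, logins, addresses and passwords are constructed sample data, and the function names are hypothetical.

```python
# Constructed sample inventory: (site, login, email, password). All values are made up.
ACCOUNTS = [
    ("forum.example", "quietfox", "me@mail.example", "correct horse 1"),
    ("shop.example", "quietfox", "me@mail.example", "correct horse 1"),
    ("news.example", "quietfox", "me@mail.example", "other-Pw-77"),
    ("health.example", "bluejay42", "health.x9@fwd.example", "uniq-Pw-31"),
]


def blast_radius(accounts, breached_site):
    """What a leak of breached_site's records exposes on the owner's other accounts.

    takeover: sites that share login AND password with the leaked account (item a).
    linked:   sites that share login AND email, so the identities can be tied
              together by anyone holding the leaked record (items h and i).
    """
    by_site = {a[0]: a for a in accounts}
    _, login, email, password = by_site[breached_site]
    takeover, linked = [], []
    for site, other_login, other_email, other_password in accounts:
        if site == breached_site:
            continue
        if other_login == login and other_password == password:
            takeover.append(site)
        if other_login == login and other_email == email:
            linked.append(site)
    return {"takeover": sorted(takeover), "linked": sorted(linked)}


def audit(accounts):
    """Blast radius plus suggested fixes for every site in the inventory."""
    report = {}
    for site, *_ in accounts:
        radius = blast_radius(accounts, site)
        fixes = []
        if radius["takeover"]:
            fixes.append("use a unique password")
        if radius["linked"]:
            fixes.append("use a per-site forwarding address")  # item j
        report[site] = {**radius, "fixes": fixes}
    return report


if __name__ == "__main__":
    for site, entry in audit(ACCOUNTS).items():
        print(site, entry)
```

An account with its own login, password and forwarding address (the last row) comes back with empty lists: a leak elsewhere reveals nothing about it.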