Wow, I knew it was a problem, but the scope is mind-boggling. At least one of you out there is probably making this mistake. According to the security firm Trusteer, 73% of people use their bank passwords at other sites as well. You can read the article on MSNBC. In addition to that statistic, Trusteer found that 42% of users use their banking ID and password on at least one other non-financial site.
Recently Rockyou.com coughed up 32 million email addresses and passwords. Once someone logs into a person’s email account, it is entirely plausible that they can find out that person’s commonly used “IDs”. In fact, often by googling an email address I can find out “IDs” that a person uses.
In addition to the data breaches, a large number of people fall for phishing attacks in which they think they are only giving up the password to their Hotmail, Yahoo, or Gmail account, but in reality, because of poor password practices, they have given up everything. Stop for a moment and think: if someone really does need your password to your email account, do you really want to give them the password to your bank account too?
There are some interesting perspectives in the story about password management.
“Last year, analyst firm Gartner released a survey that reported similar results. It said two-thirds of consumers use the same one or two passwords across all Web sites they access. But Avivah Litan, who directed the Gartner survey, said that choice might not be as unreasonable — or as unsafe — as it seems. "They are making a choice for convenience over security," she said. "They are using a cost-benefit equation … and they don't want to try to remember 10 different passwords for everything they do. They don't think the trade-off is worth it, honestly."”
Well, I think that Litan is making an incorrect assumption. I don’t believe most users are making a cost-benefit choice, I think that most are acting without thinking about the situation. Part of the reason they may do so is that they don’t know enough to consider the trade offs and they don’t know about password management tools they can use.
Amit Klein, chief technology officer of Trusteer, makes a recommendation: “As a more practical goal, he recommends maintaining three "families" of passwords — one for critical financial sites, a second for sites that store your personal information, and a third for generic log-ins.”
This is perhaps an acceptable compromise, but for financial and personal sites, such as banks, email accounts, social networking accounts, etc., I still recommend a password manager and unique passwords. Litan points out that if there is a keystroke logger on the machine then unique passwords don’t matter. There are two exceptions: the keystroke logger may be detected before you have used all of your different passwords, and not all keystroke loggers capture all types of usernames and passwords. Some loggers are only looking for online games, or for banks.
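As an added example (not code from the original post or from Trusteer), here is a small Python audit of a constructed password-manager export that flags reuse across Klein's three "families", treating a financial password that also appears outside the financial family as the worst case. Site names, family labels and passwords are all invented for the sample.

```python
"""Audit a password-manager export for the reuse patterns discussed above."""
import hashlib
from collections import defaultdict

# Constructed sample export: (site, family, password). A real export would be
# parsed from the manager's CSV; every value here is invented.
SAMPLE_VAULT = [
    ("bank.example", "financial", "Tr0ub4dor&3"),
    ("broker.example", "financial", "Tr0ub4dor&3"),
    ("webmail.example", "personal", "Tr0ub4dor&3"),   # bank password on webmail
    ("social.example", "personal", "correct horse"),
    ("news.example", "generic", "correct horse"),     # personal password on a generic site
    ("forum.example", "generic", "letmein"),
    ("games.example", "generic", "letmein"),          # reuse within one family
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}


def fingerprint(password: str) -> str:
    """Short SHA-256 digest so the report can group passwords without echoing them."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def audit_reuse(vault):
    """Group entries by password and rate each shared password.

    critical: shared between the financial family and any other family
    high:     shared between two non-financial families
    medium:   shared only within a single family
    """
    groups = defaultdict(list)
    for site, family, password in vault:
        groups[fingerprint(password)].append((site, family))
    findings = []
    for fp, members in groups.items():
        if len(members) < 2:
            continue  # unique password, nothing to report
        families = {fam for _, fam in members}
        if "financial" in families and len(families) > 1:
            severity = "critical"
        elif len(families) > 1:
            severity = "high"
        else:
            severity = "medium"
        findings.append({"fingerprint": fp, "severity": severity,
                         "sites": sorted(site for site, _ in members),
                         "families": sorted(families)})
    return sorted(findings, key=lambda f: SEVERITY_RANK[f["severity"]])


if __name__ == "__main__":
    for finding in audit_reuse(SAMPLE_VAULT):
        print(finding["severity"].upper(), finding["families"], finding["sites"])
```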
Using your banking ID or password at multiple sites is not a very good idea.
Director of Technical Education
Author ESET Research, ESET