I would rather cut bait than be phished in Hotmail's waters
Nagging Capital One credit card commercials ask, "What's in your wallet?" Perhaps for the connected age, the question should be "What's in your digital wallet?" If the answer is a password used at Windows Live Hotmail and pretty much everywhere else online, your wallet may have been stolen.
As reported earlier today by Neowin, on October 1st someone briefly posted online thousands of Hotmail (i.e., Windows Live) account passwords. The number of pilfered accounts could be much higher. The source of the account information remains uncertain, although Microsoft claims they were gathered through phishing expeditions. I decided not to wait to find out.
I spent about four hours today scouring the Web to change my account passwords everywhere. MY GOD! Where did all these fraking accounts come from? Last count, my total is 35, and more of the little buggers are popping up as I search my memory and email archive.
Three Windows Live IDs, three Gmail accounts, two bank accounts, Facebook, Twitter and Yahoo are among the many. The number would be even higher if not for some connected accounts, such as Yahoo to Flickr or Gmail to YouTube.
I've got to ask: How many places do you have online identities? Please answer in comments. I'm remembering more as I write, putting the number at 40 since I started this post. It's really a nightmare of management. What ever happened to the promise of one online identity for everywhere?
I assumed there was no imminent threat of identity theft, but wondered, "Why be reckless?" So I treated the situation as a real threat, which meant performing some triage -- which accounts to change first, meaning those with the greatest risk. I present my choices for discussion and also perhaps to help other people to manage their password changes.
My problem -- and perhaps yours, too -- is that my identities, name or email address, are pretty much the same across the Web. The point of the social Web is to be found by people you know or want to know. My similar identities can easily be found across numerous Websites. One password could unlock many of them.
I mainly use a variation of two passwords, with 13-19 characters. The third password is shorter and less complex, for those stupid sites restricting passwords to no more than 12 characters. In days gone by, I would mix symbols with numerals and letters, but an increasing number of sites won't allow them. Idiots!
This new set of passwords separates Windows Live from the other 40 or so online accounts. I also increased the number of passwords across different sites. If I've got to change them all, I might as well make the effort worth something.
I started the password changes with the three Windows Live accounts, seeing as how the Microsoft service is Patient Zero. From Hotmail the password malady could spread. That's really a denial attitude. Someone already leaked the passwords. Gulp.
I next shifted my attention to email accounts and others where my name is the username. Next: My blogs. I then moved to accounts where money could be lost: Amazon, banks, PayPal and utility services, among others.
PayPal was a real pisser. Perhaps because I changed the email address, too, PayPal required my authenticating the password change with either the credit card or bank account number on file. PayPal presented partial numbers and other data as assurance of legitimacy. I got pissed because the verification process reinforces the kind of behavior phishers exploit. PayPal shouldn't request this information. If the service doesn't ask for this kind of information, well, I got phished from the PayPal site using Internet Explorer 8 (which I doubt).
After the money accounts, I moved on to others where I pay something, such as Netflix (subscribed February 1999) and Wall Street Journal Online (subscribed in autumn 1996). Lastly, I started working through some of the social media accounts. But there are so many I signed up for -- at least to test -- I may never uncover them all.
If someone had asked me last week how many online accounts I had, the answer would have been 15 to 20. Certainly not 45, which is the current count since starting this post. The accounts just keep adding up -- and I'm not a heavy forum user, which could really jack up the numbers. The new Web siren call is registration. "C'mon over here for our free stuff, but you have to register first. Don't worry, we'll protect your privacy." Yeah, right, but will you protect my identity if I use the same password at your site and 20 others?
I'm done griping, but don't you stop. I really want to generate a gripe session in comments about online identity and the shortcomings of managing who you are across multiple services. Please, let's dispense with any snotty comments about my whining. I'm not. This post was purposely written to generate discussion and for Betanews readers to vet their solutions.
The weakness of the social Web is simply stated: You are too many places.
How would you make it better?