- Login failed
- Incorrect user id and / or password
- Incorrect user id and password combination.
- Passwords are case sensitive
- User id and password combination do not match our records
These generic error messages tell you very little, and they tell someone trying to get unauthorized access to your account just as little. A more detailed explanation of why the login failed would help you get logged in, but it would help an attacker exactly as much. According to Wikipedia, "As of 2011, available commercial products claim the ability to test up to 2,800,000,000 passwords a second on a standard desktop computer using a high-end graphics processor. Such a device can crack a 10 letter single-case password in one day." That rate is staggering, and it gives a small glimpse of the tools someone out to get your personal information may be using.
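To make the difference concrete, here is an added example (not code from the original post) of two login handlers over a constructed in-memory user table. The detailed handler answers with the messages from the second list on this page and so reveals whether a user id exists; the generic handler answers every failure with one message and runs the password hash even for unknown ids, so the unknown-user path costs about as much as the known-user path. The hashing scheme (PBKDF2-HMAC-SHA256), the user "alice", and the `enumerate_users` helper are all assumptions made for the example.

```python
"""Added example: generic vs. detailed login error messages.

Not code from the original post. The user table, salts and the PBKDF2
parameters are constructed for this example.
"""
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 50_000  # assumption for the example, not a recommendation


def _hash_password(password, salt):
    # PBKDF2-HMAC-SHA256; a deliberately slow hash so each guess costs time.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


# Constructed sample user table: user id -> (salt, password hash)
_ALICE_SALT = b"constructed-salt-for-alice"
USERS = {
    "alice": (_ALICE_SALT, _hash_password("correct horse", _ALICE_SALT)),
}

# Dummy record checked for unknown ids so both code paths do the same work.
_DUMMY_SALT = b"constructed-dummy-salt"
_DUMMY_HASH = _hash_password(secrets.token_hex(16), _DUMMY_SALT)

GENERIC_FAILURE = "Incorrect user id and / or password"


def login_detailed(user_id, password):
    """The leaky version: the failure message says whether the id exists."""
    record = USERS.get(user_id)
    if record is None:
        return False, "User id does not exist"
    salt, stored = record
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return False, "Password is incorrect"
    return True, "Login successful"


def login_generic(user_id, password):
    """The hardened version: one failure message for every reason, and the
    expensive hash is computed whether or not the user id exists."""
    salt, stored = USERS.get(user_id, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash_password(password, salt), stored)
    if ok and user_id in USERS:
        return True, "Login successful"
    return False, GENERIC_FAILURE


def enumerate_users(login, candidates):
    """What an attacker does with distinguishable messages: submit a junk
    password for each candidate id and keep the ids whose message differs
    from the one returned for an id that certainly does not exist."""
    baseline = login(secrets.token_hex(8), "not-the-password")[1]
    return sorted(c for c in candidates
                  if login(c, "not-the-password")[1] != baseline)


if __name__ == "__main__":
    candidates = ["alice", "bob", "carol"]
    print("detailed handler leaks:", enumerate_users(login_detailed, candidates))
    print("generic handler leaks: ", enumerate_users(login_generic, candidates))
```

Run it and the detailed handler hands back `['alice']` from three guesses with a junk password, while the generic handler hands back nothing; an attacker facing the detailed handler can build a list of valid ids before spending a single guess on passwords.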
So what can you do to protect yourself?
If you are creating a new user account, or have a failed login attempt, and receive any of the detailed error messages in the list below, create or change your password to one you do not use with any other account. Using a different password for every account is always the best practice, but it can feel daunting; if you do reuse passwords, limit the reuse to a few accounts. The more places a password is reused, the more of your information is at risk when just one of those accounts is compromised. For help with creating passwords, read our "How to Choose Effective Passwords" post.
Some detailed error messages to be wary of:
- User id does not exist
- Password is incorrect
- Password may not contain special characters
- Password may not contain dictionary words
- Password must start with a letter
- Password must start with a number
- Password cannot end with a number
These errors are very specific, which helps you get logged in or create an acceptable password. However, they reveal the same details to anyone trying to sign in, whether they are the authorized user or not. For instance, "Password is incorrect" confirms that the user id exists, so an attacker can collect a list of valid ids before guessing a single password; "incorrect user id and password combination" reveals almost nothing except that the pair does not work. A message like "Password must start with a letter" tells anyone with bad intentions to drop every digit and special character from the first position in their password-cracking software. Every fact about the password format narrows the set of possible passwords, which in turn shortens the time it takes to crack one. Sites do have to state their password requirements when you create an account, or people would have to guess what is required. Giving out formatting details beyond that, such as that real words are not allowed, or that the password must start or end with a letter, number, or special character, should be treated as a bigger risk to the security of your data.
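The following added example (not code from the original post) puts numbers on that narrowing. It takes the formatting rules from the list above, computes how many candidate passwords of a given length survive each rule, and converts the count into time at the 2,800,000,000 guesses per second quoted from Wikipedia earlier on this page. The character classes are printable, non-space ASCII (26 lower, 26 upper, 10 digits, 32 symbols), which is an assumption; "may not contain dictionary words" is left out because it cannot be expressed as a per-position character set. The `combine` helper, also an assumption, shows how several revealed rules compound.

```python
"""Added example: search-space reduction from revealed password rules.

Not code from the original post. Character-class sizes assume printable
non-space ASCII; the guess rate is the figure quoted from Wikipedia.
"""
import string

LOWER = set(string.ascii_lowercase)     # 26
UPPER = set(string.ascii_uppercase)     # 26
DIGITS = set(string.digits)             # 10
SPECIAL = set(string.punctuation)       # 32
ALL = LOWER | UPPER | DIGITS | SPECIAL  # 94
LETTERS = LOWER | UPPER
NO_SPECIAL = ALL - SPECIAL

GUESSES_PER_SECOND = 2_800_000_000

# Each rule as (allowed first char, allowed interior chars, allowed last char).
RULES = {
    "no formatting revealed":             (ALL, ALL, ALL),
    "may not contain special characters": (NO_SPECIAL, NO_SPECIAL, NO_SPECIAL),
    "must start with a letter":           (LETTERS, ALL, ALL),
    "must start with a number":           (DIGITS, ALL, ALL),
    "cannot end with a number":           (ALL, ALL, ALL - DIGITS),
}


def keyspace(length, first=ALL, middle=ALL, last=ALL):
    """Number of passwords of exactly `length` characters when the first,
    interior and last positions are restricted to the given sets."""
    if length < 1:
        raise ValueError("length must be at least 1")
    if length == 1:
        return len(first & last)
    return len(first) * len(middle) ** (length - 2) * len(last)


def days_to_exhaust(space, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every password in `space` at `rate` per second."""
    return space / rate / 86400


def combine(*rule_names):
    """Intersect several rules: the more the site reveals, the smaller the space."""
    first, middle, last = ALL, ALL, ALL
    for name in rule_names:
        f, m, l = RULES[name]
        first, middle, last = first & f, middle & m, last & l
    return first, middle, last


def reduction_table(length):
    """(rule, keyspace, shrink factor vs. no rule, days to exhaust) per rule."""
    base = keyspace(length)
    rows = []
    for name, (f, m, l) in RULES.items():
        space = keyspace(length, f, m, l)
        rows.append((name, space, base / space, days_to_exhaust(space)))
    return rows


if __name__ == "__main__":
    # Reproduces the quoted claim: 10 single-case letters fall in under a day.
    print("26^10 letters:", f"{days_to_exhaust(keyspace(10, LOWER, LOWER, LOWER)):.2f} days")
    for name, space, factor, days in reduction_table(8):
        print(f"{name:36s} {space:22,d}  x{factor:5.2f} smaller  {days:8.1f} days")
    f, m, l = combine("must start with a letter",
                      "may not contain special characters",
                      "cannot end with a number")
    print("all three rules combined, length 8:", f"{days_to_exhaust(keyspace(8, f, m, l)):.1f} days")
```

A single rule such as "must start with a number" cuts the 8-character space by almost a factor of ten on its own, and the three combined rules shrink it by more than a hundredfold; that is the compounding the paragraph above is warning about.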
The information a site gives out about password formatting, whether during account creation or after a failed login, is out of your control. The user ids and passwords you create for those sites are in your control. The best way to protect yourself is to notice what information a site gives out, what additional information comes back as error feedback, and to choose unique passwords for sites that appear to be giving out too much. These small steps go a long way towards protecting this account, every other account you have, and your data.
As always, keep your information safe, it is well worth the effort.