Best Practices Series: Passwords – Protecting Against Ourselves
The Internet hosts a myriad of web portals that naturally involve entering or using information. Most of these require some type of identification, typically a user ID and a password.
The online information associated with, and protected by, the password is often compromised if a password is stolen, lost or copied. Loss of privacy and even identity theft can result. To protect our electronic ID and passwords we are typically required to:
- Use strong passwords – consisting of at least 8 alphanumeric characters, including lower- and upper-case letters and numbers
- Memorize our passwords – this is difficult if one has 40 accounts!
- Never reuse passwords across accounts – difficult if we need to memorize them!
- Change passwords regularly – difficult if we need to remember them all!
- Use computer programs to store them – storing all passwords in one piece of software is convenient but creates a single point of failure. An undiscovered bug or security flaw in this software could have dramatic consequences in the future.
A key problem is that few consumers follow the password security advice 100% of the time (we admit it’s hard). In fact, email accounts are very often compromised due to weak or stolen passwords rather than fancy cyber-attacks. Most of the time a dictionary attack (an attacker trying commonly used passwords, words and character combinations) on major email portals is sufficient to get inside many users’ accounts. A password is like a key to a house: once it is compromised, no additional encryption or security utilized on the account will help.
So how is EPRIVO more resilient? Can EPRIVO privacy protect us against ourselves?
While we can’t enforce password rules on the user’s email carrier accounts, EPRIVO email privacy (based on physical separation with digital security) is designed to be resilient against individual password leakages. Even if a user’s carrier email account is compromised, for example, the privacy of the EPRIVO emails remains unaffected, since no email carrier has enough information to reconstruct the emails in plaintext. In fact, even if a user’s two email carriers (used in the EPRIVO account) are simultaneously compromised, the stolen information is not sufficient to affect privacy. Furthermore, EPRIVO never stores emails. (If any carrier account becomes compromised, a user is nevertheless advised to at least reset the corresponding password immediately.)