Who Owns Your Passwords?
Recently a client requested a file containing his customers' usernames and passwords for one of our web applications. In most cases passwords are stored only as one-way hashes (not reversibly encrypted) and cannot be recovered, but the request raises an interesting question: who owns log-in names and passwords? Personally I think the customers do, because they choose the pair under the assumption that it's private and provides them unique access to their data. Here are some other points to consider:
Although unwise, many people reuse the same log-in name and password across multiple applications: online banking, credit card access, email, and so on. Handing these fields to the client would create a significant privacy risk, particularly when they are combined with the other personal data we hold. Put another way, someone could cause a lot of damage with your first name, last name, mailing address, ZIP, phone, log-in name, and password.
Also, identity theft is currently a high-profile concern. There are several active bills before Congress, and almost once a month another high-profile case hits the news. Already in 2012 we've seen Zappos, LinkedIn, and Wyndham Hotels get hacked, exposing customer data.
Not all of these stories specifically involve customer passwords, but here's one more article from a self-professed "password geek" who compiled a Top 10,000 list after analyzing a database of 6 million usernames and passwords. One statistic stands out: 79% of all users chose passwords that appear in the Top 500. With so much repetition, it's clear that revealing a username / password pair can be a lethal combination.
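The two technical points above, that passwords should be stored in a form nobody can recover (so a file like the one requested cannot exist) and that a large share of users pick passwords from a short list, can both be shown in a few lines. The following is an added example written for this page; it is not code from the author or from Dominion's applications. It assumes PBKDF2-HMAC-SHA256 with 600,000 iterations as the hashing scheme, and the blocklist is a constructed ten-entry stand-in for the published Top 500, not the real list.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the "Top 500" list cited in the article.
# A real deployment would load the full published list instead.
COMMON_PASSWORDS = frozenset({
    "password", "123456", "12345678", "abc123", "qwerty",
    "monkey", "letmein", "dragon", "111111", "baseball",
})

# Assumption: PBKDF2-HMAC-SHA256 with an iteration count in line with
# current guidance. Any modern password hash (bcrypt, scrypt, Argon2)
# would serve the same purpose.
PBKDF2_ITERATIONS = 600_000


def is_common_password(password: str) -> bool:
    """Reject anything on the blocklist, ignoring case."""
    return password.lower() in COMMON_PASSWORDS


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.

    The digest is one-way: there is no key that turns it back into the
    password, which is the property that makes a "password file" impossible.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def register(users: dict, username: str, password: str) -> None:
    """Store a new account; the plaintext is discarded after hashing."""
    if is_common_password(password):
        raise ValueError("password is too common")
    users[username] = hash_password(password)


def export_credentials(users: dict) -> list:
    """Everything the operator could hand over: usernames and hashes only."""
    return sorted(users.items())


if __name__ == "__main__":
    accounts = {}
    register(accounts, "alice", "correct horse battery staple")
    try:
        register(accounts, "bob", "123456")
    except ValueError as err:
        print("bob rejected:", err)
    print("alice logs in:", verify_password("correct horse battery staple", accounts["alice"]))
    print("export contains:", export_credentials(accounts))
```

Note the difference between this and "encrypted" storage in the literal sense: a reversibly encrypted password can be decrypted by whoever holds the key, so the operator could in principle produce the requested file. A salted one-way hash leaves nothing to decrypt, and the only thing an export can contain is the hash itself.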
Neil Bibbins has worked in the Internet industry since 1996 in a wide range of positions including Network Abuse Manager, Director of Subscriber Services, Terms of Service Specialist, and legal liaison. He has been with Dominion Dealer Solutions for over five years as the Director of Compliance covering all of the corporation's marketing channels, helping ensure that all communications are sent legally, successfully, and respectfully. He is also Dominion's email deliverability specialist, working to maintain the reputations of both internal email networks and servers maintained by third-party ESPs. He can always be reached at 413-327-3042 or at firstname.lastname@example.org.