Tuesday, April 5, 2011

A Reminder that Email Is Not Secure

Word is trickling out about an email server break-in that might have allowed criminals to obtain email addresses for half of the people in the United States. The potential scale of the leak is so large because the server in question delivered mass email messages for dozens of large online business-to-consumer brands. If you shop online regularly, it is fair to guess that your name and email address are no longer a secret.

That, like it or not, is the nature of email anyway. Even in the best of times, a message is handed from one server to the next on its way to the recipient, often without encryption between hops, and neither the sender nor the recipient controls, or can reliably audit, every machine that handled it along the way. That is the main reason it is so important not to put sensitive information such as account numbers and passwords in email messages.

It is also important to have relatively obscure passwords for your Internet accounts, and especially for your email account. You’ve likely heard about passwords before, but I’ll repeat some of the most basic points here: A password should not be a word or phrase that appears in a dictionary. It should not be personally identifiable information, such as your name or birthdate. It should not be a favorite song or book or anything else that you might write about online. All of these are relatively easy to guess. You’re doing reasonably well if you combine two or more unrelated things (words, numbers, punctuation) into one longer password, and better still if you use a different password for each account, so that one stolen password does not open all of them. Also, you should change passwords from time to time, and right away if you have any reason to think an account has been compromised. If you’ve been using the same email password since 2002, that is probably too long.

Email passwords are especially important because a person who has your email password can use your email account to gain access to many of your other online accounts: most web sites will send a password-reset link to the email address on file, so whoever reads your email can reset those passwords and lock you out. If you’re worried about someone breaking into your email, one of the best things you can do is change your email password to something that will be hard to guess.

When you receive email, it is important to remember that you can never really know who sent an email message. The name and address shown in the From line are simply text the sender typed, and ordinary email does nothing to verify them. If information you receive in email is critical, verify it in a more secure medium before relying on it as a basis for action: go to the organization’s web site by typing its address yourself rather than clicking a link in the message, or call a telephone number you already have, not one the message supplies.
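To make the last two points concrete, here is a short Python script (an added example, not part of the original post) that reads the headers of a received message, lists the chain of servers recorded in the Received lines, and compares the visible From address with the envelope sender. The message, server names, IP addresses and email addresses in it are all constructed for the example.

```python
"""Inspect the headers of a received email to see (a) the chain of
servers it passed through and (b) that the visible From: address is
just a header the sender typed, not an authenticated identity.

Added example for this post; the message below is constructed, and the
hostnames, IPs and addresses in it are made up.
"""
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed raw message: the From: header claims to be a bank, but the
# envelope sender (Return-Path) and the earliest Received: hop tell a
# different story.  All names and addresses are fictitious.
RAW_MESSAGE = b"""\
Return-Path: <bounce-9921@mailer.example-promo.net>
Received: from mx2.example-isp.net (mx2.example-isp.net [192.0.2.10])
\tby inbox.example.com with ESMTP id q35Abc123
\tfor <alice@example.com>; Tue, 05 Apr 2011 09:12:44 -0400
Received: from relay.example-promo.net (relay.example-promo.net [198.51.100.7])
\tby mx2.example-isp.net with ESMTP id r7Zyx987;
\tTue, 05 Apr 2011 09:12:41 -0400
Received: from [203.0.113.55] (unknown [203.0.113.55])
\tby relay.example-promo.net with SMTP id k11Qwe456;
\tTue, 05 Apr 2011 09:12:39 -0400
From: "Example Bank Security" <security@example-bank.com>
To: alice@example.com
Subject: Urgent: verify your account
Message-ID: <20110405131239.k11Qwe456@relay.example-promo.net>

Your account has been locked. Reply with your password to unlock it.
"""

HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)")


def parse_message(raw: bytes):
    """Parse raw RFC 5322 bytes into an email.message object."""
    return message_from_bytes(raw, policy=policy.default)


def received_hops(msg):
    """Return (from_host, by_host) pairs from the Received: headers in
    delivery order, oldest hop first.  Each relay prepends its own
    Received: line, so the header order in the message is newest first.
    Only the receiving server's own line is trustworthy; earlier ones
    could have been forged by whoever handed the message over."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(str(value).split())  # unfold continuation lines
        match = HOP_RE.search(flat)
        if match:
            hops.append((match.group(1), match.group(2)))
    return hops


def sender_mismatch(msg):
    """Compare the visible From: address with the envelope sender
    (Return-Path) and note whether the receiving server recorded any
    Authentication-Results (SPF/DKIM) verdict.  A domain mismatch does
    not prove forgery (legitimate bulk mailers do this too); it shows
    that From: is whatever the sender chose to write."""
    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, envelope = parseaddr(str(msg.get("Return-Path", "")))
    from_domain = from_addr.rpartition("@")[2].lower()
    envelope_domain = envelope.rpartition("@")[2].lower()
    return {
        "from": from_addr,
        "envelope": envelope,
        "mismatch": from_domain != envelope_domain,
        "authenticated_by_receiver": msg.get("Authentication-Results") is not None,
    }


if __name__ == "__main__":
    message = parse_message(RAW_MESSAGE)
    print("Path the message took (oldest hop first):")
    for from_host, by_host in received_hops(message):
        print(f"  {from_host} -> {by_host}")
    info = sender_mismatch(message)
    print(f"Visible From:    {info['from']}")
    print(f"Envelope sender: {info['envelope']}")
    print(f"Domains differ:  {info['mismatch']}")
    print(f"Receiver verified sender: {info['authenticated_by_receiver']}")
```

Run it and the hop list shows the message originating from a bare IP address and passing through a promotional mailer before reaching the recipient's server, while the From line claims a bank. Most mail clients hide everything but the From line; the “view source” or “show original” option exposes the rest.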