Lots of account hacking activity in the news recently. The Blizzard hack (via RPS) caught my eye because of some of the wording used to describe it:
“Some data was illegally accessed, including a list of email addresses for global Battle.net users, outside of China. For players on North American servers (which generally includes players from North America, Latin America, Australia, New Zealand, and Southeast Asia) the answer to the personal security question, and information relating to Mobile and Dial-In Authenticators were also accessed. Based on what we currently know, this information alone is NOT enough for anyone to gain access to Battle.net accounts.”
Now, I’ve trained my parents never to use the same password on any websites connected with billing information. That’s a no-brainer.
But I’ve always lied on those secondary verifiers because it just seemed like I should. It’s intuitive to me that I’d want to have different verifiers for each website *despite* them offering the same set of questions.
But I wonder if others are as careful? The recently publicized Apple/Amazon combo hack suggests that some combinations might be unavoidable, but that doesn’t mean you can’t take other precautions.
Have you used the same “mother’s maiden name” verification information across websites? Could the compromise of information you supplied to a “throwaway” website lead to compromise of a really important one?
If so, it might be time to go through all the websites you use most frequently, and change the information there. Yes, all of it. Then write down your new lies somewhere you can find them.
Secrets should be shared between you and each website – not between you and every website.
Because until we get to an identity metasystem, where every single website doesn’t rely on independently re-verifying every single detail about your life, anything you share with any website may eventually become public information.
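One way to run the audit described above, as an added example that is not part of the original post: it takes your own record of security answers, flags any answer used on more than one site, and replaces those with fresh random "lies". The site names, the sample record, and the assumption that sites compare answers ignoring case and spacing are all constructed for illustration.

```python
import secrets
from collections import defaultdict

# Constructed sample record of (site, question, answer); not real data.
SAMPLE_RECORD = [
    ("shop.example", "Mother's maiden name?", "Smith"),
    ("forum.example", "Mother's maiden name?", " smith"),
    ("bank.example", "First pet?", "Rex"),
    ("games.example", "Favorite teacher?", "q7Lw-0fKzX2mVb1A"),
]


def normalize(answer):
    # Assumption: sites compare answers loosely, so case and spacing
    # variants of the same word count as the same secret.
    return " ".join(answer.casefold().split())


def find_shared_answers(record):
    """Map each answer used on more than one site to the sites sharing it."""
    sites_by_answer = defaultdict(set)
    for site, _question, answer in record:
        sites_by_answer[normalize(answer)].add(site)
    return {a: sorted(s) for a, s in sites_by_answer.items() if len(s) > 1}


def replace_shared(record):
    """Return a copy of the record with every shared answer replaced.

    All sites holding a shared answer get a new one, since a leak at any
    of them exposes the value to the others.
    """
    shared = find_shared_answers(record)
    updated = []
    for site, question, answer in record:
        if normalize(answer) in shared:
            answer = secrets.token_urlsafe(12)  # 16 random characters
        updated.append((site, question, answer))
    return updated


if __name__ == "__main__":
    for answer, sites in find_shared_answers(SAMPLE_RECORD).items():
        print(f"answer {answer!r} is shared by: {', '.join(sites)}")
    for site, question, answer in replace_shared(SAMPLE_RECORD):
        print(f"{site}: {question} -> {answer}")
```

The output is the list of new lies to write down; keep it wherever you keep your passwords.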