I thought I was done posting about security, but I realized today after using a brand new service that I have a security leak. Before I go into what I found, I want to link to my other three posts related to security. Start there.
- My Online Password Strategy (2014)
- Scan, Encrypt, Store, Delete, Shred: Going Paperless!
- Even More Security
As much as I thought I had locked down my security, I discovered a problem today. TechCrunch just posted the article Dashlane’s “Inbox Scan” Tool Uncovers The Passwords You’ve Saved In Your Email:
> Even if you create and use secure passwords with your various online sites, there are still a number of ways they can leak out. One area that’s often overlooked, according to password manager and digital wallet provider Dashlane, is email. That is, people often share their login credentials and plain-text passwords along with other sensitive data via email messages. That means if hackers get into your inbox, they can quickly gain the keys to a wide range of your accounts. And if you tend to re-use passwords, the damage could be even worse.
Before I got a password manager, I would store passwords in email. I think a lot of us have. When I first set up the password manager I removed a lot of those emails, but I’ve had a Gmail account since 2004. There are thousands and thousands of emails. Going through all of them would take months.
So I used the free Dashlane tool and in seconds all my email was scanned. 99 accounts were found, some with passwords. Even if the passwords aren’t there, all it takes is knowing which email address was used to sign up for a service and clicking its reset-password button to take the account over.
I’m almost done with 2005. This is going to take a while.
As I go through each account, I reset the password and then delete the emails. If I don’t use the account anymore, I will close it. When I complete the project, I will empty the Trash.
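The triage described above, scanning an old inbox for account-related mail and then working through the hits year by year, can be scripted against a local mail export. What follows is an added example, not the Dashlane tool and not code from the original post. It parses a handful of constructed sample messages (not real mail) and combines three signals a practitioner would use together: sign-up style subject lines, automated sender addresses, and a plaintext password in the body. The regular expressions, the sample addresses and the result field names are my own assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample mailbox (assumption: raw RFC 5322 messages, as a
# mail client's mbox export would contain). None of these are real mail.
SAMPLE_MESSAGES = [
    "From: ExampleShop <no-reply@shop.example.com>\n"
    "To: me@example.net\n"
    "Subject: Welcome to ExampleShop - your account details\n"
    "Date: Tue, 15 Mar 2005 10:00:00 +0000\n"
    "\n"
    "Thanks for signing up. Your username is me@example.net and your\n"
    "password is hunter2. Keep this email for your records.\n",

    "From: Example Bank <noreply@bank.example.org>\n"
    "To: me@example.net\n"
    "Subject: Please verify your email address\n"
    "Date: Mon, 03 Oct 2005 09:30:00 +0000\n"
    "\n"
    "Click the link below to verify your address.\n",

    "From: Recipes Weekly <news@recipes.example.com>\n"
    "To: me@example.net\n"
    "Subject: Spring recipes newsletter\n"
    "Date: Fri, 01 Apr 2005 08:00:00 +0000\n"
    "\n"
    "Here are this month's recipes.\n",

    "From: Alice <alice@example.net>\n"
    "To: me@example.net\n"
    "Subject: Re: lunch on Friday?\n"
    "Date: Wed, 20 Jul 2005 12:15:00 +0000\n"
    "\n"
    "Sure! Btw the office wifi password is guest123, don't share it.\n",
]

# Heuristics (assumptions): subjects that typically come with an account,
# automated sender local-parts, and a "password is X" / "password: X" phrase.
SUBJECT_SIGNALS = re.compile(
    r"\b(welcome|account|verify|verification|confirm|password|reset|"
    r"register|registration|sign[- ]?up|login|log in)\b",
    re.IGNORECASE,
)
SENDER_SIGNALS = re.compile(
    r"(no-?reply|donotreply|accounts?|support|notifications?)", re.IGNORECASE
)
PASSWORD_IN_BODY = re.compile(
    r"\bpassword\b[^.\n]{0,20}?(?:\bis\b|:)\s*([^\s.,;]+)", re.IGNORECASE
)


def _body_text(msg):
    """Collect the text/plain parts of a message (handles multipart too)."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload:
                charset = part.get_content_charset() or "utf-8"
                parts.append(payload.decode(charset, errors="replace"))
    return "\n".join(parts)


def classify(raw):
    """Return a triage record if the message looks account-related, else None.

    Only the fact that a password appears is recorded, never its value, so
    the triage report does not become another copy of the secret.
    """
    msg = message_from_string(raw)
    _, sender_addr = parseaddr(msg.get("From", ""))
    local, _, domain = sender_addr.rpartition("@")
    subject = msg.get("Subject", "")
    reasons = []
    if SUBJECT_SIGNALS.search(subject):
        reasons.append("subject")
    if SENDER_SIGNALS.fullmatch(local):
        reasons.append("sender")
    has_password = PASSWORD_IN_BODY.search(_body_text(msg)) is not None
    if has_password:
        reasons.append("password-in-body")
    if not reasons:
        return None
    return {
        "domain": domain.lower(),
        "subject": subject,
        "date": msg.get("Date", ""),
        "reasons": reasons,
        "has_plaintext_password": has_password,
    }


def inventory(raw_messages):
    """Group flagged messages by sender domain, oldest first within a domain."""
    found = {}
    for raw in raw_messages:
        hit = classify(raw)
        if hit is not None:
            found.setdefault(hit["domain"], []).append(hit)
    for hits in found.values():
        hits.sort(key=lambda h: parsedate_to_datetime(h["date"]))
    return found


if __name__ == "__main__":
    for domain, hits in sorted(inventory(SAMPLE_MESSAGES).items()):
        for h in hits:
            flag = "PASSWORD" if h["has_plaintext_password"] else "account"
            print(f"{h['date'][:16]:16} {domain:20} {flag:8} {h['subject']}")
```

Grouping by sender domain gives the per-service worklist the post describes (reset the password, delete the mail, close unused accounts), and combining the three signals is what catches the personal message with a password in it, which a subject-only scan would skip.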
This will provide greater peace of mind, but it still isn’t perfect. If a hacker gains access to your email and you have an email from your bank, they could initiate a password reset, because at that point they know who you bank with and with what email. I’m not sure how to defend against that attack, but for now getting a decade’s worth of potentially sensitive emails deleted is a good start to securing my inbox.
UPDATE 4/11/2015: Oh boy! After finishing the cleanup from the Dashlane tool, I found over 200 more emails connected to online accounts that were not detected. I’m cleaning up all these right now. Once finished, I think I have an idea to lock down sensitive accounts even if your inbox is compromised.