Thursday, September 23, 2010

Proof that without privacy, security is moot, and strong passwords still matter

Elinor Mills writes the "Security Complex" blog on cnet.com. She was talking to the founder of People Security, a security consulting firm, when he said that it's easy to hijack email accounts. She challenged him to hack hers. She details the experience on her blog.

It's fascinating. He started knowing only her name and employer, and used mostly readily available, free resources to find information that might be about her. His big gun was Ancestry.com, which anyone can access either as a free trial or for a relatively cheap fee.

He had a time limit of an hour, which turned out to be not quite enough time. But Elinor continued what he'd started, and knows that with just a little more time he would have had access to her account. She also notes that, as someone who writes about security issues for a living, she is more security conscious than most, and probably a little harder to crack. But the amount of information that could be gathered in an hour was shocking, and all he was trying to do was figure out her email password.

Read the article. Ms. Mills' experience is strong evidence that without privacy you cannot have security, and vice versa. Being able to control who can access information about you is the only way to have privacy.