.. and there’s nothing important in my e-mail.
I’ve heard this a lot more than I’m comfortable with when talking to people. It’s just their e-mail, they don’t use it for anything important really, and there’s nothing confidential in there, so why not just use (or, even BETTER, re-use) a nice simple password so it’s easy to access?
Or why worry when your school has an e-mail breach?
There’s a lot people aren’t considering here:
- Password re-use. While I absolutely believe the password SHOULD be dead, there isn’t a suitably convenient and effective replacement. Mastercard is trying for selfie-based authentication, but we’ve seen that most facial recognition systems can be fooled by a photo, and if it’s just the single factor, then it’s PERMANENTLY compromised if it’s broken. Breach records and password analysis have repeatedly shown that people continue to re-use passwords, so once one is broken, what else is out there?
- Password and account recovery. This one is, to me, scarier than the above. So you’ve practiced good password hygiene, used a different password and it’s a nice strong one. You’re even using a password manager and don’t type it in, in case you get screen scraped. Now your e-mail is compromised, and whoever got in clicks the link to send the password to the recovery account, which is that same e-mail. Oops.
- Last (and probably least), people can now use your account for whatever: spam, malware, phishing. While it’s still relatively easy to fake this, a real account will pass more checks.
E-mail remains the gateway to a lot of information, regardless of its various levels of insecurity (unencrypted SMTP across untrusted networks with confidential data? WIN!). It needs protecting, and that’s why I’m so happy when I see services start to offer 2-factor authentication. It’s not as convenient, but having some kind of extra authentication, whether via SMS, an application on your smartphone, or a token, is one of the best defences you can have if and when someone gets the back-end database for your system.
It’s probably, depressingly, when.