If you tell enough stories, perhaps the moral will show up.



OK. Another good title would have been "Idiot." It's a lesson to me. The lessons for you are at the bottom.

It all seemed so reasonable. The screen on my phone was going mental and it had to go for repair. I don't know enough about Android to be sure I'd erased sensitive info and so instead I had to change passwords for every app I used: Facebook, Twitter, my Google account and my email too. Just good practice. The phone was going in on Monday, so that's what I did on Sunday night. I was quite proud of myself.

Now I'm not foolish. I know the risks. I wrote the new passwords down on a piece of paper, and tested them (Can you see where this is going? No, actually you can't. Read on.) My memory of that is very plain, though I was getting sicker minute by minute. I struggled back to town on the Monday, and spent the rest of the week pre-occupied with a really horrible cold.

Back in Kent on Friday night, I thought I'd try and catch up with a week's worth of Twitter timeline. Except I can't log on. Check the bit of paper. Try cAPS lOCK. Try spaces or a punctuation trick. Nope. Try Facebook -- straight in. OK, so it's a silly error, and all I need is a password reset. Off to my mail to pick it up -- can't log on. Arses. Nothing I can think of will get me in. I even have a cached Twitter logon, but it won't let me change my email without knowing the password. And that won't help me get my email password back.

This is the fundamental problem with free services. There's no escalation. And by this time I was getting seriously vexed. It didn't help my peace of mind that there's a spate of password "guessing" attacks against personal email accounts at the moment. Or that the help page for my email blandly told me that the reset would be sent to my secondary email when I didn't have one.

So it's a good thing that there's one thing I don't get free: domain hosting. I pay a very large fee to use the excellent EasyDNS. I don't go there often enough to remember my password, but they do have a recovery system, and they do have a telephone with actual people who could change the email address once I was able to prove identity. Once I could change the zone file for my domain I could haul my way back into my mail. Hurrah.

So, yes, what are the lessons?

  1. Obviously, you can't remember all your passwords. Duh!
  2. Writing them down ought to be good enough but it isn't. Empirically proven! (Idiot.)
  3. You need a plan. At the very least you need to be able to say routinely that all your password resets will come to some email account or other. Realistically that has to be your main account because the same address is used by most services for ordinary communication.
  4. You need a password on your main email account which is different from the password you use anywhere else. Why? Because if any other service has its user/password list stolen, the thieves'll be trying that password to get into your mail, and once they're in, they'll lock you out and steal your identity. A whole different nightmare, but quite common these days.
  5. You need another email account you can trust to receive resets on your main email. I have a good relationship with my employers so I'm using my work account. You might pick someone you can trust (but who doesn't have an engrossing interest in you -- that could go seriously wrong) and set up a mutual arrangement. Or Hotmail accounts seem pretty permanent these days.
  6. And finally, you need to CHECK the password recovery options every once in a while. This happened to me once before and the route back in was easy -- but it doesn't work any more. And when you have checked, you need to test.

No comments: