Stop using the ‘Register with Google’ buttons. You might want to stop using the ‘Register with Facebook’ buttons as well, depending on how valuable you find Facebook. If you stop using those, you are putting in place a simple strategy for reducing the chance of your email getting hacked.
There are reasons and there are exceptions. This quick post will explain those reasons, then list the exceptions. It will then give you a … let’s call it a strategy … for managing your numerous accounts despite not being able to use the ‘Register with…’ buttons. Maybe we can use some smooth marketing language to make this stick in your head. We can call it, ‘The #1 Thing You (yes, even you!) Can Do Today To Reduce Email Hacks (and losing your money and photos) By 50%!’. I might have definitely made up the 50% part. I don’t know if that’s the #1 thing you can do. Maybe the #1 thing is not using Google at all and using always-encrypted email instead.
The Value of a Hacked Email
Brian Krebs published a solid post about the value of a hacked email. I won’t be able to add much to that. Instead, I will talk about why linking your random website logins to your email account could be a bad idea.
If you are a normal person, you use your email (likely Google) for most things. Your email and your maps and your calendar are all linked together within some sweet Google server. You then use your email as the username on your social media accounts, your bank accounts, and your mortgage accounts.
I know you don’t use the same password on all those accounts, because that would be foolish.
If someone is able to get into your email account, they can do that clever “I forgot my password” on all your other accounts, and fairly quickly reset your passwords and “take over” your accounts.
If that happened to you and someone was able to quickly steal access to your Facebook, Twitter, Bank, Mortgage, Amazon, Netflix, and Credit Card accounts, which would you call first?
Once in, they can pilfer any message you sent. That information will reveal your family, maybe some contracts for your last few jobs, and maybe the contract on the house you are renting. Now they have your address history, your work history, maybe even your identification (NI or SSN) and many other bits of information.
Those bits of information are excellent for opening a line of credit. And boom, like that, they have taken a loan out in your name. Or they’ve transferred money out of your Paypal. Or maybe they are nasty and they decide to put malware on your computer and spy on you while you sleep. Sleep-fetishists are likely real.
Needless to say, scary. Fear makes people act. So, I want you to act smart. So, BE AFRAID, BE VERY AFRAID! They are in your brains right now. They see what you see.
— Okay, maybe not that bad —
Why ‘Register With Google’ Can Be Dangerous (on crappy sites)
Protecting your Google account is clearly important. Yet, you are giving people access to your Google account in exchange for access to sweet photos of cats or whatever. When you go to a site that doesn’t deserve a proper setup, you do the single sign-on thing with Google or Facebook.
It’s supposed to be safer, because you have fewer passwords to memorise and it reduces password reuse (the solution below… but wait, there’s more… the solution below… wait, I already said that.)
When you let a third party verify you through Google, you are granting that third party access to elements of your Google account. They use that information to build a profile of you (ugh, privacy!?). That’s not the point of this post. The point is that you are trusting that third party to protect itself.
Recently, Pokemon Go had a serious security problem wherein the app had access to the entire Google account of its users. On cruddy sites this can happen, and not by accident.
When a bad guy breaks into a website, that bad guy has access to the site’s EVERYTHING, including the file it uses to verify your Google information.
Now a bad guy can sort-of access your Google information. That’s WAY worse than a bad guy not being able to sort-of access your Google information.
Exception To The Rule
There is an exception to the rule. I call it Using A Fake Email Account. It’s not terribly complicated, and it goes like this:
- Set up a fake email account
- Don’t link it to your real email account
- Use that fake email account on all the ‘Sign Up With Google’ buttons
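To make the “I forgot my password” chain and the fake-email exception concrete, here is an added example (my own code, not part of the original post) that models your accounts as a graph of takeover links and computes how many accounts fall when one flimsy site is breached. The account names are a constructed sample, and treating a breached site’s leaked Google sign-in token as full control of the Google account is a worst-case assumption.

```python
"""Added example: the "I forgot my password" chain as a graph.
An edge A -> B means "whoever controls A can take over B" (A is B's
recovery email, or B was joined via 'Sign in with A' and stores the
resulting token). Account names below are a constructed sample."""
from collections import deque


def blast_radius(graph, compromised):
    """Every account an attacker ends up holding after taking over
    `compromised`: the transitive closure over the takeover edges."""
    owned = {compromised}
    queue = deque([compromised])
    while queue:
        account = queue.popleft()
        for nxt in graph.get(account, ()):
            if nxt not in owned:
                owned.add(nxt)
                queue.append(nxt)
    return sorted(owned)


# Scenario 1: one real Gmail is the username/recovery address everywhere,
# and a flimsy cat-photo site was joined via 'Register with Google'.
# The site -> gmail edge is the post's "sort-of access": a breached site
# leaks the token it holds for your Google account. Assumption: modelled
# here as a full takeover, the worst case.
ONE_EMAIL = {
    "gmail": {"bank", "mortgage", "facebook", "amazon", "cat-photo-site"},
    "cat-photo-site": {"gmail"},
}

# Scenario 2: the post's exception. A throwaway mailbox, not linked to the
# real one, is all the cat-photo site ever learns about.
THROWAWAY = {
    "gmail": {"bank", "mortgage", "facebook", "amazon"},
    "junkmail": {"cat-photo-site"},
    "cat-photo-site": {"junkmail"},
}


if __name__ == "__main__":
    for name, graph in (("one email", ONE_EMAIL), ("throwaway", THROWAWAY)):
        lost = blast_radius(graph, "cat-photo-site")
        print(f"{name}: cat-photo-site breach costs {len(lost)} accounts: {lost}")
```

Running it shows the breach of the same junk site costing every account in scenario 1 and only the junk site plus the throwaway mailbox in scenario 2.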
Strategy For Dealing With This
If you want to avoid the Google button business, you still need to manage dozens or hundreds of unique usernames and passwords. How the heck?
- Use a password manager. I recommend 1Password, but that’s because I love it. You can use KeePass or LastPass. (I won’t include links so you don’t think I’m doing this affiliate marketing thing. That’s not how I make money, but I want you to trust me, so Google that crap yourself.)
- That’s it. Just use a password manager, install its browser plugin, and use it for all sites.