My Twitter account was hacked yesterday. I’m not sure how I was duped by a phishing scam. It could have been adding the Twitter Facebook app. It could have been trying to log in somewhere else using Twitter single sign on. Or a bot might have determined it from any other site I use.
Like many others, I have a small subset of passwords for stuff online. One for beta programs, one for moderately important stuff like photo accounts and one for really important programs like Mint and GMail. By hacking one password, someone can be granted access to a whole host of my accounts.
Compounding this issue, though, is that many of my accounts are linked through various services. Tumblr is tied to Facebook is tied to Twitter is tied to FriendFeed. GMail is tied to Google Checkout. Mint is tied to Citibank is tied to ING is tied to American Express and so on.
All these accounts are tied together for good reason. But using usernames and passwords as security for all this is like using a shoelace as a seatbelt in the Space Shuttle – it’s just not enough.
We need better security on the web. There needs to be multi-factor authentication, whether through audio, fingerprinting, using a web cam to take images or sending a PIN to a mobile phone – passwords and protocols like OpenAuth just aren’t enough anymore.
Web security must be handled at the OS level or, in the case of Chrome OS, at the browser level. Access a computer once through a very painful, secure mechanism which unlocks all the gates to every site.
While I’m waiting, I’ve started using the idea lent to me by a friend. I’ve created an algorithm to generate passwords for sites using the domain name. Not ideal, but it will work for now.
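The post does not describe the friend's scheme, so the following is an added illustration, not the author's code, of a domain-derived password generator. It assumes a normalization rule (strip scheme, path, port and a leading www., lower-case the rest) and keys the derivation with a master secret via HMAC-SHA256; a scheme that hashes only the domain with no secret would be reproducible by anyone who guesses the rule.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def normalize_domain(site: str) -> str:
    """Reduce a URL or bare hostname to a stable label so that
    'https://www.Example.com/login' and 'example.com' give the same
    password. Assumed rule: drop scheme, path and port, drop a leading
    'www.', lower-case the remainder."""
    # urlsplit needs a scheme or '//' prefix to treat the text as a netloc
    host = urlsplit(site if "://" in site else "//" + site).hostname or ""
    host = host.lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    if not host:
        raise ValueError(f"no hostname in {site!r}")
    return host


def derive_password(master_secret: str, site: str, length: int = 20) -> str:
    """Per-site password = HMAC-SHA256(master_secret, domain), base64-encoded
    and truncated to `length` characters. The domain is public, so the
    secret key is what stops someone holding one site's password from
    recomputing the others; losing the master secret still exposes all of them."""
    domain = normalize_domain(site)
    digest = hmac.new(
        master_secret.encode("utf-8"), domain.encode("utf-8"), hashlib.sha256
    ).digest()
    return base64.b64encode(digest).decode("ascii")[:length]


if __name__ == "__main__":
    # constructed sample values, not real credentials
    secret = "correct horse battery staple"
    for site in ("https://www.Example.com/login", "example.com", "twitter.com:443"):
        print(f"{site:32} -> {derive_password(secret, site)}")
```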