Weak password: it is your fault if your friends get spam.

You might think "What? How is it my fault if my friends get spam email? I'm not a spammer!". That's true, you are not. But there's more to it, that you just might not have thought of.

Introduction

More and more internet and email users are using web based email accounts to send ad receive their email. This is most likely because of the better HTML technology, faster processors and internet connections and greater availability of online connectivity (almost anywhere one can find some sort of way of getting online today). In the past,protocols such as POP and IMAP were most frequently used, which allowed the user to access email off-line, practically only from their own PC or Mac. However, not all users who have transitioned, have fully understood what this entails.

The main difference between accessing and having email on a web browser based system has to do with security. This post discusses risks such as password hacking, account abuse and the responsibility of the user's own contact database.

Address Books and Hackers

Most web based email systems have an address book associated with them. Most of them get automatically populated, which means that when a user sends an email to somebody for the first time, the address book automatically adds that email to the user's address book. This is a cool feature, as it will quickly and easily help you send emails to that person again: it is usually simply necessary to start typing their email address, and boom! the full email address populates automatically. These address books also usually have a pretty easy way to send an email to a group of contacts or to all contacts, making it easy to let all your friends know that you just had baby, or about your upcoming event (if you don't want to use social networks).

Now, here is where hackers come into the picture: why would somebody want to get into somebody else's email system? I can come up with at least three reasons:

1. To be able to read your personal email for some nefarious purpose;
2. To be able to send undesired emails (spam) to others without being caught;
3. To increase their list of valid email addresses to spam to (or sell to someone who spams).

Those who try to get into somebody else's email account, usually don't care about reading their personal email, unless it's a jealous boy/girlfriend, i guess, which would be small percentage. So we won't take that into account. Most of these people are, in fact, spammers: they want to be able to send spam emails from a valid email address, one that will let their email through all the anti-spam mechanisms out there. What better way than to use use the account of a trusted email user like you? And even better: they can send email to not only their already existing long list of email addresses, but also to all your friends, who will certainly not block emails coming from you! And then they can export this email list, and add it to their existing one, to keep spamming with other resources.

Responsibility

So who is responsible for all this? Well, certainly spammers are the first ones to blame. Given they are hard to find, there is little me and you can do to fight them, without investing a huge amount of time. Those who keep and maintain the web based email system usually (not always) do a decent job at not allowing unwanted access to their systems (otherwise they would be down most of the time). It's the users themselves who are mainly responsible by using weak passwords.

You create a new email account an put a password like "password" or "simple" or same as your username, or something else that is easy to guess, because you think otherwise you will forget it, and because who cares anyways, if they guess that password: there is no critical information in that email account anyways! Well, spammers have bots or scripts which crawl the web, automatically trying to get access to email accounts, trying to guess passwords based on dictionary words and simple algorithms. If your password is simple, chances are high it will be guessed, and your account will be hacked into. Everyone in your address-book will receive spam emails from now on.

The bottom line

When somebody gets into your account and gets ahold of your address-book because of a weak password, you have effectively (even though unwillingly) given away the private information (names and email addresses) of your friends without having asked for permission. This is a lack of respect toward them. Whenever we keep a database of personal information of our friends (which is what an address book is), we have to accept the risks and responsibilities: we either don't keep one, or, if we do, we should make sure this information is as secure as possible. Now, there is no need to go over-board and be paranoid: simply keeping your password complex and hard to follow is a huge step.

Always keep passwords complex: i generate different unique random passwords for each and every online system i use. This way, even if somebody where to get ahold of one password, only the data in that system will be compromised, and that password will be useless everywhere else. How do i remember all those passwords? I don't! We have computers to do that. There are plenty password management systems available which make life so much easier. These systems usually offer a very securely encrypted database where all the passwords are stored, kind of like a safe. So the user only has to remember one master password. They also usually offer various utilities, like the one to come up with random passwords to accommodate various requirements, and automatic form filling.

I use 1Password, which automatically fills out password information on trusted web sites with a keystroke. I love it, it really has changed my life. Now i never forget a password anymore... hem, actually, that's not precise: i always forget the passwords, but i know where to find them.

---

duckone version: 1.1.4