In the spirit of Little Brother I’ll post about a password stealing idea I’ve worried about for a while now: using email addresses as login names. It’s now a very widespread practice among webapps, and the reason is that they’re a convenient way to eliminate having to come up with and remember a unique identifier; in the process they make you give your email address away, which is a boon for marketing and for easily verifying who you are. In itself there’s of course nothing insecure about the practice, but the problem is that it makes registrations so simple and straightforward that suddenly they’re everywhere and you don’t think twice about them.

And the true problem is that a lot of people use one password everywhere, and the chances are high that many will choose the same password for the webapp du jour as for their lifelong email account.

So imagine an unscrupulous webapp maker who creates a popular webapp requiring registration and doesn’t hide user passwords from himself (there’s absolutely nothing but his own conscience preventing him). It is then a simple matter for him to run a script that tests each email address and password pair and coolly break into a good number of email accounts.
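The post says nothing but the operator’s conscience stops him from keeping the passwords; the engineering counterpart of that conscience is to never store the password at all. The following is an added example (not code from the post) of how a webapp that logs users in by email address can store only a salted, stretched hash, so that whoever reads the user table, the operator included, sees nothing usable against the user’s email account. It assumes PBKDF2-HMAC-SHA256 with a constructed iteration count, a simplified lowercase email normalization, and an in-memory `UserStore` standing in for a database; all of those are this example’s choices, not anything the post prescribes.

```python
"""Added example: storing login credentials for an e-mail-as-username webapp
so that nobody with database access can read the passwords back.
Standard library only."""
import hashlib
import hmac
import os
from typing import Dict, Optional

# PBKDF2-HMAC-SHA256 parameters (assumed values; tune to your hardware).
PBKDF2_ITERATIONS = 600_000   # deliberately slow so guessing is expensive
SALT_BYTES = 16


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Derive a salted, stretched hash and return a self-describing record
    'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'. Only this record is
    stored; the password itself is discarded after hashing."""
    salt = os.urandom(SALT_BYTES)          # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and iteration count and compare
    in constant time, so timing does not leak how many bytes matched."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False                       # malformed record, never a match
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def normalize_email(email: str) -> str:
    """Canonical form of the login name so 'Alice@Example.com ' and
    'alice@example.com' map to the same account (simplified assumption;
    RFC-wise local parts may be case-sensitive, in practice they rarely are)."""
    return email.strip().lower()


class UserStore:
    """Minimal in-memory account table keyed by e-mail address (constructed
    for this example; a real webapp would back it with a database)."""

    def __init__(self, iterations: int = PBKDF2_ITERATIONS):
        self._records: Dict[str, str] = {}
        self._iterations = iterations

    def register(self, email: str, password: str) -> bool:
        key = normalize_email(email)
        if key in self._records:
            return False                   # address already registered
        self._records[key] = hash_password(password, self._iterations)
        return True

    def login(self, email: str, password: str) -> bool:
        record = self._records.get(normalize_email(email))
        if record is None:
            # Hash anyway so an unknown address costs the same time as a wrong
            # password; otherwise response time reveals which emails have accounts.
            hash_password(password, self._iterations)
            return False
        return verify_password(password, record)

    def stored_record(self, email: str) -> Optional[str]:
        """Exactly what someone reading the user table would see."""
        return self._records.get(normalize_email(email))


if __name__ == "__main__":
    store = UserStore()
    store.register("alice@example.com", "hunter2")
    store.register("bob@example.com", "hunter2")   # same password, different record
    print(store.stored_record("alice@example.com"))
    print(store.stored_record("bob@example.com"))
    print(store.login("Alice@Example.com", "hunter2"))   # True
    print(store.login("alice@example.com", "hunter3"))   # False
```

Two things worth noticing when you run it: the two users who picked the same password get unrelated records because each gets its own salt, so the table does not even reveal that they share a password; and the record for a user holds nothing that can be replayed against that user’s email provider, which is the exact misuse the post describes. The per-user cost of the hash is what makes offline guessing slow; the iteration count is the knob, and it should rise as hardware gets faster.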