Should companies that require the use of an email as a login ID be subject to legal tort lawsuits for engaging in risky security practices? Heck yes.
Actually, it ought to be illegal to require the use of an email. Congress, or state attorneys general, could you do something useful please? One year to fix this noxious practice, then allow small claims court damages of $1000 per person per month for those that fail to comply—things would get fixed very quickly.
Same email everywhere is just like the SSN risk
A lot of people rightly object to having the SSN (social security number or similar ID in other countries) tied to anything and for good reason—identity theft in particular.
Anyone informed enough to understand that ought to understand that using the same email or login ID across the web is the same type of single-ID security risk. Ditto for using the same password for any two things.
Many of us base our digital lives on our email address. Yet most web sites force us to use an email for our login ID, thus giving away half of the challenge of compromising an account (login ID + password), and creating a huge hassle when an email changes or must be changed across two dozen web sites.
With email known, malefactors out there need only hack the password portion, greatly simplifying the attack across dozens of web sites. And that’s a big deal when your password is compromised.
While most users use the same email even when not required, this stems in large measure from the requirement to do so: users have been trained into bad practices. In this way, these corporations actively degrade the security of billions of people.
There are services that allow you to generate many different emails that all get routed to your inbox. A simple scheme like email@example.com can do the trick, varying the website name and the number portions. But this is a high-overhead headache:
(a) for most of us, it’s a hassle to find such a service and to create/delete/maintain such emails, an ongoing burden;
(b) it is impractical for entering a login ID (thought + effort + typos), making it likely you’ll use auto-fill and thus create a far worse security hazard.
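As an added illustration of the per-site alias scheme described above (this is example code, not from the post or from any aliasing service), the block below derives a subaddress for each site from a readable site label and a counter, exactly as the post suggests, and goes one step further by appending a short keyed tag so that the alias used at one site cannot be guessed from the alias used at another. The mailbox name, domain and secret are constructed placeholders. The same block parses a received address back into its parts, which is how you find out which site leaked or sold the address.

```python
import hmac
import hashlib
import re
from typing import Optional

# Constructed values for the demo: a hypothetical mailbox and a per-user secret.
BASE_LOCAL = "alice"
DOMAIN = "example.com"
SECRET = b"constructed-secret-for-demo-only"

# alias layout: <base>+<site-label>-<NN>-<4 hex tag>@<domain>
ALIAS_RE = re.compile(
    r"^(?P<base>[^+@]+)\+(?P<label>[a-z0-9-]+)-(?P<counter>\d{2})-(?P<tag>[0-9a-f]{4})@(?P<domain>[^@]+)$"
)


def _label(site: str) -> str:
    """Normalise a site name into a lowercase, hyphenated label."""
    return re.sub(r"[^a-z0-9]+", "-", site.lower()).strip("-")


def _tag(label: str, counter: int) -> str:
    """Short keyed tag so aliases for different sites are not derivable from each other."""
    msg = f"{label}:{counter}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:4]


def site_alias(site: str, counter: int = 1) -> str:
    """Return the subaddress to register at `site`, e.g. alice+shop-mart-02-3f9a@example.com."""
    label = _label(site)
    return f"{BASE_LOCAL}+{label}-{counter:02d}-{_tag(label, counter)}@{DOMAIN}"


def parse_alias(address: str) -> Optional[dict]:
    """Split a received address into site label and counter, verifying the keyed tag.

    Returns None for a plain address, a foreign mailbox, or a forged/altered alias,
    so mail arriving at a valid alias can be attributed to the site it was issued for.
    """
    m = ALIAS_RE.match(address)
    if m is None or m["base"] != BASE_LOCAL or m["domain"] != DOMAIN:
        return None
    label, counter = m["label"], int(m["counter"])
    if not hmac.compare_digest(m["tag"], _tag(label, counter)):
        return None
    return {"site": label, "counter": counter}


if __name__ == "__main__":
    alias = site_alias("Shop Mart", 2)
    print("register with:", alias)
    print("mail to that alias came from:", parse_alias(alias))
    print("plain address:", parse_alias("alice@example.com"))
```

The counter is what lets you retire one alias for a site (after a breach, say) and issue the next without touching the others; because the tag is keyed, an attacker who learns `alice+shop-mart-02-....@example.com` still cannot construct the alias you use elsewhere.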
vs Different login IDs
If you could simply invent your own login ID (one that is not an email), you would not need any service, support or research. You would be able to use anything unique, in any nomenclature you’d like. These ahole companies are denying you that, making your life worse, not better.
Some might argue that login ID + password should just go away and be replaced with passkeys. That argument is strong at first glance, but wildly unrealistic for many years to come. Even for a tech nerd like me, I have no idea how to use it*, and in essence it can automate total destruction of your digital life should the phone be stolen.
* If you need a 30-minute video to explain it, it’s too fucking complicated.
Reader Tait S writes:
Since you are on the topic of security...
I've tried to preach password security before - the only times that really seemed to work were showing them places where their passwords are now known to bad guys:
MPG: great site, CHECK IT RIGHT NOW with your email.