When we approach a system, we define an appropriate level of security based on how much risk we accept that data, or access to the service, may be stolen. The more important the service, the stronger the authentication and data protection must be.
So it is natural, for example, that a PayPal password will be stronger than a Minecraft password, because cracking the first causes more problems than gaining unauthorized access to the second.
What is more often overlooked is the link between accounts with different security levels. If two accounts are linked, the security level of the whole system is that of the weaker one.
If we have a strong 30-character password for our e-commerce account and we have linked it to an email account protected by a 7-character password, we have to assume that a malicious attacker will go after the weak email account and then use the password reset procedure of the e-commerce website, bypassing the high security of the account.
The same is true of the "secret question" in some password recovery systems. You can set a password that is impossible to crack, but it is actually easier to attack the forgotten-password system based on a question, with a little knowledge of the victim's life:
- What is your dog's name?
- What is your first school's name?
- What is the surname of your grandmother?
These are all questions that are easy to answer with a little social engineering, so (unless you have answered them with a long random string of characters) we must assume that the security of the account is not the long password but the answer to the secret question (and possibly the password of the email account used to receive the reset link).
Password managers also suffer from this problem. We use a password manager because we are not able to remember all the complex and different passwords we use for the many Internet services, so we store them in an encrypted vault protected by a master password and no longer worry about forgetting an account's password.
In this case, the security of all of your accounts rests on:
- how strong the encryption method of the password manager is
- how strong the master password used to protect all the other passwords is
- how well hardened your computer is against intrusion
If any of these points is weaker than the passwords stored in the password manager, we have to assume that the security of all of our accounts is the same as that of the weakest of them.
So it is always good to stop and make an assessment of our accounts' security, reconstructing the links between them to find weaknesses that may compromise even strongly secured accounts.
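The assessment described above can be made mechanical: model each account (and each recovery secret, such as a security-question answer or the machine a vault lives on) as a node with its own credential strength, draw an edge from an account to whatever can reset or reveal it, and take the minimum along every recovery path. The following is an added worked example, not code from the original post; the `Account` class, the `weakest_link` and `bypassed_accounts` functions, and the sample accounts and bit estimates are all constructed for illustration.

```python
"""Weakest-link assessment of linked accounts (added example, constructed data).

Each node carries the estimated work, in bits, needed to break its own
credential directly. An edge `recovery_via` means "this other node can be used
to reset or read the credential", e.g. the mailbox that receives reset links,
the secret-question answer, or the password-manager vault that stores it.
"""
import math
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Account:
    name: str
    own_strength: float                       # bits to break the credential directly
    recovery_via: List[str] = field(default_factory=list)  # nodes that can reset/reveal it


def password_bits(length: int, charset_size: int) -> float:
    """Rough entropy of a uniformly random password: length * log2(charset)."""
    return length * math.log2(charset_size)


def weakest_link(accounts: Dict[str, Account], name: str,
                 _path: Tuple[str, ...] = ()) -> Tuple[float, List[str]]:
    """Return (effective_strength, path) for `name`.

    An attacker may break the credential itself or walk any recovery route, so
    the effective strength is the minimum of the node's own strength and the
    effective strength of every recovery dependency. Nodes already on the
    current path are skipped, so mutual recovery (mail A resets mail B and
    vice versa) does not loop forever.
    """
    acct = accounts[name]
    path = _path + (name,)
    best = (acct.own_strength, list(path))
    for dep in acct.recovery_via:
        if dep in path:                       # cycle: already on this walk
            continue
        candidate = weakest_link(accounts, dep, path)
        if candidate[0] < best[0]:
            best = candidate
    return best


def bypassed_accounts(accounts: Dict[str, Account]) -> Dict[str, Tuple[float, float, List[str]]]:
    """Accounts whose recovery chain is weaker than their own credential.

    Maps name -> (own_strength, effective_strength, path to the weak link).
    These are exactly the accounts where a strong password buys nothing.
    """
    report = {}
    for name, acct in accounts.items():
        effective, path = weakest_link(accounts, name)
        if effective < acct.own_strength:
            report[name] = (acct.own_strength, effective, path)
    return report


# Constructed sample: the situations from the post, with illustrative bit estimates.
SAMPLE: Dict[str, Account] = {
    # 30 random printable chars, but resettable through the mailbox
    "shop": Account("shop", password_bits(30, 94), ["mailbox"]),
    # 7 alphanumeric chars; resettable via a secret question or a backup mailbox
    "mailbox": Account("mailbox", password_bits(7, 62), ["dog_question", "backup_mail"]),
    # "What is your dog's name?" -- a few guesses after a look at social media
    "dog_question": Account("dog_question", 10.0),
    # backup mailbox that in turn is recovered through the primary one (a cycle)
    "backup_mail": Account("backup_mail", 45.0, ["mailbox"]),
    # password manager: master password, and the laptop the vault is opened on
    "vault": Account("vault", 60.0, ["laptop"]),
    "laptop": Account("laptop", 50.0),        # host hardening, as an estimate
    # bank password is random and long, but it lives in the vault
    "bank": Account("bank", password_bits(30, 94), ["vault"]),
}


if __name__ == "__main__":
    for name, (own, eff, path) in bypassed_accounts(SAMPLE).items():
        print(f"{name:12s} own={own:6.1f} bits  effective={eff:5.1f} bits  via {' -> '.join(path)}")
```

Running the script reports that the e-commerce account is effectively worth about 10 bits (through mailbox and the dog's name), and the bank account about 50 bits (through the vault and the laptop it is opened on), regardless of their own 190-bit passwords. The bit figures are only placeholders for whatever estimate you trust; the point of the model is the minimum along the recovery graph, and the fix is to raise the weakest node on each reported path rather than to lengthen the already strong password.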