Account Reset Terror

Subject lines of emails from the end of last week:

I expect more emails like this over the next week. Only the last one — the blog post from my former employer Automattic — reflects a company taking appropriate steps:

We checked the accounts of 600,000 other users whose email addresses were included in the list. Since these users were not immediately vulnerable, we did not reset their passwords or send emails but will be enabling a notification in their dashboards so that they can assess the security of their passwords at their leisure and with all of this information in hand.

It is frightening that there were “over 100,000 accounts for which the password given in the list matched the password”. That is over 14% of the Gmail addresses that matched. Still, I’m not sure that justifies the other service providers wholesale resetting all the Gmail accounts that match.
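As an added illustration of the triage Automattic describes above (example code written for this post, not Automattic's or WordPress.com's own), the block below assumes the site stores only salted PBKDF2 hashes, checks each leaked email/password pair against that store, and sorts every address into one of three buckets: force a reset where the leaked password actually verifies, notify where only the address matches, and do nothing for addresses the site has never seen. The wholesale approach the other providers took amounts to putting every matching address in the first bucket. The account names, salts, iteration count and the leaked list are all constructed for the example.

```python
"""Triage a leaked email/password list against an account store.

Added example, not Automattic's code. Assumes the site stores only salted
PBKDF2-HMAC-SHA256 hashes, so a leaked password can be checked without the
site ever holding plaintext.
"""
import hashlib
import hmac
from dataclasses import dataclass

ITERATIONS = 50_000  # assumption: kept low for the demo, tune for production


@dataclass(frozen=True)
class Account:
    email: str
    salt: bytes
    pw_hash: bytes


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_account(email: str, password: str, salt: bytes) -> Account:
    # Addresses are normalised to lower case so leak entries with odd casing still match.
    return Account(email.lower(), salt, hash_password(password, salt))


def verify(account: Account, candidate: str) -> bool:
    # Constant-time comparison so the check itself does not leak timing information.
    return hmac.compare_digest(account.pw_hash, hash_password(candidate, account.salt))


def triage(store: dict[str, Account], leaked: list[tuple[str, str]]) -> dict[str, str]:
    """Return {email: action} for every distinct address in the leak.

    "force_reset" - the address is ours and the leaked password is the live one
    "notify"      - the address is ours but the leaked password does not verify
    "not_a_user"  - the address is not in our store
    """
    decisions: dict[str, str] = {}
    for raw_email, leaked_pw in leaked:
        email = raw_email.strip().lower()
        acct = store.get(email)
        if acct is None:
            decisions[email] = "not_a_user"
        elif verify(acct, leaked_pw):
            decisions[email] = "force_reset"  # reuse confirmed: overrides any earlier "notify"
        else:
            decisions.setdefault(email, "notify")  # never downgrade an earlier "force_reset"
    return decisions


def summarize(decisions: dict[str, str]) -> dict[str, float]:
    """Bucket counts plus the share of our matched addresses whose password was live,
    the ratio the post works out as 100,000 / (100,000 + 600,000)."""
    counts = {"force_reset": 0, "notify": 0, "not_a_user": 0}
    for action in decisions.values():
        counts[action] += 1
    ours = counts["force_reset"] + counts["notify"]
    share = counts["force_reset"] / ours if ours else 0.0
    return {**counts, "live_password_share": share}


# Constructed sample data: a tiny account store and a leaked dump.
SAMPLE_STORE = {
    a.email: a
    for a in [
        make_account("alice@example.com", "correct horse", b"salt-a"),
        make_account("bob@example.com", "hunter2", b"salt-b"),
        make_account("carol@example.com", "unique-and-long", b"salt-c"),
    ]
}
SAMPLE_LEAK = [
    ("Alice@Example.com", "correct horse"),   # reused password -> force_reset
    ("bob@example.com", "wrong-guess"),       # our user, password does not verify -> notify
    ("bob@example.com", "hunter2"),           # second entry proves reuse -> force_reset wins
    ("carol@example.com", "something-else"),  # our user, no match -> notify
    ("dave@example.com", "whatever"),         # not our user -> not_a_user
]

if __name__ == "__main__":
    decisions = triage(SAMPLE_STORE, SAMPLE_LEAK)
    for email, action in sorted(decisions.items()):
        print(f"{email:20} {action}")
    print(summarize(decisions))
```

The "notify" bucket is what separates the targeted approach from the wholesale one: those users get a dashboard prompt rather than a lockout, while only the accounts where the leaked password verifies are reset immediately.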

I have accounts on a large number of services. It feels like I’m now regularly getting more required password reset emails and “If you didn’t make this request, it’s likely that another user has entered your email address by mistake and your account is still secure.”

Are IMDb’s and Etsy’s approaches good? Do they help customers?

Are real solutions to today’s authentication challenges on the horizon?

