With all the debacle about the Sony security breach and concern about their perhaps less than stellar security handling, it may be a good time to think about our own handling of personal data.
Sony is not the first and will not be the last where customer information may be compromised. It has become big news because it is a high profile company, but our personal information may still be just as much at risk with low profile entities with less than stellar security policies or policies that are not enforced.
A concern for ourselves is how useful that information is at any single location. Do we have the same account name in multiple locations? Do we have the same password? Do we have the same account name, password and email address in multiple places? Is any of the information used in a gaming context also used elsewhere in other parts of our lives?
If a place has not totally crap security handling they will never have your actual password stored, but instead a hash of it: essentially a long number calculated from the password, which is different for different words and cannot be reversed to deduce the word from it.
Check what happens if you click on the “forgot the password” option most places have. If they will email or send you the actual password, then definitely think twice about using their services. Anyone that actually stores vital information in clear text that has no need whatsoever to be stored that way is a big potential disaster.
Places with better-than-crap security will always require you to create a new password in those cases, through a secure link. They should also send an email afterwards to notify you that the password has been changed, and send a notification when other important account information has been changed as well.
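The points above (store a hash rather than the password, and reset through a token rather than mailing the password back) put together as an added example. This is not code from the original post or from any of the companies mentioned; it is a small self-contained Python sketch using the standard library's PBKDF2 with a per-user random salt, an in-memory user table standing in for a database, and a constructed reset flow whose parameters (iteration count, token lifetime) are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory "database"; a real site would persist these records.
USERS = {}

# Parameters of this example (assumptions, not any vendor's settings).
HASH_NAME = "sha256"
ITERATIONS = 200_000        # slows down offline guessing if the table leaks
SALT_BYTES = 16
RESET_TOKEN_TTL = 15 * 60   # reset links expire after 15 minutes


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt means two users with the
    same password still get different stored values."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def register(username, password):
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "digest": digest, "reset": None}


def verify_password(username, password):
    record = USERS.get(username)
    if record is None:
        return False
    _, digest = hash_password(password, record["salt"])
    # Constant-time comparison so response timing does not leak matching prefixes.
    return hmac.compare_digest(digest, record["digest"])


def stored_record_contains(username, password):
    """True if the plaintext password appears anywhere in what is stored."""
    record = USERS[username]
    return password.encode("utf-8") in record["salt"] + record["digest"]


def start_password_reset(username, now=None):
    """Create a one-time, expiring reset token. Only the token (inside a link) is
    emailed; the site cannot email the password because it does not have it."""
    record = USERS.get(username)
    if record is None:
        return None   # the user-facing reply should still be the same for unknown accounts
    token = secrets.token_urlsafe(32)
    current = time.time() if now is None else now
    # Store only a hash of the token, so a leaked table cannot be used to reset accounts.
    record["reset"] = {
        "token_hash": hashlib.sha256(token.encode("ascii")).digest(),
        "expires": current + RESET_TOKEN_TTL,
    }
    return token


def complete_password_reset(username, token, new_password, now=None):
    """Accept the token only once and only before it expires, then replace the hash."""
    record = USERS.get(username)
    if record is None or record["reset"] is None:
        return False
    pending = record["reset"]
    current = time.time() if now is None else now
    presented = hashlib.sha256(token.encode("ascii")).digest()
    if current > pending["expires"]:
        return False
    if not hmac.compare_digest(presented, pending["token_hash"]):
        return False
    salt, digest = hash_password(new_password)
    record["salt"], record["digest"] = salt, digest
    record["reset"] = None   # single use: the same link cannot be replayed
    # A real site would send the "your password was changed" notification here.
    return True
```

The `now` parameter exists only so the expiry can be exercised deterministically; in production the clock is simply `time.time()`. The notification email mentioned in the post is the step a site adds right after a successful reset.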
In a gaming context account identities should really also be different from anything that is shown in public: character names, in-game IDs, forum names etc. I think Cryptic screwed up a bit when they by default made account names and global in-game IDs the same. Using email addresses as account names is not ideal either IMHO, at least not when other vital information may be stored in the account information.
It is good to see that two-factor authentication is being used in some places (e.g. the Rift authenticator). It will not help if someone manages to break through to a company’s servers, but at least someone will not be able to use information from some other place, or simply get in through brute force if you have a bad password. I really hope more places start to use this, at the very least as an option.
In a market with an increasing number of online games, F2P games to try out etc., we tend to leave digital footprints in more and more places. We should think about what kind of prints we leave behind in each of them.