The risks of personal email accounts

Written by Brett Callow on February 3, 2009

In Are you giving away your password? Dan Blacharski blogged about the perils associated with using weak passwords or passwords based on information that is in the public domain:

We still wonder how people managed to hack into our email accounts – but a recent survey gives us the answer. Is your email password “Spot”? How about “Rover”? Oh, you’re a cat lover? Okay, then I guess “Fluffy.”

According to a survey on the people search website www.yasni.co.uk, 83 percent of British users responding to the survey use their dog’s name, or their own date of birth or maiden name as a password on private email accounts, or even worse, to log onto online banking.

But passwords are not the only problem; password reset information is equally as vulnerable to exploitation. You remember what happened to Sarah Palin, right? Her personal email account was hacked as the answers to the password reset questions for her Yahoo! email account (zip code, birthday and where she and her husband met) were all easily found online. At the end of the day, it didn’t really matter whether her password was “Fluffy” or “$up4r$str0ngP@$$w0rd” – the reset questions provided an easily exploited backdoor.

Worse still, once an email account has been compromised, other accounts can be compromised too. Last year, Herbert H. Thompson published details about how he used online information to gain access to a friend’s old college email account. That account enabled him to access her Gmail account. And the Gmail account enabled him to access her bank account. Herbert commented that his friend was disturbed that “Her whole digital identity sat precariously on the foundation of her college e-mail account; once I had access to it, the rest of the security defenses fell like a row of dominoes.” The fact is that people often do not realise that password resets can represent an extremely weak link in the chains that they create. They simply don’t think that mentioning “FluffyWuffy” in their blog could provide somebody with the means to hack their email account or bank account. Heck, most people probably don’t even remember what security questions were asked when they set up their email account all those years ago.
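The two weaknesses described above (reset questions whose answers are already public, and accounts that chain their recovery to one another) can be audited rather than guessed at. The following is an added example, not code from the original post or from any of the people it mentions: it models a person’s accounts as a small recovery graph, flags every reset question whose answer appears in a set of facts the person has already published, and then reports which accounts fall if one weak account is reset. The account names, the questions and answers, and the “public facts” set are all constructed for the illustration.

```python
"""Audit an account-recovery graph for weak links (added example, constructed data).

Each account lists the other accounts that can reset its password and the
knowledge-based questions that can do the same. A question is a weak link when
its answer is already discoverable (here: a constructed set of facts that the
account owner has posted on a blog or social profile).
"""
from collections import deque

# Constructed: things the owner has mentioned publicly (pet name, birthday, maiden name, home town).
PUBLIC_FACTS = {"fluffywuffy", "1975-02-03", "smith", "anytown"}

# Constructed recovery graph. "recovery_accounts" are accounts that can reset this one.
ACCOUNTS = {
    "college-email": {"recovery_accounts": [], "questions": {"pet name": "FluffyWuffy"}},
    "gmail": {"recovery_accounts": ["college-email"], "questions": {}},
    "bank": {"recovery_accounts": ["gmail"], "questions": {"mother's maiden name": "Smith"}},
    "work-vpn": {"recovery_accounts": [], "questions": {"first car": "Corolla"}},
}


def normalise(answer):
    """Lower-case and strip punctuation so 'Fluffy Wuffy!' matches 'fluffywuffy'."""
    return "".join(ch for ch in answer.lower() if ch.isalnum() or ch == "-")


def publicly_answerable(account):
    """Reset questions on this account whose answers are in the public-fact set."""
    return [q for q, a in ACCOUNTS[account]["questions"].items()
            if normalise(a) in PUBLIC_FACTS]


def root_weak_links():
    """Accounts that can be reset directly from public information."""
    return {acct for acct in ACCOUNTS if publicly_answerable(acct)}


def blast_radius(compromised):
    """Every account reachable by chained password resets from the given accounts.

    Edges run from a recovery account to the account it can reset, so a
    breadth-first walk from the compromised accounts follows the 'dominoes'.
    """
    resets = {acct: [] for acct in ACCOUNTS}
    for acct, info in ACCOUNTS.items():
        for recovery in info["recovery_accounts"]:
            resets[recovery].append(acct)
    seen, order, queue = set(), [], deque(compromised)
    while queue:
        acct = queue.popleft()
        if acct in seen:
            continue
        seen.add(acct)
        order.append(acct)
        queue.extend(resets[acct])
    return order


def foundation(account):
    """The chain of accounts this account ultimately rests on (its recovery ancestors)."""
    chain, current = [], account
    while ACCOUNTS[current]["recovery_accounts"]:
        current = ACCOUNTS[current]["recovery_accounts"][0]
        chain.append(current)
    return chain


if __name__ == "__main__":
    for acct in sorted(root_weak_links()):
        print(f"{acct}: resettable from public facts via {publicly_answerable(acct)}")
    print("bank rests on:", foundation("bank"))
    print("if college-email falls:", blast_radius(["college-email"]))
```

Run as a script it lists the accounts that can be reset from published facts, shows that the bank account rests on gmail and, beneath that, the old college mailbox, and walks the chain that a single reset of the college account opens up; the defensive use is to move the root of that chain onto an account with no knowledge-based recovery and to treat any question whose answer is in the public set as already answered.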

What companies should take away from this is that they shouldn’t permit their employees to use personal email accounts for business communications. The corporate email policy should make absolutely clear that all business communications must be sent through the company email and, ideally, a web filter should be used to block access to personal email accounts.
