Why Businesses Shouldn’t Know Your Password
Maybe you don’t regularly use an account, or maybe you had a momentary memory lapse. Whatever the reason, you click on “I forgot my password” and a familiar series of steps comes next, including security questions, authentication by email, authentication by text, and more.
They all lead to resetting your password.
Have you ever wondered why businesses don’t just give you your old password? One answer is that it’s safer to reset it. But there may be an even bigger reason: the business doesn’t actually know your password.
At AT&T, we handle all user passwords through something called one-way encryption. Using this technique, we cannot decrypt your password. Once it is encrypted, it stays encrypted. We cannot see the password or store it in plain text, not even a part of the password. When you enter your password at log-in, we encrypt the password you entered and compare it to your stored, encrypted password. If they match, you are logged in. As a result, you are the only one who knows your password.
Knowing how this works should help you be more aware of the authentication practices used by the businesses you interact with. It’s a way for you to better understand the security steps those businesses take. Here are some things you can do:
- Learn how companies protect sensitive information like passwords by asking if they use one-way encryption. We believe that one-way encryption is a safer way to manage user password and log-in data, but not all companies use the technique.
- To better protect yourself, use a different password for every account.If your password is taken from a single site, fraudsters will often try to use the same log-in information on other sites. Why? Because that’s what people often do!
- Save your passwords in a password safe or vault for ease of storage and security. There are free or inexpensive password tools for your smartphone, tablet, laptop or PC.
- If an organization sends you a message to change your password because of a security problem, verify the message is authentic and then change it promptly. And change any other passwords that might be similar.
While you can’t control the policies businesses deploy, if you’re aware of them, you can do more to protect yourself. You can also learn more about creating strong passwords here.