A call to “standardised user account requirements” arms

We need to have a standard for management of user accounts.

Given the number of high profile companies that have been cracked into lately, I have been going through the process of closing accounts for services I no longer use.

Many of these accounts were established when I was more trusting and included real data. However, now, unless I am legally required to, I no longer use my real name or real data.

But I have been bitterly disappointed by the inability of some companies to shut down old accounts. For example, one service told me that “At this time, we do not directly delete user accounts…”. I also couldn’t change my username. Another service emailed my credentials in plain text.

To protect the privacy and security of all users, an enforceable standard needs to be established covering management of user accounts. It needs to be applied across the board to all systems connected to the internet. I know how ridiculous this sounds, and that many sites wouldn’t use it, but high profile services should be able to support something like this.

Included in the standard should be:

  • the ability to completely delete accounts (unless there’s some kind of legislative requirement to keep them, in which case only the data that is absolutely necessary should be retained)
  • the ability to change all details, including usernames
  • a requirement to encrypt and salt the password (that covers the credentials-in-plain-text issue noted above)
  • determine the minimum practicable data set that you need to maintain an account and only ask for that. If there’s no need to retain particular account details, don’t collect them. For example, I’ve never been contacted by phone by any of these companies, so why was I forced to enter a phone number?
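
What the four requirements look like when a service actually implements them, as an added example written for this post rather than code from any of the services mentioned. It assumes an in-memory store, a required data set of just `email`, and PBKDF2-HMAC-SHA256 with a per-account random salt as the password protection; none of those choices come from the post.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware
ALLOWED_FIELDS = {"email"}   # assumed "minimum practicable data set"


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt per account means two users
    with the same password still get different stored digests."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class AccountStore:
    def __init__(self):
        self._accounts = {}  # username -> record

    def create(self, username, password, **details):
        extra = set(details) - ALLOWED_FIELDS
        if extra:  # data minimisation: refuse to collect what is not needed
            raise ValueError(f"refusing to collect unnecessary fields: {sorted(extra)}")
        if username in self._accounts:
            raise ValueError("username already taken")
        salt, digest = hash_password(password)
        # Only the salt and digest are stored, never the password itself.
        self._accounts[username] = {"salt": salt, "digest": digest, **details}

    def verify(self, username, password):
        rec = self._accounts.get(username)
        if rec is None:
            return False
        _, digest = hash_password(password, rec["salt"])
        return hmac.compare_digest(digest, rec["digest"])  # constant-time compare

    def rename(self, old, new):
        """Usernames are just another detail and can be changed."""
        if new in self._accounts:
            raise ValueError("username already taken")
        self._accounts[new] = self._accounts.pop(old)

    def delete(self, username, retain=()):
        """Remove the account entirely; return only the fields a legal duty
        forces you to keep. Credential material is never retained."""
        rec = self._accounts.pop(username)
        return {k: rec[k] for k in retain if k in rec and k not in ("salt", "digest")}

    def exists(self, username):
        return username in self._accounts
```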

This is a short list from my frustrations today. Please comment to help me flesh it out with other things a properly supported user account management system should do.

And please let me know of your experiences with companies that were unable to properly protect your privacy and security.