Saturday, January 3, 2009

Where do dead passwords go?

What happens to your login password when you cancel a membership on a website?

I know that in some places, data retention laws require the user/pass to be stored for some period of time.

I'm curious about the overall safety of user information when in this state of limbo - unusable and inaccessible to the entities who presumably created/own that information, but of great interest to parties of less-than-benevolent motives?

Any sysadmins out there care to comment?


Justin said...

Funny you should bring that up. When I was a sysadmin we pretty much just went with inertia and only eliminated old user accounts when we had to do system restores and/or rebuild databases. I think it was Aeleen Frisch who used to say that one of the key characteristics of a good sysadmin was laziness and most of the good ones I've met had that in abundance. If it couldn't be automated, it didn't get done.

But what is even funnier about your timing on this is that as I was reading the Lifehacker thread on the demise of JournalSpace, this comment caught my eye: "This is the problem with 'The Cloud', some of it is managed by clods. And the consumers have no way of knowing where their data goes. I work on the server side of the brave new internet services and let me tell you, it ain't always pretty." That seems relevant here.