The problem is that even people who follow good security guidelines are at risk.
For example, do you consider it reasonable to work on a laptop in Starbucks? I think most people would consider this quite reasonable, as long as they follow elementary precautions, like not doing anything confidential such as account maintenance, and not letting strangers peer over their shoulder while they are reading or writing email.
But consider this. Let’s assume (for definiteness) that you use gmail. When you are on your main ‘inbox’ screen, it just shows (mainly) a list of ‘subject’ fields. Nothing confidential there, and most people would think it quite reasonable to leave their laptop showing that screen while they sip their coffee.
So here’s the scenario. You are the good guy. The waiter is an opportunistic malfeasant (M).
While M is pouring your coffee, he happens to notice as one of the subject lines “Dreamhost Monthly Newsletter”. Just from that, M guesses that your are a Dreamhost customer.
Your Dreamhost account is now doomed … M will set in motion a train of events that, without any wrong behaviour on your part, will lead to penetration of your account.
M makes a mental note of your email address (which gmail shows prominently near the top right hand corner of the screen). He retires to the back office and brings up the Dreamhost login screen, enters your email address, and clicks on “please send me my password”.
He now knows that in about 10 seconds, an email will reach your inbox, and that you will naturally open it, and that it will say
Your DreamHost password is: whatever
You can now log in at https://panel.dreamhost.com/
If you didn’t request this email, don’t fret, the security of
your account has not been compromised. Somebody else must have
requested your password. That’s exactly why we email it to you
instead of just giving it out!
-The Happy DreamHost Passwording Robot[/quote]
He knows that he only has to read one word out of this email, and he knows exactly where on the screen it will appear, and with a lot of white space helpfully around it! He doesn’t have to peer over your shoulder, he need merely take a fleeting glance.
So he immediately returns to the vicinity, waits until he hears the “ping” which says “new mail has arrived”, and times it so that he re-fills your cup of coffee at exactly the moment when you are opening this email.
You, of course, are blithely unaware, since as Dreamhost is at that very moment telling you, “Don’t fret, the security of your account has not been compromised”. Maybe, just to be on the safe side, you look around to check that nobody was watching your screen. There is nobody there. Well, there is that waiter who re-filled your coffee a few seconds ago, and who is now attending to the next table … but there was only a split second during which he might conceivably have glimpsed your screen, not nearly long enough for him to have taken anything in … so nothing to worry about there.
Far fetched? Yes, a little. But possible. And so easy for Dreamhost to fix the loophole, which puts responsible and security-conscious customers at risk, and which no excellent web hosting company could possibly be proud of.