PayPal chief says his staff should remember their PayPal passwords. I say he's wrong

David Marcus, the President of PayPal, is upset with staff at the company's San Jose headquarters.

As VentureBeat reports, he chastised workers in an internal email, telling them to leave the company if they weren't prepared to install the PayPal smartphone app.

And, he said, you can clear off if you can't remember your PayPal password as well.

Here is part of what he wrote:

Part of David Marcus's email (with my highlighting)

In closing, if you are one of the folks who refused to install the PayPal app or if you can’t remember your PayPal password, do yourself a favor, go find something that will connect with your heart and mind elsewhere. A life devoid of purpose, and passion in what you do everyday is a waste of the precious time you have on this earth to make it better.

Hang on a minute, Dave.

Isn't not knowing your password actually a *good* thing?

If you know your password, chances are that you've chosen an easy-to-remember password. Or you're using the very same password in multiple places.

A much more sensible and safer approach would be to use unique passwords for every single account you use. That way, if your email password gets phished there is no danger that the bad guys will use those credentials to access, say, your PayPal account.

Indeed, I would go further and recommend that every password you use should not only be unique but be a complicated, hard-to-remember sequence of characters and numbers (or a gibberish phrase) that is never going to be guessed and would be arduous for even the most dedicated hacker to crack.

Of course, people don't need to remember their passwords if they are using decent password management software - which can store their passwords securely, and generate a new, random, complicated password every time they need one.

I, for one, have no idea what my passwords are for Amazon, PayPal, email, Twitter, the list goes on...

David - if you *know* your password rather than having a password management program to do that for you, I'm kind of worried.

If you do make the mistake of reusing passwords, you are running the risk of having your password compromised in one place (perhaps via a phishing attack or key logger) and then hackers using it to unlock your other online accounts.

Maybe it's time to try out some password management software like Bitwarden, 1Password, and KeePass to make your passwords both safer and easier to remember.

Poor old David Marcus hasn't been having a great week.

On Monday he tweeted that his credit card got skimmed during a visit to the UK.

Tweet from David Marcus, president of PayPal

Let's hope things get better for him soon, and that he realises forgetting his PayPal password might actually be a good thing.

3 Responses

  1. Darren Wall

    February 13, 2014 at 1:08 pm #

    What an utterly dickish email to send to your staff! I don't use the software which is made by the company I work for but I'm still able to find "purpose and passion".

  2. Ken Jennings

    February 13, 2014 at 5:41 pm #

    The problem is, and has always been, STATIC passwords stored on servers that we as users cannot control.

    No matter how hard we try to protect ourselves by having long complicated passwords or by changing them frequently, using password vault software, we will still be victimized when the hackers hack the servers we trust to store our passwords.

    If you want to get a bunch of money, do you mug someone on the street or do you rob a bank?

    If you want to get a bunch of passwords, do you hack someone's email account or do you hack Yahoo, or Target, or Comcast?

    We need to STOP using STATIC Passwords
    We need to START using One Time Passwords
    We need to CONTINUE our vigilance to protect our privacy and Identities

    Ask your server operators to STOP forcing you to use STATIC passwords

    http://privacybydesign.ca.com/60774412
    urqui.com
    @embedprivacy @urqui

  3. Purnendu Podder

    February 13, 2014 at 6:37 pm #

    Yeah, I agree with you Mr. Cluley, "not knowing your password is actually a *good* thing". I have accounts on 226 different sites and trust me I know the passwords of only a few of them. LastPass remembers all the passwords for me and I have more faith in it than I have in myself ;) …
