As an internet user, one thing you have to get used to is keeping track of the different user names and passwords spread across all of the accounts that you access daily. While it would be nice to be able to use just one name and password everywhere, and a lot of people do, it is not safe. So you must put up with the hassle of having different user names and passwords on the many web sites that you visit.
The problem with this, of course, is that you have to be able to remember all of the different ways to access these accounts. While there are programs that will encrypt your passwords so that you can access them for multiple sites, most people stick with a piece of paper and a pen. Or they may use the insecure approach of writing the password in a digital note in Notepad. Once again, like using the same credentials on many different web sites, this is not safe and should not be done.
But sometimes, when it comes to handling passwords and user names, the problem is not you but the web site that you signed up at. Even though a lot of security people are quick to blame the end user, sometimes the fault lies not with the user but with the web sites themselves. One example of such a security failing is when a web site asks for your user name and password through a channel like email. Or, if they do not do it through email, they may do it during a phone call that you have with the company. This is very bad policy and can lead to a major security breach.
Why is a company asking for your user name and password through email so bad?
To a lot of people who use the web, this may seem like a normal step to take. Why not let the company ask you for your user name and password? They are trying to help you and they need to be able to access your account. There is a big problem with that logic. For one thing, they should already be able to access your account without having your password or user name. The only reason someone would ask you for that is to be able to get into it later on. And that is another problem. If a black hat hacker knows that it is the policy of certain companies to do this, they will create a fake email and try to send it to you. It will look so real that you will not be able to tell if it is official or not. Every time you open an email from this company, you are going to hope that it is real and not fake. You do not even want to click on a link from an email to go to the web page. The fake email could be sending you to a web site that, again, looks just like the web site that you do business with.
The best procedure to avoid being caught in this trap is to go to the web site directly and access the account yourself. There is no reason why the administrator of a web site cannot get in themselves, so there is no reason for you to give them your user name and password. Also, as I just said in the previous paragraph, whether the email is official or not, do not click on the link. It is almost always safer just to go directly to the web site. The only exception that we have to this rule is when you first sign up for a web site and they send you the confirmation email. Most of the time it is safe to click on that link.
When it comes to the telephone, never give your user name and password away. Just as people can fool you through an email, they can do the same with a phone call. And it is easier to get away with because people are not expecting it. When you talk to someone directly on the phone, your guard comes down. You are not expecting a scam. But I am here to tell you that people run scams on phone lines too, so do not give your information away there either.
Hopefully I have shown you why it is important for companies not to ask for your user name and password through email or phone. If they do, and they refuse to change policy, consider doing business with someone else. It might be safer in the long run.