Security is something no one wants to deal with. Nobody wants to think they could be a target. Hacking used to be targeted; being a victim in the Internet age is beyond trivial, because it is a blanket attack instead of a targeted one. In an age where getting your Facebook account hacked is generally accepted, people haven’t found the need to step up their security. Hacking someone’s Facebook isn’t that offensive (yet), and we haven’t really seen a massive ID theft problem. Can we agree to stop the problem, and educate people about password security?
This series is not the end-all, be-all of security advice. This is general information that everyone should implement. I understand that I’m omitting a lot of information, but the goal is getting more people to start thinking with security in mind.
The main issue is that there is no punishment for either the company that allows the database to get stolen or the individual that allows it to happen. The closest we came to any sort of outrage was the PlayStation Network losing full account information, including credit cards, of most of their users. Not even pension systems getting hacked, or government records being released, has brought us to that level. Does anyone still care about WikiLeaks? Probably not, because it doesn’t affect you directly. Even getting your credit card stolen may only cost you $50, if that.
This is part 1 of many. If I had to come up with one thing that will make security better this is it. Get some sort of secure password manager, and let it manage your passwords.
If your password was compromised, it just proves the point you need another way to secure yourself. Sign up for LastPass with this code to get me a referral bonus: https://lastpass.com/f?76016
The two ways passwords get stolen are: 1) a database gets hacked, and 2) you give it to the bad guys. I know I’m being really broad here, but most attacks are done one of these two ways.
1) A database gets hacked: This is becoming increasingly common. Most sites were established years ago. In that time computers have increased in power (doubling every 18 months). The time it took to crack a password 6 years ago is almost trivial now. Your username and password are there for the taking. Hackers then try these user/pass combinations on other sites. If your password is password, chances are your password is password on all sites. Ask yourself, is your LinkedIn password the same as your Facebook password (both are social networks)? Even worse, is your password the same across everything?
2) You give the password out: Nobody just gives their password out. Well, not explicitly. What used to happen is you would get an email asking you to log in and change your password. You were socially engineered.
Look at the following questions Yahoo! challenges you with before it lets you back into your account. Remember, this is how former Alaskan Governor Sarah Palin was hacked.
Take a close friend of yours, or your ex-wife, and try to answer these questions. Farmville has full access to your Facebook profile through the permissions it asks for. Are these questions answered in your profile? Generally there is no limit to the number of attempts at secret questions, so from someone’s filled-in Facebook page, you can answer them. It will take some time, but how valuable is the information?
LinkedIn got hacked a month ago. Your resume is probably there. A lot of personal information is on your resume. Some clever social engineering can create a pretty accurate picture of who you are.
So what can you do?
The simple answer is to use a different strong password on each site, and choose secret questions with fake answers.
However, that isn’t feasible, because it is hard to remember all those passwords. I used to say to come up with a few different passwords and assign them levels of security. Have a common password for sites that need a password but hold no real personal information; you will have no problem if it gets compromised. Have a second for email and such that you would rather not leak, but that isn’t a huge hassle to change. Have a third that you will protect, never give out, and will have a huge crisis over if it does get leaked.
I’ve moved away from the few-good-strong-ones approach, and now fully recommend password managers. There are a ton of them, which is a problem: you have to trust the password manager. The biggest danger is that if someone cracks the password manager, ALL YOUR DATA is there. You really have to vet them. The idea is that it creates and stores the password for you, and inputs it when you are asked for it. As long as you can remember one super secure password, you are safe. Don’t just trust the one your teenage son’s friend made; really read into it. Some of them aren’t any more secure than having a Post-it note under your keyboard.
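To make the idea concrete, here is a toy vault that does the three things described above: generates a different random password (and a random fake secret-question answer) for each site, derives a key from one master password, and stores everything encrypted so that a wrong master password or a tampered file is rejected. This is an added illustration written for this post, not code from LastPass, 1Password or KeePass; it uses only the Python standard library, so the encrypt-then-MAC construction (an HMAC-SHA256 keystream plus an HMAC tag) stands in for the AES-GCM or ChaCha20-Poly1305 a real manager would use, and the 200,000 PBKDF2 iterations are an assumed, illustrative work factor.

```python
"""Toy password vault: one master password, unique random secrets per site.

Added illustration only (not any real password manager's code). Standard
library only; the stream-cipher-plus-MAC construction below stands in for the
authenticated encryption a production manager would use.
"""
import hashlib
import hmac
import json
import os
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation
PBKDF2_ITERS = 200_000          # assumed work factor; real managers tune this


def generate_password(length=20):
    """Cryptographically random password; a fresh one per site, never reused."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def generate_fake_answer(parts=4):
    """A 'secret question' answer that appears in nobody's profile."""
    return "-".join(secrets.token_hex(3) for _ in range(parts))


def derive_keys(master, salt):
    """Stretch the master password into an encryption key and a MAC key."""
    km = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, PBKDF2_ITERS, dklen=64)
    return km[:32], km[32:]


def keystream(key, nonce, n):
    """Counter-mode keystream built from HMAC-SHA256 as the PRF."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), "sha256").digest()
        ctr += 1
    return out[:n]


def seal(master, entries):
    """Encrypt the entries dict under the master password: salt|nonce|ct|tag."""
    salt, nonce = os.urandom(16), os.urandom(16)
    ek, mk = derive_keys(master, salt)
    pt = json.dumps(entries).encode()
    ct = bytes(a ^ b for a, b in zip(pt, keystream(ek, nonce, len(pt))))
    tag = hmac.new(mk, salt + nonce + ct, "sha256").digest()
    return salt + nonce + ct + tag


def open_vault(master, blob):
    """Verify the tag first (constant-time), then decrypt. Raises on failure."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    ek, mk = derive_keys(master, salt)
    expected = hmac.new(mk, salt + nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or vault tampered with")
    pt = bytes(a ^ b for a, b in zip(ct, keystream(ek, nonce, len(ct))))
    return json.loads(pt)


def new_entry(site):
    """One vault entry: unique password plus a fake security-question answer."""
    return {"site": site,
            "password": generate_password(),
            "secret_answer": generate_fake_answer()}


if __name__ == "__main__":
    # Constructed sample: two sites, each with its own random secrets.
    vault = {s: new_entry(s) for s in ("linkedin.example", "facebook.example")}
    blob = seal("correct horse battery staple", vault)
    print(open_vault("correct horse battery staple", blob)["linkedin.example"]["site"])
```

The only thing the user remembers is the master password; everything else is random, per-site, and unreadable without it, which is exactly the trade the post is recommending.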
My recommendation for this is LastPass (https://lastpass.com). They work on ALL platforms and browsers. They are free, and in my belief they are rock solid. They did everything right. If you want to hear my interview with them, you can listen to the inThirty show: The core functionality is free, but if you really get into security they have a $12/year option. If you like them, please use this code to get me a referral bonus: https://lastpass.com/f?76016
Second choice is 1Password from AgileBits (https://agilebits.com/onepassword). These guys have the UI down; it is a beautiful piece of software. The reason I didn’t start using them is that it was Mac only. Since then they have expanded to many platforms, though not as many as LastPass. For $40 they are rock solid and highly recommended.
Final choice is KeePass (http://keepass.info/). They may be the most secure. They are open source. This is a true Trust No One approach: you put your database on a USB key, and you have to always have it with you. It doesn’t support mobile (third-party apps only), and the UI leaves something to be desired, but this is the end-all, be-all.
Remember, security is difficult. It is inconvenient. It is not fun, nor something you want to think about. Just like backing up, there are a ton of better activities you can do rather than think about security. The goal is to make your life easier with the best security you can have.