Friday, December 24, 2010

GTOW Email (Password) security

I know - I haven't written a GTOW in a long time.  Maybe this is my GTOQ (quarter).  This may be the most important one of the year though.

Over the past month or so several of my friends have had their Gmail or Hotmail accounts "hacked".  I've been lucky enough to avoid this peril and, being the IT security guy in residence among my circle of friends, I get asked about this quite often: how it happens, and how to prevent it.

The vast majority of these cases come down to password re-use.  Most people have very few passwords, or even just one, that they use for almost everything, from their Gmail account all the way to their bank.  The best of us normally have only a few.  The recent leak from the Gawker sites really highlighted this for many people.  Many use the same password on sites all across the net.  In Gawker's case the passwords were only used to comment on stories on their various sites, so not a lot of attention was paid to security (by either Gawker or their users); it doesn't seem very important.  The problem is that the leaked accounts contained email addresses and Internet handles, and the same passwords had been used elsewhere.  From that seemingly innocent password leak thousands of email and Twitter accounts were compromised.  I in fact have an account on Gawker, but since it has a different password than any of my email or social sites I was OK.

How to prevent this: don't use the same password.  Seems simple, but almost no one can remember a different password for every site.  What I recommend, in order of increasing security, are the following:

  1. Four or five different passwords of increasing security level.  One that is "open" - you use it only for things like the Gawker comment system.  Then a step up: sites that have a little personal info on you but nothing that could really be used to steal your identity or money.  Then a step up: social network sites.  Another for shopping or sites that keep your credit card info on file.  Finally one for just your bank, and a separate one for health info.  The point is that a leak at the bottom tier can't unlock anything above it.
  2. A mnemonic algorithm.   Such as this one
  3. A password safe and individual, highly secure, random passwords for every site.  This one sounds like a crazy pain in the butt, doesn't it?  Actually, it's not at all.  Here's the recipe:
I highly recommend KeePass, mostly because it runs on everything.  I mean everything: Windows/Mac/Linux, plus every smartphone, PDA and some things I've never even heard of.  This way you can have the app on your phone, work and home computers and even a USB stick.  I also recommend it because you can store the encrypted password data file anywhere you want.  I store mine on my Dropbox account.  I use Dropbox for the same reason I use KeePass: it works everywhere.  This way my current password data is available to me everywhere.  One caveat: once the file sits on Dropbox, the master password is the only thing between a Dropbox compromise and every credential in the file, so make it a long passphrase you use nowhere else (and if you also use a key file, don't keep it in the same synced folder).

KeePass also does two other things that make setting all this up worth the work.  First, it generates really strong random passwords at the click of a button.  Second, it types your user name and password into all of those sites for you (Auto-Type), so you never have to see or remember them.

Since setting this up I've taken to using a different random password on every site and system.  Oh, the other thing I forgot to mention: both KeePass and Dropbox are free.  Dropbox is also awesome because it copies your files to your local system whenever they are updated online.  That way even if you don't have Internet access you have the most recent copy available.
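To make the re-use argument concrete, here is an added example that is not part of the original post and not KeePass's own code.  It builds a constructed "leak" from a comment site that stored passwords in the clear, a constructed webmail provider that only holds salted PBKDF2 hashes, and then does what the attacker does with a dump: replay every leaked email/password pair at the webmail login.  The users, passwords and the `generate_password`/`entropy_bits` helpers are all assumptions made for illustration; `generate_password` mimics the approach of a password safe's generator (a CSPRNG picking independent uniform symbols) rather than reproducing KeePass's implementation.

```python
"""Constructed simulation of the Gawker-style chain: a low-value site leaks
plaintext credentials, the attacker replays them against webmail.
Every user, password and the 'leak' below is made up for illustration."""
import hashlib
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
PBKDF2_ROUNDS = 50_000  # kept modest so the demo runs quickly

# Constructed leak from a comment system that stored passwords in the clear.
LEAKED_COMMENT_SITE = [
    ("alice@example.com", "fluffy2009"),
    ("bob@example.com", "Summer!2010"),
    ("carol@example.com", "hT8$kq2!vLp0zR"),
]

# Constructed webmail users.  Alice and Bob reused their comment-site password;
# Carol used a separate random one from her password safe.
WEBMAIL_USERS = [
    ("alice@example.com", "fluffy2009"),
    ("bob@example.com", "Summer!2010"),
    ("carol@example.com", "Q9v!mZ3#xLw7pT2e"),
]


def _hash(password: str, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS).hex()


def make_webmail_db(users):
    """Build the provider's salted-hash credential store (never leaked here)."""
    db = {}
    for email, password in users:
        salt = secrets.token_bytes(16)
        db[email] = (salt, _hash(password, salt))
    return db


def check_login(db, email: str, password: str) -> bool:
    """The webmail login form: True when the password matches the stored hash."""
    rec = db.get(email)
    if rec is None:
        return False
    salt, stored = rec
    return secrets.compare_digest(_hash(password, salt), stored)


def credential_stuff(db, leak):
    """What the attacker does with the dump: try every leaked (email, password)
    pair at the webmail login.  Returns the accounts that fell."""
    return [email for email, password in leak if check_login(db, email, password)]


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Password-safe style random password: CSPRNG, independent uniform symbols."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing work (in bits) for a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


WEBMAIL_DB = make_webmail_db(WEBMAIL_USERS)

if __name__ == "__main__":
    fallen = credential_stuff(WEBMAIL_DB, LEAKED_COMMENT_SITE)
    print("Webmail accounts taken over with the comment-site dump:", fallen)
    pw = generate_password()
    print(f"Fresh random password: {pw}  (~{entropy_bits(len(pw)):.0f} bits)")
```

Alice and Bob fall even though the webmail provider did everything right on its end; the attacker never needed its hashes, only the other site's plaintext.  Carol's comment-site password is just as exposed, but it opens nothing else, which is the whole point of a different random password per site.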

Also, on top of all this password security, make sure that you fill in and regularly update the recovery options on your email accounts.  I can't overstate this.  I've had at least two friends who had ignored these items and had an amazingly hard time getting back control of their accounts.  Both Google and Hotmail allow you to specify another email address and/or a phone number where they can securely send you account recovery links, after you answer some security questions.  Those recovery channels are exactly what an attacker goes after too, so the recovery address needs its own password, different from the account it protects.

For God's sake, don't use your mother's maiden name (or any other personal data that can be looked up) as your security question!  The famous Sarah Palin email hack worked exactly this way: the account was reset through the recovery questions, and the answer (her high school, Wasilla High) was in every news profile of her.  That took some real hacker skill to guess, didn't it?  Even if you aren't famous, disgruntled employees or acquaintances can easily look up your home town and birth date, and have probably heard stories about your dog.  Don't do it.  If a site insists on a security question, answer it with another random string and keep that in your password safe alongside the password.

Happy holidays!

Posted via email from ninjahippie's (pre) posterous
