Saturday, January 19, 2013

An Unsettling Fact: Your Passwords Are Little Or No Use

Mat Honan's article 'HACKED!', in the December issue of WIRED magazine (p. 182), was a wake-up call for me and made me realize what a fool's paradise we are all living in, depending on assorted passwords for protection. As Honan notes, not even alphanumeric passwords of up to 19 characters protected him as hackers "destroyed my entire digital life in the span of an hour". His Apple, Twitter and Gmail accounts all went down, after which the hackers used his Apple account info to wipe his other devices, including his iPhone, iPad and MacBook (deleting all messages, documents and every photo ever taken of his 18-month-old daughter).

Since that awful day, Honan has devoted himself to researching online security. He has also learned how the hackers operate and how easily they can smash their way into anyone's system. As he puts it:

"Let's say you're on AOL. All I need to do is go to the website and supply your name plus maybe the city you were born in, info that's easy to find in the age of Google. With that AOL gives me a password reset and I can log in as you. First thing I do? Search for the word 'bank' to figure out where your online banking is. I go there and click on the 'Forgot Password' link. I get the password reset and log into your account. Now I own your checking account as well as your email."

He goes on to note that in the summer of 2012 he "learned to get into well, everything, with just 2 minutes and $4 to spend at a foreign website". The prizes? "Your Social Security number, your credit card and phone number."

He goes on to assert that the common weakness in all the attacks is the password, adding:

"Today, nothing you can do, no precaution you take, no long or random string of characters, can stop a truly dedicated and devious individual from cracking your account."

What the hell happened? Back in the olden days, say ca. 1993 when many were just getting on the web, passwords were useful because they covered only the most important applications, and you didn't have to make up or provide one for everything from buying books or wares online to just reading an online paper. Almost no personal information was in the cloud; "the cloud was barely a wisp at that point", to quote Honan. In effect, there was little payoff for the hacker crew. By 2000, that equation had changed.

First, with the avarice quotient ramping up near 2000, every online news source wanted to "monetize" itself, or at least to ensure that actual identities were behind the thousands of eyeballs on its news stories (so it knew how to direct advertising, popups, etc.). To do this the assorted online sources demanded that you provide an identity by "signing on", including an email address, a password and usually a bunch of other requested info. Thus was born the massive overuse of passwords and the possibility of being interlinked to other applications you used, say buying books at Amazon.com or signing up at iTunes for more iPod downloads.

In the above template, the email address morphed into a kind of universal login and served as a username just about everywhere. At the same time, people tended to use only one or maybe two passwords, and then often chose crappy ones like their dog's name or their wife's birthday in numerals. The combination of practices led to disasters such as the one Honan faced. Making it even worse, computer power massively escalated, along with the use of powerful cracking algorithms that could take down virtually any password. (This is also one reason I refuse to do any online banking: I do not believe the bank's systems can protect info to the degree needed!)

As Honan observes:

"In the age of the algorithm, when our laptops pack more power than a high end work station did a decade ago, cracking a long password with brute force computation takes just a few million extra cycles."

He adds, "What's shocking is that people still use such terrible passwords".

What are his DO's and DON'Ts?

His DO list:

1) DO enable two-factor authentication when offered. Thus, if you happen to log in from a strange location, you may have to give your first pet's name in addition to your normal password.

2) Give bogus answers to security questions. Think of them as a secondary password and just keep the real answers in memory rather than the cloud.

3) Scrub your online presence. Use sites like Spokeo and Whitepages.com which can get your information removed from databases. Of course, if you habitually use Facebook that's not much use.

4) Use a unique and secure email address for password recoveries. Obviously, if a hacker knows where your password reset goes, it forms a line of attack and you're vulnerable. So create a special and separate account you never use for communications.


Now, the DON'TS:

1) Re-use passwords. (If a hacker gets hold of one password, he then owns all your accounts.) You may have to keep a special notebook in which you write down the different passwords for all the different applications and sources you use.

2) Use a dictionary word as a password. DUH!

3) Use standard number substitutions. Think "p455wOrd" is a good password? Here's a clue: NOp3!

4) Use a short password. Every such short password, e.g. h6!r$q, is quickly crackable.

Well, you live and you learn. Honan lived and certainly learned and it's good he could share his tips and insights with the rest of us.

If we diligently apply Honan's do's and don'ts, we may limit the damage to our own systems if they get cracked, if not prevent the violation altogether. It would also vastly help if our government came out with stronger ID protection laws (like they have in Europe) instead of kowtowing to the business lobby and allowing every Tom, Dick and Harry to gain access to our most important info, including the all-important (and over-used) Social Security number!
