Sunday, May 25, 2014

Protecting your identity online

There has been an upsurge of interest in privacy and safety of late due to the NSA scandals and to the Target store data theft and now the Ebay incident.  I've happened to read a couple of technical articles on on-line security and thought you might be interested in what some experts are saying about what works and what doesn't.

If you really, seriously, need to communicate securely online then there are some very advanced things you need to do that might actually foil the NSA to say nothing of your spouse.  However, for most of us, three simple rules can substantially lower the risk of problems.

1.  Don't reuse passwords.  This is the single most important thing you should do.  The way many security problems arise is that somebody steals a file of user ids and passwords.  Since we typically use our email address as a user id and use the same password on many sites, once a thief has a file they just try the userid / password combination on a variety of sites and exploit whatever success they have.  It's hard to memorize a vast list of passwords, but at a minimum you should do the following:

Recommendation: Have distinct passwords for your primary email accounts, online banking and credit cards and never use any of those passwords any place else.

Following that rule insulates you from most of the bad consequences of most of the security breaches.

2.  Use long but not complex passwords.  A fad has developed for password with special characters (like "%") and complex rules about having numbers and upper and lower case letters.  This is usually counter-productive.  "$" and "A" are equally obscure to a computer.  And the more complex our password has to be the more likely we are to reuse them or to put them on sticky notes by our monitor or in a little book, thus creating a far more serious security issue.   You might get away with this at home, unless you live inside the Lifetime Channel, in which case they will be stolen by someone no one will believe would do it.

On the other hand, longer passwords are harder to crack by brute force methods.  So "Koiningsburg979" is a better password than either "Dog99" or "$z*f8)k"

There is one exception to this and it involves passwords formed from common whole words.  If your password is "FriedGreenTomatos" or "LucklessPedestrian" it can be subject to a "dictionary attack" where the hacker systematically runs through the dictionary trying every combination of common words.  This is why some companies limit how many times you can flub your password before having to pay penance by dealing with their voice mail system (one might suggest this limit could be much higher than 3, however).

Unless you have access to truly high value accounts (the controls for a nuclear power plant, or the American Idol voting) you are very unlikely to be the victim of this sort of attack.

Recommendation: Use longer passwords formed from some combination of easy to remember words and numbers.  Consider words that are names or places or not very common.

3.  Change your security questions.  Those well-loved security questions about your first pet, first love or mother's maiden name have become insecure.  With all the stuff we dump onto Facebook and other social media, it isn't going to be that hard to find out those facts about many of us.  So choose more obscure security questions if given a choice "State you first got arrested in" or something like that.  Or start gaming the answers - for example, add "123" to the end of every answer so that your hometown is now "Edina123" and not "Edina."

While these three rules are not going to prevent a concentrated attack against you as a specific target they will dramatically reduce your risk of being caught up in some massive theft of data we regularly hear about.

And if you really do want to be completely secure online?  Get a computer (with cash) that has never, never been on the Internet at all, disable all the connectivity it has, reformat the hard drive, overwrite the unused file space multiple times, print out your correspondence on a printer you bought with cash on paper you've only handled with gloves on and mail letters from random locations that have no surveillance cameras.  That should work.

But to be completely serious: Do Not Reuse Your Passwords (to key accounts) – just please do that and you are likely to be safe for years.

No comments:

Post a Comment