There has been an upsurge of interest in privacy and safety of late due to the NSA scandals, the Target store data theft, and now the eBay incident. I've happened to read a couple of technical articles on online security and thought you might be interested in what some experts are saying about what works and what doesn't.
If you really, seriously, need to communicate securely online, then there are some very advanced things you need to do that might actually foil the NSA, to say nothing of your spouse. However, for most of us, three simple rules can substantially lower the risk of problems.
1. Don't reuse passwords. This is the single most important thing you should do. The way many security problems arise is that somebody steals a file of user IDs and passwords. Since we typically use our email address as a user ID and use the same password on many sites, once a thief has such a file they just try each user ID / password combination on a variety of sites and exploit whatever success they have. It's hard to memorize a vast list of passwords, but at a minimum you should do the following:
Recommendation: Have distinct passwords for your primary email accounts, online banking and credit cards, and never use any of those passwords anywhere else. Following that rule insulates you from most of the bad consequences of most security breaches.
2. Use long but not complex passwords. A fad has developed for passwords with special characters (like "%") and complex rules about having numbers and upper and lower case letters. This is usually counter-productive. "$" and "A" are equally obscure to a computer. And the more complex our passwords have to be, the more likely we are to reuse them or to put them on sticky notes by our monitor or in a little book, thus creating a far more serious security issue. You might get away with this at home, unless you live inside the Lifetime Channel, in which case they will be stolen by someone no one will believe would do it.
On the other hand, longer passwords are harder to crack by brute force methods. So "Koiningsburg979" is a better password than either "Dog99" or "$z*f8)k".
There is one exception to this, and it involves passwords formed from common whole words. If your password is "FriedGreenTomatos" or "LucklessPedestrian" it can be subject to a "dictionary attack", where the hacker systematically runs through the dictionary trying every combination of common words. This is why some companies limit how many times you can flub your password before having to pay penance by dealing with their voice mail system (one might suggest this limit could be much higher than 3, however). Unless you have access to truly high value accounts (the controls for a nuclear power plant, or the American Idol voting) you are very unlikely to be the victim of this sort of attack.
Recommendation: Use longer passwords formed from some combination of easy to remember words and numbers. Consider words that are names, places, or otherwise not very common.
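Putting the brute-force and dictionary-attack reasoning above into numbers, as an added example that is not part of the original post. The character-class model, the 20,000-word size of the attacker's word list, and the number of common words assumed in each sample password are assumptions:

```python
import math
import string

# Character classes a brute-force attacker has to cover. The attacker is assumed
# to know only which classes appear and the length (model assumption).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}

# Assumed size of the "common words" list a dictionary attack iterates over.
COMMON_WORDS = 20_000


def brute_force_bits(password: str) -> float:
    """Bits of work to try every string over the classes the password uses:
    log2(alphabet_size ** length)."""
    alphabet = sum(len(chars) for chars in CLASSES.values()
                   if any(c in chars for c in password))
    return len(password) * math.log2(alphabet)


def dictionary_bits(word_count: int, trailing_digits: int = 0) -> float:
    """Bits of work to try every combination of common words, optionally
    followed by a run of digits, instead of raw characters."""
    return word_count * math.log2(COMMON_WORDS) + trailing_digits * math.log2(10)


def effective_bits(password: str, words: int = 0, digits: int = 0) -> float:
    """The attacker picks the cheaper model, so the weaker bound is what counts.
    `words` is how many common dictionary words the password is built from."""
    brute = brute_force_bits(password)
    return min(brute, dictionary_bits(words, digits)) if words else brute


def rank_by_strength(candidates) -> list:
    """candidates: iterable of (password, words, digits); strongest first."""
    ordered = sorted(candidates, key=lambda c: effective_bits(*c), reverse=True)
    return [c[0] for c in ordered]


if __name__ == "__main__":
    # The post's own sample passwords; word counts are constructed assumptions.
    samples = [("Dog99", 1, 2), ("$z*f8)k", 0, 0),
               ("Koiningsburg979", 0, 0), ("FriedGreenTomatos", 3, 0)]
    by_pw = {pw: (w, d) for pw, w, d in samples}
    for pw in rank_by_strength(samples):
        print(f"{pw:18} brute {brute_force_bits(pw):5.1f} bits  "
              f"effective {effective_bits(pw, *by_pw[pw]):5.1f} bits")
```

Run it and "FriedGreenTomatos" shows the caveat: about 97 bits against raw brute force but only about 43 once the attacker tries word combinations, roughly level with the 7-character symbol soup.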
3. Change your security questions. Those well-loved security questions about your first pet, first love or mother's maiden name have become insecure. With all the stuff we dump onto Facebook and other social media, it isn't going to be that hard to find out those facts about many of us. So choose more obscure security questions if given a choice, such as "State you first got arrested in" or something like that. Or start gaming the answers - for example, add "123" to the end of every answer so that your hometown is now "Edina123" and not "Edina."
While these three rules are not going to prevent a concentrated attack against you as a specific target, they will dramatically reduce your risk of being caught up in the massive data thefts we regularly hear about.
And if you really do want to be completely secure online? Get a computer (with cash) that has never, never been on the Internet at all, disable all the connectivity it has, reformat the hard drive, overwrite the unused file space multiple times, print out your correspondence on a printer you bought with cash on paper you've only handled with gloves on, and mail letters from random locations that have no surveillance cameras. That should work.
But to be completely serious: Do Not Reuse Your Passwords (to key accounts) – just please do that and you are likely to be safe for years.