After seeing another flurry of hacked/cracked Twitter accounts in my timeline (receiving DMs about something somewhere that somebody was supposedly saying about me, or seeing announcements that a hack/crack had occurred) I’m figuring that there’s a lot of folks out there who simply don’t understand how vulnerable their passwords can be, and who obviously haven’t been reading Mat Honan over the last few months in Wired.
You have a secret that can ruin your life.
It’s not a well-kept secret, either. Just a simple string of characters—maybe six of them if you’re careless, 16 if you’re cautious—that can reveal everything about you. [...] Thanks to an explosion of personal information being stored in the cloud, tricking customer service agents into resetting passwords has never been easier. All a hacker has to do is use personal information that’s publicly available on one service to gain entry into another.
This summer, hackers destroyed my entire digital life in the span of an hour. My Apple, Twitter, and Gmail passwords were all robust—seven, 10, and 19 characters, respectively, all alphanumeric, some with symbols thrown in as well—but the three accounts were linked, so once the hackers had conned their way into one, they had them all. They really just wanted my Twitter handle: @mat. As a three-letter username, it’s considered prestigious. And to delay me from getting it back, they used my Apple account to wipe every one of my devices, my iPhone and iPad and MacBook, deleting all my messages and documents and every picture I’d ever taken of my 18-month-old daughter.
The age of the password is over. We just haven’t realized it yet.
Since that awful day, I’ve devoted myself to researching the world of online security. And what I have found is utterly terrifying. Our digital lives are simply too easy to crack. [...] This summer I learned how to get into, well, everything. [...] Think of the dilemma this way: Any password-reset system that will be acceptable to a 65-year-old user will fall in seconds to a 14-year-old hacker. [...]
The age of the password has come to an end; we just haven’t realized it yet. And no one has figured out what will take its place. [...] The other thing that’s clear about our future password system is which trade-off—convenience or privacy—we’ll need to make. [...] We need to make that trade-off, and eventually we will. [...]
That shift will involve significant investment and inconvenience, and it will likely make privacy advocates deeply wary. It sounds creepy. But the alternative is chaos and theft and yet more pleas from “friends” in London who have just been mugged. Times have changed. We’ve entrusted everything we have to a fundamentally broken system. The first step is to acknowledge that fact. The second is to fix it.
If you are like most people, you mostly don’t think about a password again once you’ve chosen it, and you re-use it across lots of daisy-chained accounts. If so, you’re making it even easier for what happened to Mat to happen to you.
Security considerations regarding social engineering are one more reason, on top of the fundamental privacy reasons, why I don’t mention family members’ names, pet names or other background information when I blog, why I limit my use of cloud services for precious personal data like family photos, why I’ve learnt to encrypt the portions of my hard drives where I want to keep my secrets, and why I keep several more defensive blocks plus layers of redundant backups. If you’re interested in learning more about how to improve the security of your own online accounts after reading Mat’s article in full, check out some of the basics being taught in CryptoParty workshops (if there isn’t one in a city near you, they’ve made lots of information available online).