Trusting others to protect you in a world where everything is connected.

The weekend before I wrote this post, Mat Honan, an otherwise savvy computer user and author, had his digital life erased. Why did the hacker(s) target him, you ask? According to Mat, “He said the hack was simply a grab for my three-character Twitter handle.” Really? So it’s just not possible to figure out why anyone might choose to hijack your identity. You just have to make the effort to protect yourself and not rely on third parties’ policies and people to do it for you.

So what was the outcome of Mat’s ID theft? He lost access to his iCloud & Google accounts. His iPhone, iPad and MacBook Air systems were remotely wiped. The most publicly damaging effect was that Mat’s Twitter account was hacked, which gave the hacker access to the Gizmodo Twitter account (the two were linked) and allowed some very hateful tweets before the account was suspended to protect it. For Mat, the most damaging loss was all the photos of his 1-year-old daughter. Like every one of us at some point in our lives, he didn’t have a backup of an important piece of information.

First, in fairness to Mat, the method used by the hackers is an end-run around two companies’ security and policies. So, it is unreasonable to expect him to have known in advance of the possibility. I commend Mat for sharing his experiences online. It is very hard to be public about events like this, but he gives us all the ability to learn more about how to protect ourselves. One take-away from Mat’s experience is this:

Create compartments out of your online existence and keep them separate.

A place for everything…

Image: Fellowes

What does this mean? Well, nearly every site we visit gives us the opportunity to link our online identities together. On the surface, this feels like a great time saver and a real convenience. And in a perfect world, that is exactly what it is. But until this world is perfect, the reality is that whenever we let one company have access to another part of our online existence, we open up a new opportunity for a hacker to exploit and steal our online identity.

“So,” you ask, “how am I supposed to keep all the parts of my online life separate?” It sounds complicated, but it can be simpler than you expect. There are four basic principles to keeping yourself safe online.

TL;DR version:

  1. Don’t connect accounts together unless you really need to.
  2. Set up an e-mail account that is only for recovering passwords, with a username you don’t use anywhere else.
  3. Try not to reuse passwords. If you must, have at least 3, each one more secure than the last, to protect you on different kinds of sites.
  4. Optional: Choose a good password utility to create and store passwords for you.

For the details and explanations of how and why to do the above steps, read on…

1. Limit linking your accounts to just the accounts and sites that you must use.

When a site like TripIt asks if you want to use your Google account to login, your first thought is “Why shouldn’t I? That’s so much easier than creating one more login to go with the 80 I already have.”

For every opportunity like this, you have to look at each site and ask yourself these questions:

  1. What benefit do I really get by letting this site have access to my Facebook/Twitter/Google/etc. account?
  2. Do I trust the operators of this site enough to grant them permission to use my FB/T/G account?
  3. What is the risk to me (or my family or my business) if this site screws up and my account is compromised?
  4. Do the benefits of linking my accounts to this site outweigh the risks?

You can go through all 4 of these questions in less than 5 seconds. In many cases, you will decide that, yes, it is worth it to give them access to your other account. If that’s the case, great! Whenever possible, grant access through one of the sites above. Why? Because sites like Facebook, Twitter and Google never give another site your username and password. Like the bouncer at an exclusive club, they put the site “On The List” of people allowed in.

This is a Very Good Thing, because if you ever decide that you don’t want to give a site access to your account, you just revoke it at Twitter or Facebook or Google and that site is cut off right then and there from your account. You don’t have to go and change your Gmail password to cut off one site and then update your password with every other site that you still want to have access to your Gmail account.

2. Set up a separate e-mail account that you only use for account recovery.

It is very likely that you use the same username in many places. Maybe the same one everywhere if it’s unique enough. Why? Because nobody (me included) wants to remember 150 different usernames. Plus, in today’s online world, your online identity is becoming your brand, meaning that when people can recognize you on a user forum somewhere, you are automatically granted credit for the reputation you’ve worked hard to build elsewhere on the internet.

In Mat’s case, his username was identical on two sites, even though one company obscured most of the e-mail address. So the hackers were able to guess (correctly) the address and reset his password without him ever seeing the e-mail saying that the password had been changed. This is what gave the hackers the head start in ruining Mat’s online life.

Set up an e-mail account with a completely different username (and password) than what you use everywhere else. Use only this account as the recovery address on your Google or Twitter or Facebook account, or on any site that offers a “secondary e-mail” account for password recovery.

Don’t set up an alternate e-mail address on this account, but make sure that the password you use is secure and unforgettable. If it’s available, use two-factor authentication. This method of login requires not just your password, but also a piece of information that you have on you. Google’s page does a good job of explaining the process.

Why do this? Because you’ve just made a compartment for recovering your passwords that can stop a hacker from getting all the way into your digital existence. Here’s how this protects you:

A hacker gets into your account on some site where you have a login. Next they want to change the password on your Gmail account, but they know they can’t do that without you noticing, because Google has a security feature that sends a mail to your alternate e-mail address tipping you off immediately that your password was changed. So they want to hack into the alternate account too before they hijack your Gmail account. Most sites will obscure part of the alternate e-mail address, but if your alternate shows as j*****, the hacker only has to try the password they’ve already successfully used and they have a good probability of getting in (I reuse certain passwords, and I’d guess most of us do).

But if you use a completely unrelated login and password, the hacker will see something like r*****. What chance do they have of guessing your login now and hacking your alternate account? Nearly none. Because you don’t use this account for anything but password recovery, there won’t be a trail on the internet where you’ve posted messages to a user forum or photos on Flickr.
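An added example, not code from the original post: a small self-audit of the compartment rule above. Given the username you use publicly and the address you registered for password recovery, it reproduces the kind of masked hint a reset page shows (a constructed approximation of the “j*****” style, not any particular provider’s format) and flags the ways that hint, combined with your public username, could narrow the recovery address down. The function and field names are assumptions.

```python
# Added example: audit whether a recovery address is really a separate
# compartment from the username you use everywhere else.
from dataclasses import dataclass, field


@dataclass
class RecoveryAudit:
    hint: str                       # what a reset page would show, e.g. "j*****@example.com"
    compartmentalized: bool         # True when no reason was found
    reasons: list = field(default_factory=list)


def masked_hint(address: str) -> str:
    """Constructed approximation of the 'j*****' masking described in the text:
    first character of the local part kept, the rest replaced by asterisks."""
    local, _, domain = address.partition("@")
    if not local or not domain:
        raise ValueError("expected an address of the form local@domain")
    return f"{local[0]}{'*' * max(len(local) - 1, 1)}@{domain}"


def audit_recovery_address(public_username: str, recovery_address: str,
                           reused_password: bool) -> RecoveryAudit:
    """Flag every way the recovery address leaks back to the public identity.
    reused_password: True if the recovery mailbox shares a password with any
    other account (the text's 'I reuse certain passwords' case)."""
    reasons = []
    local = recovery_address.split("@", 1)[0].lower()
    user = public_username.lower()
    if local == user:
        reasons.append("recovery local part is identical to your public username")
    elif local.startswith(user) or user.startswith(local):
        reasons.append("recovery local part shares a prefix with your public username")
    elif local[0] == user[0]:
        # The masked hint reveals the first letter, so a matching initial
        # invites the guess that it is the same username again.
        reasons.append("masked hint shows the same first letter as your public username")
    if reused_password:
        reasons.append("recovery account reuses a password used elsewhere")
    return RecoveryAudit(masked_hint(recovery_address), not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample accounts, not real ones.
    for username, recovery, reused in [("jsmith", "jsmith@example.com", True),
                                       ("jsmith", "rq7kvn@example.com", False)]:
        result = audit_recovery_address(username, recovery, reused)
        print(result.hint, "compartmentalized:", result.compartmentalized, result.reasons)
```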

3. Try not to reuse passwords.

Easy, right? Just create a new password for every site you visit. That’s not reality. I can’t remember 580 different passwords and it’s a rare person who can commit more than 10 highly secure passwords to memory. (Yes, I know you’re the exception. Congratulations on that, but the rest of us humans need a way to cope).

A suggestion is to think about a way to break up your passwords into compartments. One possible way of dividing your passwords up is this:

  1. The site made you create a password, but it’s only to track that you logged in. (Low risk)
  2. The site has postings on it that are attributed to you. Someone masquerading as you could make you look bad. (Medium risk)
  3. The site has access to your financial information or bills. Someone could steal your money or ID. (High risk)

So if you divide up your online life this way, you would create a minimum of 3 passwords, one for each type of risk.

If anyone hacks the low risk password, all they can do is read the longer version of the stories on some news sites. No big deal otherwise. The password should still be good (not the name of your dog), but you use it only on low risk web sites.

The same goes for the medium and high risk sites, but you put in more effort to make the passwords much harder to guess or crack. After all, these passwords are protecting your reputation and your money.

How to create good passwords has already been covered on the internet before. I encourage you to read one of these articles and see if you want to keep your current passwords or not.

4. Optional: Choose a good password utility to create and store passwords for you.

Regardless of whether you’re a Windows, Mac or Linux user, there are several very good password utilities out there that can help you create, store and remember your passwords.

The primary advantage of these utilities is that they are the “virtual post-it note” for all your passwords. They make it very easy to save your passwords in a secured place on your computer. They are also a quick reference for when you’ve forgotten a password.

The things to look for in a Password Utility are:

  1. Does it secure all your password data with a password? (Seems obvious.)
  2. Does it work with your browser to automatically save new passwords? (Saves a lot of copy/paste.)
  3. Does it let you back up your password data to another file (still secured by a password)?
  4. Does it help you create good passwords and show you how secure the password you’re using is?
  5. Bonus: Does it allow you to save your passwords to a website so that you can get to them when you’re not at your computer?

The most useful feature is working with your existing browsers to catch new passwords for you and putting them into the file. This is a real time saver and it makes it much more likely that you’ll use the utility.

The most necessary features are keeping your passwords in a secured file and helping you create strong passwords.

Where to go from here

Mat’s experience wasn’t unique, and though the hackers’ real purpose was just to cause him significant grief, the outcome could have been even worse. Viruses spread under your name or money drained from your bank accounts are two possibilities that come to mind.

Protecting yourself online isn’t too difficult. It just takes some basic preparation to make it difficult for a hacker to get into your online existence.

I hope you use the tools and techniques in this article for doing exactly that.
