The story of how Mat Honan’s accounts were hacked has been floating around for several days now. It’s an unfortunate combination of unpreparedness, social engineering, lax personal security and, worst of all, lax corporate security.
It’s definitely worth a read because there are more than likely several parallels from which we can all learn. Mat has offered himself as a cautionary tale, so take advantage of his experience to shore up your own security.
To their credit, Amazon has changed the policy that allowed account changes by phone, and Apple has suspended the reset-by-phone process, both of which were used to gain access to Mat’s accounts. You better believe his high Intertubes profile led to those swiftly taken actions. Thanks for that Mat, we owe you one.
One of the bigger lessons Mat gives is to use 2-factor authentication wherever you can. Google offers this for their accounts, and today, I finally enabled it, years after Matt Topper (@topperge) encouraged me to do so. Better late than never, right?
I already use 1Password to keep my passwords strong and unique, so 2-factor authentication seemed like excess. It’s not; you really should have both.
And yes, they’re both super inconvenient, but you get used to taking extra steps. Once you’ve made the plunge, you begin to wonder how you ever lived without them.
It’s definitely worth the annoyance to be safer. No one is ever completely safe, yet another reason not to make enemies on the internets. A motivated hacker can burn you to the ground in hours, so be nice because you never know who’s on the other end of your flames.
One final note: some sites have taken security too far by preventing pasting into password fields by blocking the onpaste event. This is highly irritating and usually represents a bogus sense of security, as evidenced by the sadly ill-conceived password schemes of some of these sites.
Anyway, this prevents 1Password from working effectively. Thankfully, there’s a handy way to strip this out using a bookmarklet.
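The kind of bookmarklet referred to above, as an added example that is not the post’s own code: it strips the inline onpaste handlers from a page’s password fields so a password manager can fill them, and wraps itself as a `javascript:` URL. The fake document at the end is constructed so the example runs outside a browser; on a real page you would pass `document`.

```javascript
/* Strip inline onpaste blocking (attribute and property) from every password
   field in `doc`. Returns the number of fields changed, so you can tell whether
   the page was actually blocking paste. Block comments only: a bookmarklet
   loses its newlines, and a // comment would swallow the rest of the code. */
function unblockPaste(doc) {
  const fields = doc.querySelectorAll('input[type="password"]');
  let changed = 0;
  for (const el of fields) {
    let touched = false;
    if (el.getAttribute('onpaste') !== null) {
      el.removeAttribute('onpaste');   /* <input onpaste="return false"> */
      touched = true;
    }
    if (typeof el.onpaste === 'function') {
      el.onpaste = null;               /* el.onpaste = function () { ... } */
      touched = true;
    }
    if (touched) changed += 1;
  }
  return changed;
}

// Build the bookmarklet URL: paste the result into a new bookmark's address.
function toBookmarklet() {
  const src = unblockPaste.toString().replace(/\s*\n\s*/g, ' ');
  return 'javascript:(' + src + ')(document);void 0';
}

// Constructed stand-in for a page's DOM: two password fields, one blocking paste.
function fakeDocument() {
  const field = (type, attrs) => ({
    type,
    attrs: { ...attrs },
    onpaste: 'onpaste' in attrs ? () => false : null,
    getAttribute(n) { return n in this.attrs ? this.attrs[n] : null; },
    removeAttribute(n) { delete this.attrs[n]; },
  });
  const fields = [
    field('password', { onpaste: 'return false;' }),
    field('text', {}),
    field('password', {}),
  ];
  return {
    fields,
    querySelectorAll: sel =>
      sel === 'input[type="password"]' ? fields.filter(f => f.type === 'password') : [],
  };
}
```

This only undoes handlers set inline or via the `onpaste` property; a site that cancels the paste event from a listener registered with `addEventListener` needs a different approach.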
Do you use a password vault and/or strong password generator? Do you practice unique passwords? If not, why not?