The story of how Mat Honan’s accounts were hacked has been floating around for several days now. It’s an unfortunate combination of unpreparedness, social engineering, lax personal security and worst of all, lax corporate security.
It’s definitely worth a read because there are more than likely several parallels from which we can all learn. Mat has offered himself as a cautionary tale, so take advantage of his experience to shore up your own security.
To their credit, Amazon has changed the policy that allowed account changes by phone, and Apple has suspended the reset-by-phone process, both of which were used to gain access to Mat’s accounts. You better believe his high Intertubes profile led to those swiftly taken actions. Thanks for that Mat, we owe you one.
One of the bigger lessons Mat gives is to use 2-factor authentication wherever you can. Google offers this for their accounts, and today, I finally enabled it, years after Matt Topper (@topperge) encouraged me to do so. Better late than never, right?
I already use 1Password to keep my passwords strong and unique, so 2-factor authentication seemed like excess. It’s not; you really should have both.
And yes, they’re both super inconvenient, but you get used to taking extra steps. Once you’ve made the plunge, you begin to wonder how you ever lived without them.
It’s definitely worth the annoyance to be safer. No one is ever completely safe, yet another reason not to make enemies on the internets. A motivated hacker can burn you to the ground in hours, so be nice because you never know who’s on the other end of your flames.
One final note, some sites have taken security too far by preventing pasting into password fields by blocking the onpaste event. This is highly irritating and usually represents a bogus sense of security, as evidenced by the sadly ill-conceived password schemes of some of these sites.
Anyway, this prevents 1Password for working effectively. Thankfully, there’s a handy way to strip this out using a bookmarklet.
Do you use a password vault and/or strong password generator? Do you practice unique passwords? If not, why not?
Find the comments.
Lesse:
– unique passwords? Check.
– password vault? Check.
– strong password generator? No bloody way!
Don’t get me wrong here. I use strong passwords. But never from a generator!
“Th151sn074553cur3” as “1afraseBemLonganumalinguaQueninguemfala”, I can guarantee that: tested it with many crackers and none can break mine in any usable time.
It’s not the contents in l33tspeak that make a password strong nowadays.
It’s its length.
Pure and simple.
Good point also made by Randall Munroe, at least the length bit, if not the l33tspeak bit:
http://xkcd.com/936/
I keep mine long too, sometimes too long for the site, looking at you LinkedIn and a couple other egregious sites. I don’t mind the generator. I guess I like picturing myself under duress and being able to beat the lie detector:
“I’m telling you. I don’t know the password.”
🙂
Not unique passwords, no generator or vault. I just have too many accounts now to recall unique passwords. I do aim for strong passwords though – symbols, numbers, upper/lower case, made up words. That said, I had my Yahoo! account hacked recently and I was pretty shocked given the strength of the password.
Too many account is exactly why I got 1Password to keep them straight and unique. If you had an account hacked, it was probably a reused password.