Closing The Holes in my Digital Security
A little over three months ago I wrote a post on here called Overhauling My Digital Life, and in it I talked in some detail about two specific things I did to protect my data and my digital identity: enabling two-factor authentication everywhere I could, and signing up for an online file storage service for backup purposes.
These are both smart things to do and four months ago I wasn’t doing them. Doing smart things is, well, smart – but it’s probably secondary to what I’m going to write about today: how I’ve stopped doing two specific things that were just flat-out dumb. One of these has the potential to be a huge gotcha if, like me, you hadn’t taken a high enough level holistic view of your online security, so read on!
How many different online services do you use where you’re required to sign in with a username and password? I wouldn’t be surprised if it’s in the hundreds for some of you reading this.
How many different passwords do you have? I wouldn’t be surprised if it was less than five, because I have some research findings from 2012 that tell me that’s the case: 54% of internet users have five passwords or less.
You see what I’m getting at here, right? Everyone is reusing the same password across multiple sites, even though we all probably already know that’s a bad idea. For example, Google is probably (I would like to think) tech-savvy enough to avoid the majority of hacking attempts and, even if somebody did manage to gain access to their servers, I strongly suspect personal information like that is fairly well encrypted. Good. Can the same be said of that obscure forum on model aircraft you signed up for that one time because you wanted to ask a single question about the particular shade of red the RCAF painted their T-33s in the mid-60s?
(Side note: I found some lively discussion on my off-the-wall example topic, if not a definitive answer, here).
Anyway, my point here is that if you use the same password on multiple sites and just one of those sites suffers a breach of security, then the attacker has your password and that’s that. The chain is only as strong as its weakest link.
But you knew that already, right? And you’re smart (like me!) so you use a different password for each site. Here’s the problem: I don’t know of a human being that can remember hundreds of genuinely different passwords. You probably cut the same corner I did – instead of remembering a common password, you remember a common pattern then somehow plug the name of the site you’re on into that pattern. Genius! Instant unique password.
Here’s the thing: this technique won’t cut it in this day and age. As the general populace becomes more savvy about this kind of stuff, password crackers have to keep up – and keep up they do.
What good is a password you can’t remember? Well, more than you’d think. Personally I’ve downloaded a piece of software called KeePass. It (or variants of it) is available for Windows, Linux, Mac OS, Android, iPhone and others, and it stores a database of all my unique passwords. It has a built-in password generator for the creation of completely random and unique strong passwords, and it even has functions that will type them for me into the login page of a particular website.
Alternatives are available (LastPass is a popular one), but I chose KeePass specifically because it doesn’t store all my passwords in the cloud somewhere. The downside to this is that I’ve had to come up with a way to keep my password database synchronized across my devices on my own, but the upside is that there’s no online account storing every password I have that itself could potentially be hacked into.
There’s no perfect system here, but in my mind the bottom line is this: if your credentials are in the top 10% of the hardest for an attacker to figure out, it’s fairly likely that they won’t expend the effort on you. Once upon a time using a password pattern put you there, but today it doesn’t. You need to evolve.
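To make the pattern-versus-generator argument concrete, here is an added example (not from the original post, and not KeePass’s own code) that does two things: it generates a password the way a manager does, by drawing every character from the OS CSPRNG, and it audits a small constructed vault for the “common pattern” habit by flagging site pairs whose passwords share a long stem. The vault contents, the stem threshold and the `f"{base}{site}"` style pattern are all assumptions made for the demonstration.

```python
import math
import secrets
import string
from itertools import combinations

# Assumption: a KeePass-style generator drawing from letters, digits and punctuation (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Each character is drawn uniformly from a CSPRNG, so passwords for different sites share no structure."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Guessing work in bits for a uniformly random string: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def shared_stem(a: str, b: str) -> str:
    """Longest common prefix of two passwords; a long one means both were built from one pattern."""
    n = 0
    while n < min(len(a), len(b)) and a[n] == b[n]:
        n += 1
    return a[:n]


def audit_pattern_reuse(passwords: dict, min_stem: int = 6) -> list:
    """Self-audit over your own vault: return (site_a, site_b, stem) for every pair of sites whose
    passwords share at least min_stem leading characters. A breach of either site leaks that stem,
    and all that is left to guess for the other site is the short per-site suffix."""
    findings = []
    for (site_a, pw_a), (site_b, pw_b) in combinations(sorted(passwords.items()), 2):
        stem = shared_stem(pw_a, pw_b)
        if len(stem) >= min_stem:
            findings.append((site_a, site_b, stem))
    return findings


# Constructed sample vault: two entries built from one remembered stem plus a site fragment,
# and one entry produced by the generator above.
SAMPLE_VAULT = {
    "forum.example": "Tr0ub4dor&For!",
    "shop.example": "Tr0ub4dor&Sho!",
    "bank.example": generate_password(),
}

if __name__ == "__main__":
    print(f"random 20-char password: {entropy_bits(20, len(ALPHABET)):.0f} bits of guessing work")
    print(f"3-letter site fragment once the stem has leaked: {entropy_bits(3, 26):.0f} bits")
    for site_a, site_b, stem in audit_pattern_reuse(SAMPLE_VAULT):
        print(f"{site_a} and {site_b} share the stem {stem!r}")
```

Run against a real vault export, the audit lists exactly the pairs that a single breach would turn into a two-for-one.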
Your Email at Your Own Domain
As the cliché I spouted a few paragraphs above says, a chain is only as strong as its weakest link. When it comes to passwords, there’s little doubt that your email account is a huge metaphorical pair of bolt cutters.
I may have taken the analogy too far, but my point is that if somebody has access to your email account then they can probably go and hit the “reset password” link on any number of sites and gain access to your other accounts. Two-factor authentication is an essential addition to your email account for this reason; Gmail and outlook.com both offer it, and if your provider doesn’t you should probably think about switching.
My primary email account is powered by Gmail, and I’ve had two-factor authentication enabled there since just before I wrote my original article on it in April.
But there’s a problem.
My email address is not an @gmail.com one, it’s a custom one at my own domain. It looks great on my business cards, but it introduces another link in the chain, and I’m fairly sure that link is weaker than Google. In my case, that link is GoDaddy. If somebody were to gain access to my GoDaddy account, they could change my email configuration entirely, directing my mail away from the Gmail server that usually handles it and pointing it somewhere else entirely. Worse, at the time of writing GoDaddy only supports two-factor authentication for customers in the U.S.
Wired.com has a great article on this very subject that goes into detail about how writer Mat Honan’s digital life was held ransom until he relinquished his attractive Twitter handle: How Apple and Amazon Security Flaws Led to My Epic Hacking.
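The registrar risk described above is detectable: the mail routing for a custom domain is just the domain’s MX records, so a small drift check that compares today’s records against the provider you expect will notice when mail has been pointed elsewhere. The following is an added example, not code from the original post or from any provider; it assumes the domain is meant to deliver to Google’s `aspmx.l.google.com` hosts (a real hostname, but the allowlist is this example’s assumption) and parses the answer lines in the format `dig +noall +answer MX example.com` prints. The two answer sections are constructed.

```python
from dataclasses import dataclass

# Assumption: mail for the domain should land on Google's MX hosts. Put your own provider here.
EXPECTED_MX_SUFFIXES = ("aspmx.l.google.com",)


@dataclass(frozen=True)
class MXRecord:
    priority: int  # lower number wins, so a rogue record at priority 0 takes all the mail
    host: str


def parse_mx_answer(text: str) -> list:
    """Parse dig-style answer lines '<name> <ttl> IN MX <priority> <host>.' into MXRecords,
    skipping blank lines and ';' comments. Hosts are normalised to lowercase without the trailing dot."""
    records = []
    for line in text.splitlines():
        fields = line.strip().split()
        if not fields or fields[0].startswith(";") or len(fields) < 6 or fields[3] != "MX":
            continue
        records.append(MXRecord(int(fields[4]), fields[5].rstrip(".").lower()))
    return sorted(records, key=lambda r: (r.priority, r.host))


def _allowed(host: str, suffixes) -> bool:
    # Exact match or a proper subdomain of an allowed suffix; a bare endswith() would accept 'evilaspmx.l.google.com'.
    return any(host == s or host.endswith("." + s) for s in suffixes)


def unexpected_mx(records: list, allowed_suffixes=EXPECTED_MX_SUFFIXES) -> list:
    """Every MX host outside the allowlist. Any hit means mail can now be routed somewhere
    you did not choose, which is exactly what a registrar or DNS account takeover produces."""
    return [r for r in records if not _allowed(r.host, allowed_suffixes)]


# Constructed answer sections: a healthy state and one where a new top-priority host was inserted.
HEALTHY = """;; ANSWER SECTION:
example.com.\t3600\tIN\tMX\t1 aspmx.l.google.com.
example.com.\t3600\tIN\tMX\t5 alt1.aspmx.l.google.com.
"""
HIJACKED = """example.com.\t3600\tIN\tMX\t1 aspmx.l.google.com.
example.com.\t3600\tIN\tMX\t0 mx.unknown-host.example.
"""

if __name__ == "__main__":
    for label, answer in (("healthy", HEALTHY), ("hijacked", HIJACKED)):
        bad = unexpected_mx(parse_mx_answer(answer))
        print(label, "OK" if not bad else f"ALERT: {[(r.priority, r.host) for r in bad]}")
```

Feed it the live answer from a cron job and alert on a non-empty result; checking the name servers for the domain the same way catches the case where the whole zone is moved rather than one record.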
I’ve signed up for a secondary email address at outlook.com, using their standard @outlook.com suffix. I give my outlook.com email address to computers, and my Gmail-powered custom email address to people. Aside from the added security, the secondary benefit here is that virtually all the spam I get ends up in my outlook.com mailbox, which I only ever sign in to if I need to reset a password somewhere.