Mat Honan, the Wired writer who got seriously hacked a few months ago, tells us why passwords won’t protect our stuff anymore. Yes, let’s read this one before bed, Chuck.
Now. It’s a scary piece, designed to scare and successful at doing that. Note should be made that Mr. Honan has a reason to be pessimistic, and also that your chances of being singled out are…I have no idea.
The main points are important, though. No matter how complicated and intricate your password(s) may be, they are only as secure as your ability to retrieve or change them. And right there is the crux: There’s a low common denominator, since it’s not just tech-savvy, security-conscious types who bank online and pay their bills. It’s also Grandpa.
There are a couple of gaping holes in this security, as Honan points out. The first one is that big companies get hacked, and lists of user names and passwords get disseminated online. You may be a little nobody in Nobody, USA, but your info (email@example.com, password &@hD(72!^LkB@) suddenly pops up on a list somewhere, which of course you don’t know about because you don’t realize that T-Mobile has been hacked. Some teenager in Somewhere, USA starts taking that user name and plugging it and the password into various places: Facebook, Gmail, Verizon, Bank of America. Now we’re talking fun. Because we use the same passwords.
The more serious gap here, though, is old-fashioned human interaction. Again, we have to consider Grandpa. He’s lost his password. Can’t remember it. Can’t remember lots of things these days. So he calls the customer service line to get a reset. The customer service people want to help Grandpa. They ask for verifying information. Maybe a Social Security number, or a portion of one. Maybe the last four digits of a credit card. Maybe some security questions, mother’s maiden name, etc. And once verified, they send him a reset code to the email on file.
This is not Grandpa. This is a 15-year-old. He knows the security question answers because he took a minute to do a quick Google. The credit card and SSN? It can be done, too. And he’s already hacked the email account. Ready to roll.
Honan suggests a new model is crucial, one he hasn’t figured out yet but has suggestions about. In the meantime, though, we can do some hole closing. Security questions? What’s your mother’s maiden name? Hint: Don’t make it her maiden name. Maybe your dog’s name. Maybe a character from your favorite movie. Maybe answer every single security question with this same, unrelated and nonsensical answer, so you remember it. Not the maiden name.
Secondly, it might be a good idea to have an email account devoted to password resets, if that’s possible (I don’t see that option on a lot of my sites). Or else just use this second email for your dealings with online sites that are important. The ones you give money to, or have your money. An email address that will never be listed on Facebook or Twitter or LinkedIn. It might be tricky, since usernames are often email accounts, but dig down.
Finally, when dual authentication is available (Gmail and Facebook have it), use it: when you log into your account from a different IP address, a code is sent to your phone, and the login doesn’t go through until you enter it.
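To make the flow above concrete, here is an added example (my own sketch, not code from Honan’s piece or from Gmail or Facebook) of what a site has to do on its side: remember the IP addresses an account has logged in from, and when a login arrives from an unfamiliar one, hold it until a short-lived, single-use code sent to the phone on file is entered. The `Account` class, the `send_to_phone` hook, the `OUTBOX` list standing in for the SMS gateway, the five-minute lifetime and the three-attempt limit are all assumptions made for the illustration; nothing is actually sent anywhere.

```python
"""Step-up verification on a login from an unfamiliar IP address.

Constructed illustration: the account keeps a set of IPs it has seen
before. A login from a new IP is not completed until a random six-digit
code, delivered out of band, is entered. Codes expire, are single-use,
and are discarded after a few wrong guesses.
"""
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed: code is good for five minutes
MAX_ATTEMPTS = 3         # assumed: then the challenge is thrown away

# Constructed stand-in for the SMS gateway so the flow runs offline.
OUTBOX = []


def send_to_phone(username, code):
    """Hypothetical delivery hook; a real site would call its SMS provider."""
    OUTBOX.append((username, code))


class Account:
    def __init__(self, username, known_ips=()):
        self.username = username
        self.known_ips = set(known_ips)
        self._pending = None   # the one outstanding challenge, if any

    def begin_login(self, ip, now=None):
        """'ok' from a known IP; otherwise issue a code and ask for it."""
        now = time.time() if now is None else now
        if ip in self.known_ips:
            return "ok"
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, zero-padded
        self._pending = {"code": code, "ip": ip, "issued_at": now,
                         "attempts_left": MAX_ATTEMPTS}
        send_to_phone(self.username, code)
        return "code_required"

    def complete_login(self, ip, submitted, now=None):
        """Check the submitted code against the outstanding challenge."""
        now = time.time() if now is None else now
        pending = self._pending
        if pending is None or pending["ip"] != ip:
            return "no_challenge"
        if now - pending["issued_at"] > CODE_TTL_SECONDS:
            self._pending = None
            return "expired"
        # compare_digest keeps timing independent of how many digits matched
        if not hmac.compare_digest(pending["code"], str(submitted)):
            pending["attempts_left"] -= 1
            if pending["attempts_left"] == 0:
                self._pending = None   # guessing the rest is not allowed
                return "locked"
            return "bad_code"
        self._pending = None           # single use
        self.known_ips.add(ip)         # this address is now familiar
        return "ok"
```

Two details carry most of the value: the code is generated with `secrets`, not `random`, and it is compared with `hmac.compare_digest` so a wrong guess takes the same time whether it shares no digits or five with the real one. The "remember this IP afterwards" step is what keeps Grandpa from being prompted on every single login from his own living room.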
Try harder. Work the system.
And think of Grandpa. He’s always going to be the weak link.