Insecurity, Part One
The big story after Labor Day (in Entertainment) was the hacking of celebrities’ accounts. Because it involved Apple’s iCloud, it made all the news shows. All this coverage revealed the bigger problem.
It was apparent from their questions that many of the news people didn’t really understand the extent of the danger. I guess talking heads are really more celebrity than reporter.
High profile people are by definition too busy to bother with technical details or to seek a deeper understanding of the technology they depend on. But in the end their behavior is very much like any teenager or ordinary uninformed user.
When users want access to their data (including clouds) they’re faced with three barriers: User Name, Password, and Security Questions. These are not what they seem, e.g., passwords aren’t words.
A User Name, if you’re a celebrity, should never be your name. Using your name makes guessing it as easy as looking you up on Twitter or Facebook. Don’t use anything like a name, and never reuse a User Name. That’s right: one User Name for each account.
Here’s your first clue: Whatever you use to get past these three barriers at one site, don’t use the same information at any other site. Ever. Each site must have its own set of security keys.
“Wait a minute!” I hear you shouting, “How am I going to remember all that?” You shouldn’t. None of these, User Name, Password, or Security Questions, belong in your memory.
There was a time way back when all we had was one email account. Today, everybody has too many online accounts to try to remember all the access codes. Clue number two: You have a computer. It has a better memory than you do. Why not use it?
How? You can create a file with the access codes for each account. Protect it with a password (e.g., Zip files can do this). Don’t give it an obvious name or put it in an obvious place. Yes, this means every time you want access you must open this file.
Another method is to get a program that does all this for you. Such programs also generate random passwords. Speaking of passwords, never use a real (or disguised) word. Hackers can automatically run through dictionaries, trying everything that looks like a word.
They can, that is, if the site lets them. Apparently Apple did. Instead of adhering to the “three tries and you’re out” rule that’s been an industry standard for many decades, they allowed unlimited attempts. Apple made a big deal of saying they’ve now fixed this.
My question is: how did they allow it in the first place? If the guardians of our data are going to be this careless in protecting it, why trust their services? I wonder who else ignores the three-strike rule? We should go to all our sites and test each one.
Another question, the one that drives me nuts, is the Security Question that asks for my mother’s maiden name. Clue number three: never give an answer someone could look up.
Why bother with real answers, anyway? Since you need your security file for User Name and Password, it also has the answers to your Security Questions. So as long as you give the same answer—any crazy answer—it’s valid. Clue number four: Lie.
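To show what clues one through four look like in practice, here is a small added Python example (not code from this column): it generates a per-site User Name, a random password that it rejects if it is a real or disguised dictionary word, and random answers to the Security Questions. The word list is a constructed stand-in for a real cracking dictionary; protecting the resulting file with a password (e.g., in a Zip) is left to the tool of your choice.

```python
import secrets
import string

# Constructed toy word list standing in for a real cracking dictionary (assumption).
WORDLIST = {"password", "secret", "apple", "monkey", "letmein", "dragon"}

# Common substitutions that "disguise" a word; undone before checking the dictionary.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def looks_like_word(candidate, wordlist=WORDLIST):
    """True if the candidate is a word, a word plus digits, or a leet-disguised word."""
    lowered = candidate.lower()
    letters_only = "".join(ch for ch in lowered if ch.isalpha())      # monkey123 -> monkey
    decoded = "".join(ch for ch in lowered.translate(LEET) if ch.isalpha())  # P@55w0rd -> password
    return letters_only in wordlist or decoded in wordlist


def random_token(length, alphabet):
    """Cryptographically random string; secrets is used rather than random."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def make_credentials(site, questions, password_length=20):
    """One fresh User Name, password and set of Security Question answers for one site."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    password = random_token(password_length, alphabet)
    while looks_like_word(password):          # clue: never a real or disguised word
        password = random_token(password_length, alphabet)
    return {
        "site": site,
        "user_name": random_token(12, string.ascii_lowercase + string.digits),  # clue one: not a name
        "password": password,
        # clue four: answers nobody can look up, because they are random
        "security_answers": {q: random_token(16, string.ascii_letters + string.digits)
                             for q in questions},
    }


def build_vault(sites, questions):
    """Credentials for every site; nothing is shared between two sites (clue two)."""
    entries = [make_credentials(s, questions) for s in sites]
    assert len({e["user_name"] for e in entries}) == len(entries)
    assert len({e["password"] for e in entries}) == len(entries)
    return entries
```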
Next week’s Part Two will give you even more to worry about. And more helpful clues.