
Tis the Season To Get Hacked

by Blogger on 12-18-2009 12:30 PM - last edited on 12-19-2009 11:13 AM

Anyone notice that Twitter had a wee problem with hackers last night? Okay, technically it was their DNS records that were compromised and not Twitter itself, but the effect was the same: Twitter went down and a very non-Twitter message was posted in its place. Given that the hack didn't involve the DNS system itself, but rather Twitter's account with its DNS provider, it's time again to talk about best practices for not getting hacked, and some advice on what to do if your Gmail account is hacked.
Passwords. People, you choose lousy passwords. A friend of mine uses the same stupid, lousy password for all his services. All. Of. Them. That is, unless I sent him a password, in which case they often look like this: d@D866uye[iWayF, because I use 1Password to generate new passwords. All long, all random, and all pretty much unguessable. Okay, fine, they are also completely unmemorable, but this is where my 1Password master password comes into play. That password unlocks all the others. That password is not written down. It's not random, but it's pretty good and easy for me to remember. Wait, if they get that password, they get all of them, right? Right. That's where the login password for my Mac comes in. It's longer, more complex, and also not written down. You'd have a really tough time getting into my unlocked Mac and then into the 1Password file. No, this isn't a challenge. While 1Password is the Mac app of choice, Roboform and PassPack are great choices for PC folks.
What makes a good password? Here are my rules:

  • No words (in any language) that are written "normally"
  • No names (pets, kids, spouse, etc.)
  • No dates like birthdays or anniversaries. These are way too easy to find out.
  • Don't use the same password, no matter how great it is, for all services.
  • Use words strung together with characters swapped out. For example, if you wanted to use hotchocolate as a password, you swap o with 0, a with @, e with 3, and maybe l with 1 (I usually reserve 1 for "i" though). So now you'd have h0tch0c0l@t3, which is a great start.
  • Use additional "shift" characters like !, @, #, $, * and numbers. I avoid %, ^, (, ), and ? because they are often not allowed in password strings.
  • Use a phrase, and follow the two rules above. Say you want to use ilovehotchocolate! as a password; you transform it to 1l0v3h0tch0c0l@t3!, which is pretty darn good.

Why all these rules? Because a lot of account hacks are based on brute-force dictionary attacks. The attackers pick a target username and just start throwing potential passwords at it. You can guess what happens if you use a word from the dictionary without modifying it. Wait, you say, everyone knows about these substitutions you just told us... yes, they do, which is why a phrase is better. Most systems will lock out further login attempts after a certain number of failed passwords, so if it isn't an easy password, the attacker will be locked out before they get to the substitutions. Yes, it's a numbers game of low-hanging fruit. You just have to make a password hard enough that all but the most determined hacker will give up and move on.
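As an added example (not from the original post), here is a small Python checker that applies the rules above and first undoes the same character swaps a dictionary attack would, so a substituted single word is judged as the word it came from. The WORDLIST is a constructed stand-in for a real dictionary, and the date pattern and the three-word threshold are my assumptions, not the post's.

```python
import re

# Reverse the swaps the post suggests (o->0, a->@, e->3, i->1); a dictionary
# attack tries exactly these swaps, so strength is judged on the original word.
# "1" is mapped back to "i" only; the post's occasional l->1 swap is not undone.
UNLEET = str.maketrans({"0": "o", "@": "a", "3": "e", "1": "i", "$": "s"})
SHIFT_CHARS = set("!@#$*")          # the post's recommended "shift" characters
OFTEN_REJECTED = set("%^()?")       # characters the post says sites often refuse
DATE_RE = re.compile(r"(19|20)\d{2}|\b\d{1,2}[/.-]\d{1,2}\b")  # assumed pattern

# Constructed stand-in for a real wordlist; a real checker would load a dictionary.
WORDLIST = {"i", "love", "hot", "chocolate", "password", "winter", "summer"}


def normalize(pw):
    """Lowercase the password and undo the common character swaps."""
    return pw.lower().translate(UNLEET)


def segment(letters):
    """Split letters into dictionary words covering the whole string, or None."""
    best = [None] * (len(letters) + 1)
    best[0] = []
    for end in range(1, len(letters) + 1):
        for start in range(end):           # longest candidate word first
            if best[start] is not None and letters[start:end] in WORDLIST:
                best[end] = best[start] + [letters[start:end]]
                break
    return best[-1]


def check(pw):
    """Return the post's rules that the password breaks (empty list = passes)."""
    findings = []
    letters = re.sub(r"[^a-z]", "", normalize(pw))
    words = segment(letters) if letters else None
    if words is not None and len(words) < 3:   # assumed threshold for "a phrase"
        findings.append("%d dictionary word(s) after undoing swaps; use a phrase" % len(words))
    if DATE_RE.search(pw):
        findings.append("contains what looks like a date")
    if not SHIFT_CHARS & set(pw):
        findings.append("no shift characters (!, @, #, $, *)")
    rejected = OFTEN_REJECTED & set(pw)
    if rejected:
        findings.append("uses characters sites often reject: " + "".join(sorted(rejected)))
    return findings


if __name__ == "__main__":
    for candidate in ["hotchocolate", "h0tch0c0l@t3", "1l0v3h0tch0c0l@t3!", "Summer2009"]:
        print(candidate, "->", check(candidate) or "passes the post's rules")
```

Run against the post's own examples, h0tch0c0l@t3 still reads as two dictionary words once the swaps are undone, while the phrase version passes.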
What if your account is hacked? First, you're allowed a few moments of panic; then snap out of it and get going on fixing the problem. In the case of Gmail, Amit Agarwal (who is a well-respected and widely read geek like me) had his Gmail account hacked, and he details how he got it back and how to prevent it from happening .... For other accounts, my advice is to call them on the phone and be ready with a lot of information on hand to back up your claim that you are you. Obviously, if your email, as well as a site, has been hacked, using email verification is going to be problematic, so having backup email accounts is key. Let's make that essential.
If you're wondering how good (or bad) your password is, I found a couple online password checkers that you can use to assess your choices. This one from Microsoft is simple and easy for anyone to use.
If you're also wondering whether I've ever been tempted to punish friends who don't listen to my password advice (especially if they deal with sensitive or mission-critical systems) by changing their passwords on them: you bet. And I still might.

Update: As I suspected, it looks as if lax email password security was, again, at the root of Twitter's recent hack. So if you haven't updated your email password yet ... just do it now!

Message Edited by trishussey on 12-19-2009 11:13 AM
