Not long after I began writing about cybersecurity, I became a paranoid
caricature of my former self. It’s hard to maintain peace of mind when
hackers remind me every day, all day, just how easy it is to steal my
personal data
Within weeks, I set up unique, complex passwords for every Web site,
enabled two-step authentication for my e-mail accounts, and even covered
up my computer’s Web camera with a piece of masking tape — a precaution
that invited ridicule from friends and co-workers who suggested it was
time to get my head checked.
But recent episodes offered vindication. I removed the webcam tape —
after a friend convinced me that it was a little much — only to see its
light turn green a few days later, suggesting someone was in my computer
and watching. More recently, I received a text message from Google with
the two-step verification code for my Gmail account. That’s the string
of numbers Google sends after you correctly enter the password to your
Gmail account, and it serves as a second password. (Do sign up for it.) The
only problem was that I was not trying to get into my Gmail account. I
was nowhere near a computer. Apparently, somebody else was.
It is absurdly easy to get hacked. All it takes is clicking on one
malicious link or attachment. Companies’ computer systems are attacked
every day by hackers looking for passwords to sell on auctionlike black
market sites where a single password can fetch $20. Hackers regularly
exploit tools like John the Ripper, a free password-cracking program
that use lists of commonly used passwords from breached sites and can
test millions of passwords per second.
Chances are, most people will get hacked at some point in their
lifetime. The best they can do is delay the inevitable by avoiding
suspicious links, even from friends, and manage their passwords.
Unfortunately, good password hygiene is like flossing — you know it’s
important, but it takes effort. How do you possibly come up with
different, hard-to-crack passwords for every single news, social
network, e-commerce, banking, corporate and e-mail account and still
remember them all
To answer that question, I called two of the most (justifiably) paranoid
people I know, Jeremiah Grossman and Paul Kocher, to find out how they
keep their information safe. Mr. Grossman was the first hacker to
demonstrate how easily somebody can break into a computer’s webcam and
microphone through a Web browser. He is now chief technology officer at
WhiteHat Security, an Internet and network security firm, where he is
frequently targeted by cybercriminals. Mr. Kocher, a well-known
cryptographer, gained notice for clever hacks on security systems. He
now runs Cryptography Research, a security firm that specializes in
keeping systems hacker-resistant. Here were their tips:
FORGET THE DICTIONARY If your password can be found in a
dictionary, you might as well not have one. “The worst passwords are
dictionary words or a small number of insertions or changes to words
that are in the dictionary,” said Mr. Kocher. Hackers will often test
passwords from a dictionary or aggregated from breaches. If your
password is not in that set, hackers will typically move on.
NEVER USE THE SAME PASSWORD TWICE People tend to use
the same password across multiple sites, a fact hackers regularly
exploit. While cracking into someone’s professional profile on LinkedIn
might not have dire consequences, hackers will use that password to
crack into, say, someone’s e-mail, bank, or brokerage account where more
valuable financial and personal data is stored.
COME UP WITH A PASSPHRASE The longer your password, the
longer it will take to crack. A password should ideally be 14
characters or more in length if you want to make it uncrackable by an
attacker in less than 24 hours. Because longer passwords tend to be
harder to remember, consider a passphrase, such as a favorite movie
quote, song lyric, or poem, and string together only the first one or
two letters of each word in the sentence.
OR JUST JAM ON YOUR KEYBOARD For sensitive accounts,
Mr. Grossman says that instead of a passphrase, he will randomly jam on
his keyboard, intermittently hitting the Shift and Alt keys, and copy
the result into a text file which he stores on an encrypted,
password-protected USB drive. “That way, if someone puts a gun to my
head and demands to know my password, I can honestly say I don’t know
it.”
STORE YOUR PASSWORDS SECURELY Do not store your
passwords in your in-box or on your desktop. If malware infects your
computer, you’re toast. Mr. Grossman stores his password file on an
encrypted USB drive for which he has a long, complex password that he
has memorized. He copies and pastes those passwords into accounts so
that, in the event an attacker installs keystroke logging software on
his computer, they cannot record the keystrokes to his password. Mr.
Kocher takes a more old-fashioned approach: He keeps password hints, not
the actual passwords, on a scrap of paper in his wallet. “I try to keep
my most sensitive information off the Internet completely,” Mr. Kocher
said.
A PASSWORD MANAGER? MAYBE Password-protection software
lets you store all your usernames and passwords in one place. Some
programs will even create strong passwords for you and automatically log
you in to sites as long as you provide one master password. LastPass, SplashData and AgileBits
offer password management software for Windows, Macs and mobile
devices. But consider yourself warned: Mr. Kocher said he did not use
the software because even with encryption, it still lived on the
computer itself. “If someone steals my computer, I’ve lost my
passwords.” Mr. Grossman said he did not trust the software because he
didn’t write it. Indeed, at a security conference in Amsterdam earlier
this year, hackers demonstrated how easily the cryptography used by many popular mobile password managers could be cracked.
IGNORE SECURITY QUESTIONS There is a limited set of
answers to questions like “What is your favorite color?” and most
answers to questions like “What middle school did you attend?” can be
found on the Internet. Hackers use that information to reset your
password and take control of your account. Earlier this year, a hacker claimed he was able to crack into Mitt Romney’s
Hotmail and Dropbox accounts using the name of his favorite pet. A
better approach would be to enter a password hint that has nothing to do
with the question itself. For example, if the security question asks
for the name of the hospital in which you were born, your answer might
be: “Your favorite song lyric.”
USE DIFFERENT BROWSERS Mr. Grossman makes a point of
using different Web browsers for different activities. “Pick one browser
for ‘promiscuous’ browsing: online forums, news sites, blogs — anything
you don’t consider important,” he said. “When you’re online banking or
checking e-mail, fire up a secondary Web browser, then shut it down.”
That way, if your browser catches an infection when you accidentally
stumble on an X-rated site, your bank account is not necessarily
compromised. As for which browser to use for which activities, a study
last year by Accuvant Labs of Web browsers — including Mozilla Firefox,
Google Chrome and Microsoft Internet Explorer — found that Chrome was
the least susceptible to attacks.
SHARE CAUTIOUSLY “You are your e-mail address and your
password,” Mr. Kocher emphasized. Whenever possible, he will not
register for online accounts using his real e-mail address. Instead he
will use “throwaway” e-mail addresses, like those offered by 10minutemail.com.
Users register and confirm an online account, which self-destructs 10
minutes later. Mr. Grossman said he often warned people to treat
anything they typed or shared online as public record.
“At some point, you will get hacked — it’s only a matter of time,”
warned Mr. Grossman. “If that’s unacceptable to you, don’t put it
online.”
-----
This post originally by Nicole Perlroth for The New York Times