It’s Internet Safety Awareness Day
Note: This is an older post, imported from DnA’s older blog.
Other Note: I think the title of this post can be sung to “it’s peanut butter jelly time!”
OK, it’s not the most exciting of days. The people behind ISAD are presumably also behind “Wash Your Recycling Before You Recycle It Day” and “Remember to Brush Your Teeth Day”. That doesn’t mean it’s not important, and, I have to admit, I probably care about Internet Safety far more than I should. I’m Billy, I’m DnA’s IT Guy, I make sure this website keeps running and I fix things when they break. I’m also a part of DnA’s Communication Team, so I thought I’d put my Communication hat on and write about Internet Safety, specifically passwords. I’m going to talk about the cool AT we have at our fingertips for dealing with passwords, and I’m afraid I’m also going to talk about why they’re important and why you should care. Here goes.
What Are Passwords?
Sorry for starting with a patronising question, but I think it’s useful to talk about what passwords are and what they’re used for. Passwords are secrets that only you should know. The idea is that if only Person A knows the password, then when a stranger types the password into a computer, that stranger must be Person A. This means that the computer can safely share Person A’s data (emails, telephone numbers, bank details, etc.) with the stranger, and Person A can be happy that Person B can’t get access to that data.
That’s the key thing to keep in mind with passwords. They’re not just annoying barriers to your Facebook feed, they’re the only thing stopping the bad guy from reading your private messages.
What Makes a Good Password?
I think this topic has been done to death and most people are aware that they should use letters and numbers and symbols and the password should be long and it should be random and you shouldn’t re-use them and you should change them regularly and…
I’m not going to cover that stuff, instead I’m going to talk about the things you want your password to protect you from. Thinking about Internet Safety in this way is how I decide about my password choice, hopefully you’ll find it useful too.
I like to think about two kinds of “attack” on my passwords and on my accounts. The first is the kind of attack where a bad guy is targeting me individually and really wants to steal my stuff. This could be an attempt at identity theft, or someone could have stolen my phone and wants to learn my PIN, or maybe I’ve annoyed someone online and I’m being doxed. This kind of attack is usually personal and low-resourced. The attacker doesn’t have a data center full of super computers behind them, and they’re not going to be able to spend weeks running expensive hacks against my password. However, they are going to really care about breaking my security. They might try for a very long time and try lots of different things to win. They’ll start by looking at my Facebook account, then GMail, then Amazon, and they’ll find an old MySpace account or that weird ticket site I had to sign up to for the 1D tour.
If I want to feel safe against this kind of attack I need to make sure my password isn’t guessable. I shouldn’t use my dog’s name (or my mother’s maiden name), even if I do D1SguI$3 it. The attacker knows this information about me and can use it to beat me. I don’t want to re-use passwords because I’m giving the attacker an easy win; guess my Facebook password and get access to my GMail account too.
The second kind of attack is an attack against the company, against GMail, or Adobe, or Sony. In this attack the bad guys are well-resourced and will spend hundreds of thousands of pounds on getting super computers to crack passwords and gain access to accounts. Here the attackers are not targeting me, they’re trying to hack everybody. The fancy computers will probably spend less than a millisecond on my password because they’re trying to crack millions of passwords. Attackers do this so they can get easy access to lots of credit card numbers, lots of real email addresses, lots of real data on real human beings. They’re looking for the easy wins: which accounts have the same “password123” password, and which accounts have email addresses that use the same password elsewhere.
If I want to protect against this kind of attack I want to make sure my password is unique, that nobody else with an account at this company is using the same password as me. Also, I want to make it hard for attackers to guess what other accounts I might have with other companies.
What Cool AT Can I Use?
OK, so now we’ve covered the risks and we’re all really worried about being hacked. What can we use to make it all easy? With each of these tools, think about how it increases security and what trade-offs it has. Most of the time an increase in security comes with an increased PITA, or even decreased security elsewhere. Think of the scenarios above and which cases you’re concerned about.
Password Managers
There are loads of these; Wikipedia has a nice long list.
These cool bits of software will generate massive, random passwords made of gibberish and will help you remember them all. You simply go to facebook.com and paste what you’re told into the password box. You can easily have a super strong password unique to every site you sign up to and you never have to worry about remembering them.
This is great for a company hack because your password is almost guaranteed to be unique across all their accounts. It’s good for an individual attack because each password is different and each is very hard to guess. The downside? If your attacker has access to your computer (let’s say they stole it) they probably have all of your passwords. Also, it can be hard to get access to them on the go. I always get frustrated when I have to sign in to Facebook on my mobile because it’s very hard to type 64 characters of gobbledygook into the app.
Temporary or Unique Email Addresses
Sometimes you just have to sign up to a dodgy looking website, and sometimes you want to sign up for a day or so and then forget about it. You can use temporary email accounts for this, here’s a bunch to explore: Shark Lasers, Guerrilla Mail, or Mailinator.
These services let you sign up for a limited use email account that you don’t have to worry about getting hacked. So what if the next Adobe breach reveals your email address? You only used it for that one time you signed up to the Creative Cloud free trial.
A similar idea, and one I really like, is to use a unique email address for each account you create. If an attacker gets a list of usernames and passwords from a company breach, not only am I making sure to use a unique password, but now I’m also using a different email address. The address that I use to log in to Facebook is now not the same as the one I use to log in to eBay.
GMail lets you do this really easily by adding “+account” to your username. For example, my GMail account is firstname.lastname@example.org; if I signed up to the Wagon Wheel mailing list I could use the email address email@example.com. Any emails sent to this address still go straight to me, and now I’m using a unique email address and unique password for each account.
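As an added example (not code from the original post), here is a small Python script that builds the “+tag” aliases described above and, given a constructed list of addresses from a breach dump, works out which sign-up each leaked address came from. The base address and the dump are constructed sample values.

```python
import re

# Constructed sample mailbox for the demonstration, not a real account.
BASE_ADDRESS = "firstname.lastname@example.org"

def alias_for(base: str, service: str) -> str:
    """Build a per-service alias using GMail's "+tag" convention.
    The tag is lower-cased and restricted to [a-z0-9] so it survives
    sign-up forms that validate email syntax strictly."""
    local, domain = base.split("@", 1)
    tag = re.sub(r"[^a-z0-9]", "", service.lower())
    if not tag:
        raise ValueError("service name produced an empty tag")
    return f"{local}+{tag}@{domain}"

def canonical(address: str) -> str:
    """Strip the +tag so every alias maps back to the real mailbox."""
    local, domain = address.lower().split("@", 1)
    return f"{local.split('+', 1)[0]}@{domain}"

def leaked_from(addresses, known_base: str) -> dict:
    """Given addresses from a published breach dump, return the ones that
    belong to our mailbox, mapped to the service tag they were created for.
    The tag tells you which sign-up the breached data came from."""
    hits = {}
    for addr in addresses:
        addr = addr.strip().lower()
        if "@" not in addr or canonical(addr) != canonical(known_base):
            continue
        local = addr.split("@", 1)[0]
        tag = local.split("+", 1)[1] if "+" in local else ""
        hits[addr] = tag or "(no tag: the base address itself)"
    return hits

# Constructed breach-style list for the demonstration.
SAMPLE_DUMP = [
    "someone.else@example.net",
    "firstname.lastname+wagonwheel@example.org",
    "Firstname.Lastname+ticketsite@example.org",
    "firstname.lastname@example.org",
]

if __name__ == "__main__":
    print(alias_for(BASE_ADDRESS, "Wagon Wheel"))
    for addr, tag in leaked_from(SAMPLE_DUMP, BASE_ADDRESS).items():
        print(f"{addr} -> signed up as: {tag}")
```

Note that the tag is not a secret: anyone can strip the “+part” to find your real mailbox, so this separates accounts and tells you where a leak came from, but it does not hide the address itself.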
2-Factor Authentication
This is kind of the new kid on the block: 2-factor auth. If you use online banking you may have been given a little dongle that generates random numbers for you. This is your second factor. The first factor is your password, which is something that only you know. The second factor is something that only you have. Adding a second factor to your security makes it a lot harder for attacks to be successful. Attacks against the company are very unlikely to get into your account if you have it, and personal attacks would require a rather thorough investigation of your belongings.
Only a few websites will let you use 2-factor auth, Google and Dropbox for instance, but it’s a growing area and more sites are sure to start using it soon. Probably the most well known 2-factor piece of technology at the moment is the Google Authenticator. It’s not tied to Google services; I use it for lots of services, mainly my Dropbox account.
Just remember to always carry your towel with you and you’ll be fine. Make decisions on your passwords and password technologies based on what trade-offs you want to make regarding security. If you have any questions, or if you spot a mistake I’ve made, let me know by emailing me on billy+ISADPost@dnamatters.co.uk or messaging me from the site.
Thanks for reading :)