Time to Change Your Passwords!

It’s probably fair to say that most New Year’s resolutions are not tech-related, but the incidents of hacker activity that seem to be hitting closer to home every day probably warrant a few, especially when it comes to passwords and PIN codes.

While you’re clearing the decks and getting reorganized for a new year, consider whether any of the following are true for you:

  • Your online passwords for websites and your email are all the same
  • Your online passwords haven’t been changed recently, if ever.
  • Your online passwords are short and simple (just letters and numbers)
  • Your ATM card PIN code is the same one you had last year at this time.
  • The answers to your security questions (e.g. “Where did you go to high school?”) are easily guessed or googled.
  • Your online accounts are all linked to a single email address.
  • If you can answer ‘Yes’ to any of the above, let me very politely suggest that you are at this very moment exposing yourself to very real and unnecessary risk.

Death of the Simple Password

Most people will agree with the first three bullet points without too much persuasion. It’s pretty obvious that simple passwords are easily guessed by hackers with fast hardware and sophisticated cracking programs. And if all your passwords are all alike, you’ve made their job of invading and owning your world so much easier. Good passwords follow these rules:

  • At least 8 characters in length.
  • Include a mixture of upper and lower case letters and numbers.
  • For websites that allow them, include special characters like !?_()[], etc.
  • No common dictionary words or terms (love, letmein, 123456, qwerty, abc123, 111111, baseball, etc.)
  • No family names, names of your pets, or birthdays.
The usual mental roadblock to following these rules is a fear that the passwords will be difficult to remember. Thankfully, there are good tools available to help with that (see below), and if you are just a little bit creative you can take words or short phrases that are meaningful to you and just dice them up a bit.  For example, “I love to ski” might become “1L0v32SkeE”.

PINned Down

Unfortunately, there’s not much you can do with the PIN codes on your bank and credit cards except use different ones for each card and occasionally change them. Even twice a year would be better than zero.

Beyond the Password

The danger of simple security questions and linked accounts are a bit less obvious, so let’s look at two short examples to illustrate:

David Pogue is a technical writer for the New York Times. Hackers successfully used his security questions to gain access to his digital world. The questions were:

  1. What was your first car?
  2. What is your favorite model of car?
  3. Where were you on January 1, 2000?

To answer to the first two questions, the hackers merely used Google. They found a blog post David wrote that answered both questions. Regarding the question about Jan 1, they simply guessed “party”, a very logical guess for New Year’s Eve. With that they were in, and by the time they were finished, they had even locked David out of his kitchen iMac.

The problem with linking all of your accounts to a single email address can been seen in the much publicized case of Matt Honan. The salient point from his own personal account was this:

It wasn’t password related. They got in via Apple tech support and some clever social engineering that let them bypass security questions [to gain access to my account].

Essentially, the hacker convinced an Apple customer support person to give him access to Matt’s iCloud email account without answering the security questions. Once inside, it was a simple matter to lock him out by changing his password and then request password resets from his various other online accounts (Twitter, gmail, etc.), all of which all flowed back to his iCloud email address. At that point it was over.

OK, I’m convinced, but what can I do?

The best defense is to be a hard-to-hit moving target, meaning, use multiple complex passwords, and change them frequently. Also, make your security questions are obscure enough that they can’t be easily guessed or googled. These things are very easy to do, but unfortuantely they’re also very easy not to do. Indeed, the reaction I get most often to this is “that’s too much hassle”. Relatively speaking, however, I think we can all agree that it’s a lot less hassle than being hacked. Moreover, there are tools to help you manage it. I use 1Password. It’s expensive, but it’s worth every penny, and it runs on every device you are likely to own, be it Windows, Mac, iOS, or Android.

So while you’re cleaning house for the new year, why not beef up your security. You’re worth it!