Tuesday, April 23, 2013

What's My Password, Again?

Spring cleaning doesn't stop with my apartment. After I clean the physical world, I clean up my digital world, too. And that means, in part, new passwords for my critical accounts. I pick several strong* passwords and make sure (user name, password) pairs are different for all my important accounts.

But, boy, is it ever a hassle.

What's Your Favorite Color?

Even if I had completely random strings for passwords for every single account that I changed every month instead of every year, I still wouldn't feel totally safe. Why? I don't believe that sites secured with passwords are actually secure if they ask basic security questions to "recover" your account in the event you forget your password. Then your account is only as secure as your mother's maiden name and favorite color. And given the amount of publicly available information and stuff people post about themselves on Facebook, that means the account isn't really secure at all. With a little guessing, anyone could answer those questions! To solve this problem I try to do two things:

1) Write my own security question.

2) If I can't write my own security question, I make up a ridiculous or completely unrelated answer to the posed question. Q: "What's your favorite color?" A: "Live long and prosper."

You get the idea. Sure, I may forget my password and also the answers to the security questions, but really, if there isn't a chance that you can lock yourself out of an account permanently, then is the account really secured at all?

Think I'm paranoid? The NSA actually recommends this (see page 6):
To prevent an attacker from leveraging personal information about yourself to answer challenge questions, consider providing a false answer to a fact-based question, assuming the response is unique and memorable.
While I am on board with good password management and do other things like encrypt my home wireless signal, use anti-virus software and firewalls, and am careful about which websites I visit, I still don't follow all the best practices.

Why? Because, man, is it ever a pain.

What's the Worst that Could Happen?

This is the question computer scientists usually ask, and sometimes it's a question worth pondering.

Here's an account of a Wired editor being hacked and all his data deleted, just because the hackers were attracted to his three-letter Twitter handle.

How can you prevent this? You can't, 100%. But following the best practices linked to above gets you a lot of the way there. Here's Lifehacker on undertaking those costly security measures: have good password security, utilize two-device verification, and regularly maintain good backups.

Actually, you should have a backup system no matter what, because digital devices have a high failure rate even without the help of hackers. I think the half-life of a hard drive is only on the order of 5 years. And remember the golden rule of backups: if your data isn't in at least two places at the same time, then it's not backed up.

But ultimately, you have to weigh the costs and benefits yourself: what level of security is worth having online and off, and how much and how often to back up and secure digital and physical files. The benefits of security are high, but so are the costs.

What's Likely to Happen? Is all This Security Stuff Worth It?

Microsoft published a good article on this topic a few years ago. If you want to know about common attacks on passwords, details about phishing, and the total uselessness of "certificates", read the article.

The main result: "Most security advice simply offers a poor cost-benefit tradeoff to users and is rejected."

They are trying to get across the idea that worst-case harm is not the same as expected harm. Really bad things can happen to you online, but they usually don't, so when users ignore security advice, they do it not because they are lazy, but because, boy, is it ever costly. But getting hacked and losing your data is a pain, too, so the question is really: is it worth it to you?


* Strong passwords contain upper and lowercase letters, numbers, and symbols, and many people recommend passwords be at least 8 characters long (but the NSA recommends at least 10).
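To put numbers on the two points above (a fact-based security answer is only as strong as the list an attacker can guess from, and the footnote's strong-password rules), here is an added example that is not part of the original post. It assumes a constructed list of 16 common favorite colors and treats any character class mix as a search space of class-size ** length.

```python
import math
import string

# Constructed sample: the kind of small answer pool a "favorite color"
# question really draws from (assumption, not from the post).
FAVORITE_COLORS = [
    "red", "blue", "green", "yellow", "purple", "orange", "pink", "black",
    "white", "brown", "gray", "teal", "gold", "silver", "navy", "maroon",
]

CLASS_SIZES = {
    "lower": len(string.ascii_lowercase),   # 26
    "upper": len(string.ascii_uppercase),   # 26
    "digit": len(string.digits),            # 10
    "symbol": len(string.punctuation),      # 32 printable ASCII symbols
}

def char_classes(secret: str) -> set:
    """Return the set of character classes actually present in the string."""
    present = set()
    for ch in secret:
        if ch in string.ascii_lowercase:
            present.add("lower")
        elif ch in string.ascii_uppercase:
            present.add("upper")
        elif ch in string.digits:
            present.add("digit")
        elif ch in string.punctuation:
            present.add("symbol")
    return present

def search_space_bits(secret: str) -> float:
    """Bits an attacker must brute-force if they know only the classes used."""
    alphabet = sum(CLASS_SIZES[c] for c in char_classes(secret))
    return 0.0 if alphabet == 0 else len(secret) * math.log2(alphabet)

def meets_footnote_rules(secret: str, min_len: int = 10) -> bool:
    """All four classes present and at least min_len characters (NSA: 10)."""
    return len(char_classes(secret)) == 4 and len(secret) >= min_len

def fact_answer_bits(candidates: list) -> float:
    """Guessing a fact-based answer is a lookup in a short list, not a brute force."""
    return math.log2(len(candidates))

if __name__ == "__main__":
    print("favorite color answer:", fact_answer_bits(FAVORITE_COLORS), "bits")
    print("Live long and prosper.:", round(search_space_bits("Live long and prosper."), 1), "bits")
    print("meets rules?", meets_footnote_rules("Correct-Horse7"))
```

The output shows why the post's made-up answer is worth more than the true one: a real favorite color is a 4-bit secret, while an unrelated phrase is on the order of a password.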
