Initial investigation into the recent hack of celebrity accounts seems to indicate that the perpetrators used a brute force attack, with perhaps a bit of social engineering thrown in. This should be a wake-up call for anyone with a digital life, and particularly for anyone with an eCommerce site.
A brute force attack relies on a computer repeatedly attempting to log in to accounts. As computers get more powerful they can cycle through tens of thousands of attempts an hour. Since a shocking number of internet users actually use passwords like "12345" and "password", this is easier than it seems. It is like someone going door to door in the dark of night, checking under the mat or a plant pot for keys, and walking in.
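For a site owner, the attack pattern described above shows up in the login log as a burst of failed logins against one account from one source, sometimes followed by a success. As an added example (not from the original post), here is a small Python detector run over constructed sample log lines; the audit line format, the threshold of five failures within five minutes, and the addresses and user names are all assumptions:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical login-audit format (not from any real product).
SAMPLE_LOG = """\
2014-09-01T02:10:01Z login FAIL user=alice src=203.0.113.7
2014-09-01T02:10:02Z login FAIL user=alice src=203.0.113.7
2014-09-01T02:10:02Z login FAIL user=alice src=203.0.113.7
2014-09-01T02:10:03Z login FAIL user=alice src=203.0.113.7
2014-09-01T02:10:04Z login FAIL user=alice src=203.0.113.7
2014-09-01T02:10:05Z login OK user=alice src=203.0.113.7
2014-09-01T02:15:00Z login FAIL user=bob src=198.51.100.9
2014-09-01T02:55:00Z login FAIL user=bob src=198.51.100.9
2014-09-01T09:00:00Z login OK user=bob src=198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def parse_line(line):
    """Return (timestamp, result, user, src), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group("result"), m.group("user"), m.group("src")

def detect_brute_force(log_text, max_failures=5, window=timedelta(minutes=5)):
    """Flag (src, user) pairs with >= max_failures FAILs inside a sliding window.
    Each alert records the failure count and whether a login later succeeded,
    which is the case to escalate: the guessing may have worked."""
    recent = defaultdict(list)  # (src, user) -> timestamps of recent failures
    alerts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, result, user, src = rec
        key = (src, user)
        if result == "FAIL":
            # keep only failures inside the window ending at this event
            recent[key] = [t for t in recent[key] if ts - t <= window] + [ts]
            if len(recent[key]) >= max_failures and key not in alerts:
                alerts[key] = {"failures": len(recent[key]), "success_after": False}
        elif key in alerts:
            alerts[key]["success_after"] = True
    return alerts
```

Two slow failures from bob forty minutes apart are ignored, while alice's five failures in four seconds followed by a success are flagged as the case to look at first.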
Social engineering is also helped by social media and our tendency to share everything. If you are already in the public eye, then your limited privacy is reduced even further. It doesn't take long on social media or Google to discover the name of your pet, where you were born or your mother's maiden name. When these are used as answers to security questions, suddenly you are not so secure.
Yes, remembering a zillion passwords is a pain, but it is less painful than someone hacking into your personal or professional life, so here are a few tips.
- Use strong passwords: You know the drill: uppercase and lowercase letters, numbers, symbols.
- Change them regularly: Our office network forces all staff to change their passwords regularly and prevents us from re-using passwords we have used in the last few periods. Most web services won't be that fussy (yet), but you should still make it a habit. Change it monthly (and don't use the name of the month as the password) or when we switch to or from daylight saving time.
- Use different passwords for different services: Yep. One password for everything is a huge risk. If you can't keep them all straight, don't even try: create random strings, and when you come back use the "forgot password" feature. I do this for services I rarely use.
- Lie: Yep. Don't use the city you were born in as the answer to the security question; substitute something else. This can cause problems, of course, so there is no need to go too far off base, and you likely want to be consistent if you use this answer on more than one service. Rather than listing where you were born, use where one of your parents was born.
- Protect your devices: Everyone should password-protect their phones, tablets, and computers. I am not sure if this is even an optional setting anymore, and if it is, it shouldn't be. Do you really need to use the "remember me" function on all those web sites you visit regularly? For many people, if someone compromises a web device, they will have almost unfettered access to your internet life.