On Passwords, Backups, and Your Inevitable Hacking


Here's my question about the Google two-step: Isn't it a big bet on the idea that no one will ever be able to hack Google and then, if you're two-stepping, get your e-mail plus the bonus of the phone numbers you provided?

Though I guess at that point you're already pretty screwed...
@1 - Perhaps, but it's a reasonable bet that Google's services are pretty secure, but even allowing that nothing is completely secure, and they're a big target, it's just extra security for your account. If your account is compromised by some internal or system-wide hack of Google's data, it wouldn't be any worse than if you didn't have it turned on.
Windows has its own backup utility; it's in the control panel and it's called "Backup and Restore".
The chance of someone hacking Google's 2-step is so remote that it's best not to worry about it. First they need your user name and password. So they'd somehow have to hack Google to get that. Once they hack Google they'd have to deal with the encryption Google uses and the ways in which Google anonymizes the user/data relationship. Then they'd have to find some flaw in the authenticator algorithm. If they found a flaw they could conceivably generate the 2-step password. The chances of both of those things occurring though aren't very likely.

This is the one time where having bad customer service is a plus. It was the stellar customer service that both Apple and Amazon give that made it possible to social engineer an exploit. Just try contacting Google, speaking to a person, and getting them to reset a password in this way. It's unlikely to happen. I don't even know how to get a person at Google, and I use their services for almost everything. The lesson to learn is that the person is the weak link more often than the computer.
@3 - Thanks, added to the post.
1Password is the bomb diggity. I don't have to know a single one of the kajillion-hexadecimajigger passwords I've had it generate for me, just the one secret word that unlocks everything, which nobody could ever guess unless they saw that one Afterschool Special that lingers so in my mind.
A password manager is a must. I use Keepass because it's multiplatform and syncs up well with Dropbox.
Analog decays gracefully, digital decays completely.
1. "If your data is not backed up, it is already gone." - B.

2. Xkcd on good password strength.

3. Never NEVER NEVER use the same passwords for: Email, Facebook, Banking, & Work. Also, write them down and keep that paper in a safe location at home.

I personally use Steganos 'LockNote' as my account/password keeper file.
@9 beat me by 1 minute.
I read the articles on Macrumors about the hacking.

I write my passwords down on paper. That's my password manager.
Truth! Thanks for the reminder.

What really worries me, what really keeps me up at night, is the thought of someone breaking into my Slog account. Forget my bank account and medical records. This is what really matters!
Never trust the Internets. The tubes are full of spambots that hate science.
@10 the sucky password in that comic isn't random. Using a random generator would be more secure, no?
@15 for the I Am Spam and SLOG has not Cancelled me Yet win. Seems like when I post that the spam goes bye bye.
@9 & 10 - XKCD is right, of course, except that it still doesn't scale when you have to remember passwords for 300 different websites and services. I wish 1Password would generate those kinds of passwords, though, instead of only the gibberish kind.

Still this whole thing shows that the strength of your password is only 1 piece of the puzzle, and only protects against guessing and brute-force. There are other ways to be compromised.
Don't back up to Apple's cloud storage; it's apparently easy to call up Apple Tech Support and pretend to be, let's say, a Wired staff member and say you need to reset the password. Next thing you know, iPhone, iPad and everything on the cloud is wiped clean.

So it doesn't matter if you have complicated passwords, or even password managers; you just have to keep calling Apple Support and find a gullible/new rep.
@16 ...I'm confused. Thank you?
I like LastPass because it integrates with all browsers, cross platform too. And it does random password generation. It also has a smartphone app, but the iPhone one does not integrate with Safari (the rules of the App Store prevent it), but you can still access your passes and copy/paste or use the built-in browser in a pinch.

Only problem was they were compromised a year ago or so, but they have implemented 2 step authentication several different ways since then. I use the Google Authenticator app on my iPhone. You can also use a USB Key or a printed out grid of numbers (kinda old school WWII style but it works if you don't have a smartphone).
@20 - Yeah, LastPass sounds good. 1Password has all of those features too (and works with Safari), but no 2-step auth.
@18 - Backing up to iCloud doesn't open you up to having your devices wiped remotely, that's a separate feature (Find My iPhone/Find My Mac) that you have to specifically enable.
Good discussion of Google's two-factor auth: https://news.ycombinator.com/item?id=434…
Mozy by VMware has an awesome backup and share service. Very reliable, good customer service, good prices, long term stable company. http://mozy.com. 2GB free, 50GB for $6/month. I highly recommend it.
I just realized the crappiest website that has my shit is thestranger.com. Fuck.
@15 Yeah, I was lazy enough not to re-read a comic strip I posted. Sorry, I was up all night trying to download ph…

You're right - random passwords would be more secure than the first technique, though near impossible to remember.
@15 & 26 - Random is better *at the same length*, yes, but few people make 30-40 character random passwords. Using several actual words tends to result in more characters, which is more secure.
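The "random is better at the same length, but word passphrases end up longer" point above can be made exact with a few entropy calculations. The following is an added example, not something posted in the thread: it computes the bits of entropy for a random printable-ASCII password versus a passphrase of N words drawn from a wordlist, and generates both kinds with the `secrets` module. The wordlist sizes (2048, which is what the XKCD comic's 44 bits implies, and the 7776-word Diceware list) are the only inputs; the tiny sample wordlist in the demo is constructed here purely so the generator runs offline.

```python
import math
import secrets
import string

# 94 printable ASCII characters (letters, digits, punctuation), the usual "gibberish" alphabet.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation

WORDLIST_SIZE_XKCD = 2048       # ~11 bits/word, matches the comic's 44 bits for 4 words
WORDLIST_SIZE_DICEWARE = 7776   # 6^5, ~12.9 bits/word


def entropy_random(length: int, alphabet_size: int = len(PRINTABLE)) -> float:
    """Bits of entropy in `length` characters chosen uniformly from the alphabet."""
    return length * math.log2(alphabet_size)


def entropy_passphrase(word_count: int, wordlist_size: int) -> float:
    """Bits of entropy in `word_count` words chosen uniformly from the wordlist."""
    return word_count * math.log2(wordlist_size)


def equivalent_random_length(bits: float, alphabet_size: int = len(PRINTABLE)) -> int:
    """Shortest uniformly random password over the alphabet with at least `bits` of entropy."""
    return math.ceil(bits / math.log2(alphabet_size))


def random_password(length: int) -> str:
    """Uniform random password; secrets.choice uses the OS CSPRNG, never random.choice."""
    return "".join(secrets.choice(PRINTABLE) for _ in range(length))


def random_passphrase(words: list, word_count: int, sep: str = " ") -> str:
    """Uniform random passphrase from the given wordlist (entropy depends on len(words))."""
    return sep.join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    phrase = "correct horse battery staple"          # the comic's example, 28 characters
    bits_phrase = entropy_passphrase(4, WORDLIST_SIZE_XKCD)
    print(f"4 words / 2048-word list: {bits_phrase:.1f} bits")
    print(f"  same strength needs only {equivalent_random_length(bits_phrase)} random chars")
    print(f"  a random string of the same {len(phrase)} chars: "
          f"{entropy_random(len(phrase)):.1f} bits")
    print(f"4 words / Diceware list:  {entropy_passphrase(4, WORDLIST_SIZE_DICEWARE):.1f} bits")
    print(f"8 random printable chars: {entropy_random(8):.1f} bits")

    # Constructed stand-in wordlist so the generator runs offline; a real list has thousands.
    sample_words = ["correct", "horse", "battery", "staple", "orbit", "velvet", "cactus", "fjord"]
    print(random_passphrase(sample_words, 4))
    print(random_password(16))
```

The numbers bear out both halves of the comment: a 28-character random string is vastly stronger than a 4-word phrase of the same length (about 184 bits versus 44), but a 4-word phrase is roughly as strong as the 7 or 8 random characters people actually tolerate typing, and is far easier to remember.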
You can minimize your chances of being hacked as well by choosing to use a website or service that has the proper Firewall or IPS rules. Articles like this always make people think they are solely alone in being hacked. It takes more than one to have a party.
Forgot to add, you can learn all about ways to prevent hacking and secure your site at http://www.ntobjectives.com.
Anthony, your take on this is dead-on. If Mat had bothered to back up his stuff, this whole event would have been a simple PITA, instead of a major disaster. Good passwords are good, better passwords are better, but anyone who does not have at least one backup of their data is a fool. My own personal regimen is two backups using TimeMachine, one on site and a second sitting in my desk at work. These two disks trade places every six months or so, allowing for at worst a six month old backup if the house burns down...

Mat is not the only guy whose kids will have no baby pictures of themselves because of a catastrophic failure, coupled with a non-existent backup strategy. Most will be simple HD failures, and could have been easily recovered with a $100 USB drive and a very modest amount of effort.

Backups - Just Do It.