Here's my question about the Google two-step: Isn't it a big bet on the idea that no one will ever be able to hack Google and then, if you're two-stepping, get your e-mail plus the bonus of the phone numbers you provided?
Though I guess at that point you're already pretty screwed...
@1 - Perhaps, but it's a reasonable bet that Google's services are pretty secure, and even allowing that nothing is completely secure and that they're a big target, it's just extra security for your account. If your account is compromised by some internal or system-wide hack of Google's data, it wouldn't be any worse than if you didn't have it turned on.
The chance of someone hacking Google's 2-step is so remote that it's best not to worry about it. First they need your user name and password. So they'd somehow have to hack Google to get that. Once they hack Google they'd have to deal with the encryption Google uses and the ways in which Google anonymizes the user/data relationship. Then they'd have to find some flaw in the authenticator algorithm. If they found a flaw they could conceivably generate the 2-step password. Both of those things occurring, though, isn't very likely.
This is the one time where having bad customer service is a plus. It was the stellar customer service that both Apple and Amazon give that made it possible to social engineer an exploit. Just try contacting Google, speaking to a person, and getting them to reset a password in this way. It's unlikely to happen. I don't even know how to get a person at Google, and I use their services for almost everything. The lesson to learn is that the person is the weak link more often than the computer.
1Password is the bomb diggity. I don't have to know a single one of the kajillion-hexadecimajigger passwords I've had it generate for me, just the one secret word that unlocks everything, which nobody could ever guess unless they saw that one Afterschool Special that lingers so in my mind.
3. Never NEVER NEVER use the same passwords for: Email, Facebook, Banking, & Work. Also, write them down and keep that paper in a safe location at home.
What really worries me, what really keeps me up at night, is the thought of someone breaking into my Slog account. Forget my bank account and medical records. This is what really matters!
@9 & 10 - XKCD is right, of course, except that it still doesn't scale when you have to remember passwords for 300 different websites and services. I wish 1Password would generate those kinds of passwords, though, instead of only the gibberish kind.
Still this whole thing shows that the strength of your password is only 1 piece of the puzzle, and only protects against guessing and brute-force. There are other ways to be compromised.
Don't back up to Apple's cloud storage; it's apparently easy to call up Apple Tech Support and pretend to be, let's say, a Wired staff member and say you need to reset the password. Next thing you know, iPhone, iPad and everything on the cloud are wiped clean.
So it doesn't matter if you have complicated passwords, or even password managers; you just have to keep calling Apple Support and find a gullible/new rep.
I like LastPass because it integrates with all browsers, cross platform too. And it does random password generation. It also has a smartphone app, but the iPhone one does not integrate with Safari (the rules of the App Store prevent it), but you can still access your passwords and copy/paste or use the built-in browser in a pinch.
Only problem was they were compromised a year ago or so, but they have implemented 2 step authentication several different ways since then. I use the Google Authenticator app on my iPhone. You can also use a USB Key or a printed out grid of numbers (kinda old school WWII style but it works if you don't have a smartphone).
@18 - Backing up to iCloud doesn't open you up to having your devices wiped remotely, that's a separate feature (Find My iPhone/Find My Mac) that you have to specifically enable.
Mozy by VMware has an awesome backup and share service. Very reliable, good customer service, good prices, long term stable company. http://mozy.com. 2GB free, 50GB for $6/month. I highly recommend it.
@15 & 26 - Random is better *at the same length*, yes, but few people make 30-40 character random passwords. Using several actual words tends to result in more characters, which is more secure.
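An added example, not code from the thread, putting numbers on the "random vs. several words" comparison in the comments above: the guessing entropy of a secret is length times log2 of the number of equally likely choices per position, assuming the attacker knows the generation scheme (this is the "only protects against guessing and brute-force" part; it says nothing about phishing or support-desk resets). The generators use the `secrets` module; the word list here is a constructed stand-in for a real list such as the 7776-word Diceware list, so the passphrase entropy is computed from its actual length.

```python
import math
import secrets
import string

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 characters
HEX = string.hexdigits[:16]                                              # 0-9 a-f

# Constructed stand-in word list (a real Diceware list has 7776 entries).
WORDS = ["correct", "horse", "battery", "staple", "anvil", "bishop", "cactus",
         "dragon", "ember", "falcon", "garnet", "harbor", "island", "jungle",
         "kettle", "lantern"]


def entropy_bits(choices: int, length: int) -> float:
    """Bits of guessing entropy for `length` independent uniform picks from `choices`."""
    return length * math.log2(choices)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to enumerate the whole space at a given guess rate."""
    return 2.0 ** bits / guesses_per_second


def random_password(length: int, alphabet: str = PRINTABLE) -> str:
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase(n_words: int, wordlist=WORDS) -> str:
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def compare_candidates() -> dict:
    """Entropy of the schemes discussed in the thread, in bits."""
    return {
        "4 words, 2048-word list (xkcd)":  entropy_bits(2048, 4),
        "4 words, 7776-word Diceware list": entropy_bits(7776, 4),
        "8 random printable ASCII chars":  entropy_bits(len(PRINTABLE), 8),
        "16 random hex chars":             entropy_bits(16, 16),
        "28 random lowercase letters":     entropy_bits(26, 28),
        "4 words from the stand-in list":  entropy_bits(len(WORDS), 4),
    }


if __name__ == "__main__":
    for name, bits in compare_candidates().items():
        hours = seconds_to_exhaust(bits, 1e9) / 3600   # assumed offline rate: 1e9 guesses/s
        print(f"{name:36s} {bits:6.1f} bits  ~{hours:.3g} h at 1e9 guesses/s")
    print(random_password(16), "|", passphrase(4))
```

The table makes both commenters' points: four words from a 2048-word list (44 bits) sit close to eight fully random printable characters (52 bits), while 28 random lowercase letters, the same length as a typical four-word phrase, reach about 131 bits. The passphrase wins only because it is longer, and only if the words really are picked uniformly at random rather than chosen by a person.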
You can minimize your chances of being hacked as well by choosing to use a website or service that has the proper Firewall or IPS rules. Articles like this always make people think they are solely alone in being hacked. It takes more than one to have a party.
Anthony, your take on this is dead-on. If Mat had bothered to back up his stuff, this whole event would have been a simple PITA instead of a major disaster. Good passwords are good, better passwords are better, but anyone who does not have at least one backup of their data is a fool. My own personal regimen is two backups using Time Machine, one on site and a second sitting in my desk at work. These two disks trade places every six months or so, allowing for at worst a six-month-old backup if the house burns down...
Mat is not the only guy whose kids will have no baby pictures of themselves because of a catastrophic failure, coupled with a non-existent backup strategy. Most will be simple HD failures, and could have been easily recovered with a $100 USB drive and a very modest amount of effort.
2. Xkcd on good password strength.
I personally use Steganos 'LockNote' as my account/password keeper file.
I write my passwords down on paper. That's my password manager.
You're right - random passwords would be more secure than the first technique, though near impossible to remember.
Backups - Just Do It.