Tips for strong, memorable security questions and passwords

I was about to post this in a Facebook comment, but it’s too long. :) It’s part of showing some friends ways to choose strong, memorable passwords and security questions (and answers) in light of the mind-blowing “How Apple and Amazon Security Flaws Led to My Epic Hacking” article by Mat Honan. The upshot of the article is that bad guys can exploit the way security practices differ across sites:

But what happened to me exposes vital security flaws in several customer service systems, most notably Apple’s and Amazon’s. Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information — a partial credit card number — that Apple used to release information. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification.

Here are my tips:

Turn on 2-step verification for your Google account (https://www.google.com/settings/security). It takes about 10 seconds each time you do it. It texts you a unique code to type in each time you log into a new computer — but it means someone can only get into your account if they have both your password and, physically, your cell phone.

Facebook offers the same thing. Thanks to the wife for pointing that out to me: https://www.facebook.com/settings?tab=security.

For your security question answers, don’t use something in the public record or that you might have mentioned online somewhere. No maiden names, no street you grew up on, no pet names. Security questions tend to consist of easy-to-find stuff. Think about it. I can find out a person’s high school mascot by visiting a person’s Facebook profile, and if it’s public, I can see their school. If it’s not public, I can see their hometown and slowly start guessing local mascots. I’d target people from small towns with few schools. The name of the street they grew up on is often public record. Their age when they got married, had a kid, etc. is as easy as checking photo upload dates on Flickr, Facebook, or Snapfish.

There are sites that let you choose your own questions, and why more sites don’t do that, I don’t know. The fewer degrees of logical separation you have, the better; the more degrees of logical separation the attacker has, the better. For example, often there’s a piece of obscure information that, for one reason or another, has always stuck with you. So that’s a great question-and-answer pair to use. Consider “What nickname did S. give her car?” It’s easy to remember — you only need two steps of logic to remember it:

  1. Who do you know that nicknamed their car?
  2. Of those, whose name starts with the letter s?

But it takes many burdensome steps for the attacker to guess it, a few being:

  1. Who does the target know whose name starts with s?
  2. Of those (say, ten), what cars have they owned?
  3. Of those (say, 30 cars), what were their makes, models, model years, colors, and features that might suggest a particular nickname?
  4. Can I guess this correctly before I get locked out?

Likewise, a popular self-generated security question, tied to an object in your physical possession, can exploit the inherent complexity of books: “What are the first twenty characters on page 118 of my dictionary?” (But that assumes you’re near your dictionary or remember the letters.) The humorous part about that is the rule we’ve all heard, “Don’t use words from the dictionary,” so if you’re a stickler for that — and want something that doesn’t require a physical object at hand — a great mnemonic device is to choose a memorable sentence and turn its first letters and punctuation into a password. “Art Monk, Redskins receiver, played in Super Bowl XXVI” becomes “AM,Rr,piSBXXVI”.
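As an added example (not from the original post), here is a small Python implementation of the first-letters-and-punctuation mnemonic described above, plus a basic sanity check of the result. The function names, the rule that all-caps tokens such as Roman numerals are kept whole (which is what reproduces the post’s own “AM,Rr,piSBXXVI” example), and the short list of common passwords are my assumptions; a real check would consult a large breach corpus rather than the constructed set here.

```python
import re
import string

# Tokens kept whole instead of being reduced to one letter: all-caps runs of
# two or more characters, such as Roman numerals (XXVI) or initialisms. This
# rule is an assumption chosen to match the post's example.
_KEEP_WHOLE = re.compile(r"^[A-Z0-9]{2,}$")


def mnemonic_password(sentence: str) -> str:
    """Reduce a memorable sentence to first letters, keeping punctuation in
    place, e.g. 'Art Monk, Redskins receiver, played in Super Bowl XXVI'
    -> 'AM,Rr,piSBXXVI'."""
    out = []
    for token in sentence.split():
        # Peel leading and trailing punctuation off the word core so that
        # commas, periods, etc. survive in the output.
        lead, core, trail = "", token, ""
        while core and core[0] in string.punctuation:
            lead += core[0]
            core = core[1:]
        while core and core[-1] in string.punctuation:
            trail = core[-1] + trail
            core = core[:-1]
        if not core:  # token was pure punctuation (e.g. a lone dash)
            out.append(lead + trail)
            continue
        piece = core if _KEEP_WHOLE.match(core) else core[0]
        out.append(lead + piece + trail)
    return "".join(out)


# Constructed sample of entries typical of leaked-password lists; the point
# of the check is that a mnemonic must not collapse into one of these.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "football", "redskins"}


def strength_problems(pw: str, min_len: int = 12) -> list[str]:
    """Return a list of reasons the derived password is weak (empty if none).
    The 12-character minimum and three-class rule are assumptions."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("appears in common-password list")
    classes = sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])
    if classes < 3:
        problems.append("uses fewer than three character classes")
    return problems


if __name__ == "__main__":
    for s in ("Art Monk, Redskins receiver, played in Super Bowl XXVI",
              "Don't use words from the dictionary!"):
        pw = mnemonic_password(s)
        print(f"{s!r} -> {pw!r}; problems: {strength_problems(pw)}")
```

The second sentence in the usage block deliberately yields a short result (“Duwftd!”), which the check flags as too short: a mnemonic is only as strong as the sentence is long, so pick one with a dozen or more words.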

Some sites give the option to turn off email as a way to do password recovery, which is awesome. If an attacker has accessed your email account, he can change your account’s password and then start checking through your emails to see what sites you use…and then start resetting those passwords. So if you turn off email for password recovery and only use text messaging, then to reset a password the bad guy would have to have your cell phone in hand.

Other things to think about…

Stolen passwords are a commodity. Bad guys will figure them out and offer a preview to other bad guys, who then buy them in bulk. Changing passwords regularly can take advantage of the lag between stolen passwords and sold passwords. (A while back, I turned off Google Search History and Googled an old password…it showed up in a plain text file of other passwords. Lesson learned.)

Of course, changing passwords often can be a pain, so I suggest programs like KeePassX. It lets you store your login information for any site you need to (or it can generate a password for you). You then save it in a password-protected, encrypted file…but here’s the fun part. You can disguise that file as any file type or file size you want. So within the tens of thousands of files on your computer, there’s a single obscure password-protected, say, .mp3 that looks just like any other .mp3, that you’ve named a real song name, say, “Sonic Youth – Teenage Riot”. More brilliance: KeePassX asks for your master password for every file it’s asked to open. Every file a bad guy tries to open is presented with the same dialog box as the actual password-holding file. The only way for an attacker to get to your password is through a threat of physical harm, which is a weakness of any system for keeping secrets. (Hm, though I guess a keylogger might do the trick.)

My only frustration with tools like KeePassX is syncing it across devices, since passwords are saved in files and a change to one file on one computer doesn’t change another file on another computer. So it’s worth thinking through a secure way to keep the file in an accessible location online, still mixed in with a large number of other files.

I’ve written a lot here, but all those tips are in fact quite easy to follow. The remaining, perhaps biggest weakness of security questions and passwords is, however, at the other end. I encourage you — at every opportunity — to yell at Apple, Facebook, your banks, everybody to coordinate, adopt, and keep improving best practices. The 19-year-old who accessed Mat Honan’s accounts and wiped his computer of every important file in his life, every photo of his daughter, did it because the companies we trust don’t care to work with each other. Strong, memorable security questions and passwords don’t scupper every attack if the service at the other end doesn’t do its job.