As you may remember, over a month ago a hacker was able to gain access to hundreds of confidential documents from Twitter. The incident was covered heavily on tech blogs, and TechCrunch wrote a very interesting post describing the “anatomy” of the Twitter attack. I found the post to be extremely insightful and I’m quite impressed with the social engineering that the hacker used to carry out the attack. So impressed, actually, that I’ve really taken some time to evaluate my personal situation with regard to online security and have taken some extra precautions.
I want to highlight some of the less obvious, but highly important, aspects of smart online account management. I’m not going to cover topics like “how to create a secure password” or “why you shouldn’t keep your passwords on a post-it note on your monitor”. Hopefully most of you are aware of these basic principles, and if not, there’s plenty of help on the web.
After doing some research and thinking a lot about this topic, I’ve determined that the most important aspect of online security is your email account. You can think of your email account (“Gmail” from now on…) as the front door to your online accounts. Think about it: Gmail knows about all of the accounts you have, most of the usernames, and sometimes even the passwords of these accounts. When you forget your password on a website, Gmail gets the link to reset it. Basically, it’s the central point of communication for all of your accounts on the web. If a hacker is able to gain control of your Gmail account, they can quickly determine what other accounts you have and request that your passwords be reset. In just a few minutes, the hacker can control many of your accounts and effectively steal your identity.
It’s very important to make sure that your email account has a very secure and completely unique password. Don’t use this password for anything else. Additionally, make sure that your security questions are equally secure. (More about this in a minute…) If you forget your Gmail password, there is a feature which lets you receive a password reset link via SMS message to your phone. It might be a good idea to turn on this option as the only “password recovery option” for your account. In the case of the Twitter attack, the compromised Gmail account had a secondary Hotmail address to which the Gmail “forgot password” email was sent. This Hotmail account was easily compromised, and from there the hacker was able to reset the user’s Gmail password. It’s probably a good idea to rely only on SMS as a recovery option, or better yet, never forget this password!
Secondly, your password is only as secure as your security questions. You know, questions like: “What’s your dog’s name?”, “What’s your favorite book?”, “What’s your favorite color?”. With the popularity of Facebook, Twitter, and other social networks continuing to grow, it’s becoming easier and easier to find out this information. If it’s out there, Google can find it. Try to keep this in mind when you are filling out these security questions. If possible, create your own questions that only you know the answer to. Unfortunately, not all websites let you write your own security questions. Hopefully websites will start to realize how these questions often weaken security rather than strengthen it, and improve them.
Last but not least, it’s a good idea to use different usernames and passwords for different accounts. As a bare minimum, I recommend using a username for important things like credit cards, banks, and loans that is different from the username you use for Twitter or Flickr. Ideally, pick a completely random username to use for these important accounts. It’s also a good idea to have a different password for each of these accounts. The more unique passwords you can remember, the more secure you will be. It’s very convenient to have a single username and password for everything, but if a hacker is able to get into just one of these accounts, the rest can be easily compromised as well.
I know this has been a lengthy post but hopefully it has started to get you thinking about your online security. It’s very easy to take online security lightly, and maybe you have been doing it for years without a problem. While this might be true, it only takes one unlucky situation and you can quickly find yourself in a big, scary mess.