Hacked or to be Hacked

Nicole Perlroth:

Chances are, most people will get hacked at some point in their lifetime. The best they can do is delay the inevitable by avoiding suspicious links, even from friends, and manage their passwords. Unfortunately, good password hygiene is like flossing — you know it’s important, but it takes effort. How do you possibly come up with different, hard-to-crack passwords for every single news, social network, e-commerce, banking, corporate and e-mail account and still remember them all?

To answer that question, I called two of the most (justifiably) paranoid people I know, Jeremiah Grossman and Paul Kocher, to find out how they keep their information safe. Mr. Grossman was the first hacker to demonstrate how easily somebody can break into a computer’s webcam and microphone through a Web browser. He is now chief technology officer at WhiteHat Security, an Internet and network security firm, where he is frequently targeted by cybercriminals. Mr. Kocher, a well-known cryptographer, gained notice for clever hacks on security systems. He now runs Cryptography Research, a security firm that specializes in keeping systems hacker-resistant. Here were their tips:

FORGET THE DICTIONARY

NEVER USE THE SAME PASSWORD TWICE

COME UP WITH A PASSPHRASE

OR JUST JAM ON YOUR KEYBOARD

STORE YOUR PASSWORDS SECURELY

A PASSWORD MANAGER? MAYBE

IGNORE SECURITY QUESTIONS

USE DIFFERENT BROWSERS

SHARE CAUTIOUSLY

“At some point, you will get hacked — it’s only a matter of time,” warned Mr. Grossman. “If that’s unacceptable to you, don’t put it online.”

About Scot McKnight

Scot McKnight is a recognized authority on the New Testament, early Christianity, and the historical Jesus. McKnight, author of more than fifty books, is the Professor of New Testament at Northern Seminary in Lombard, IL.

  • Joe Canner

    I saw this article yesterday and found it very enlightening but also very depressing. It used to be that all you had to worry about was whether the online shopping site you were using employed encryption technology. And, if you were worried about credit card security you could always use the telephone or the shopping mall.

    These days, every e-commerce site wants you to create an account and much business that used to happen by mail or telephone now happens online (e.g., employer HR resources, insurance company statements, banking and investment records, etc.). In other words, it’s almost impossible to opt-out any more (even if you wanted to). I’m sure this is good advice, but with the proliferation of sites requiring usernames and passwords, the organizational skills required to heed the advice are significant.

  • David P

    Was worried about this a few years ago and did the following:

    1) Set up two step authentication for my gmail account
    2) Started using Lastpass to create and store passwords

    Much safer overall.

  • David Philpott

    Biggest thing is to use two-step authentication for Google and Microsoft accounts.

  • Jon G

    I created a pneumonic device that changes with every site.

    So I remember a sentence with a proper name and a number, break it into abbreviated letters and throw the first letter of whichever website I’m on in one particular spot.

    So it would look like this:
    “Bob Clarke is my 6th cousin” = “BCim6thc”
    And on Amazon it would be “aBCim6thc”

    As long as you remember the sentence and where you are going to add the specific site letter, it should give you an easy to remember, yet hard to hack password…

  • Nicholas

    It would be funny if the link from your twitter was a hack… you would have got us all!

  • scotmcknight

    Pneumonics … a nice charismatic edition of mnemonics.

  • EricW

    Interesting password-creation tip: http://www.jjmelo.com/blog/the-best-password-remembering-tip-youll-ever-encounter/

    Very similar to @4 Jon G’s mnemonic method.

  • jon

    A couple of great solutions for password management:

    1password : agilebits.com/onepassword – available for mac, PC, iOS, and Android
    LastPass : lastpass.com – available for all platforms, a lower monthly payment rather than single purchase.

    Everyone should be using some sort of password generator/manager. There’s no excuse for bad password hygiene with programs like these.

  • AJG

    I used to use LastPass, but I now use KeePass which is cross-platform and open-source. Any of these choices is great, though. Nowadays when I try to generate a twenty-character password, I find that many websites are the culprits for bad security as they often limit passwords to fewer characters.

  • TomH

    You all will love passfault.com…..the “try it” tab….last one I tried took a supercomputer 32 centuries to hack….fun

  • Klasie Kraalogies

    Being able to speak another, minor language, and use that for passwords and security questions helps a lot….

  • phil_style

    It is VERY VERY easy to come up with unique and different passwords for ALL websites that only you can remember. All you need to do is come up with a formula and use it for all passwords.

    For example:
    website name _ birthday in reverse _ type of website

    So, for the bank it might be:

    BOM_NAJ77_bank
    (bank of america, january 1977, bank)
    And for facebook it would be

    FB_NAJ77_socnet
    (facebook, january 1977, social network)

    Then you could add another formula,
    All websites from A to M the password is reversed.

    Something like that.
    All you need to do is remember the formula you come up with, and then you should never forget any more passwords ever again.

  • Josh T.

    I started using the portable version of KeePass a little over a week ago. So far I like it. I had been accumulating a bunch of new passwords due to job sites, job applications and resume submissions (makes an annoying process that much more irritating), so I thought it would be helpful. Of course, I wouldn’t want to lose my KeePass database and stuff, so I sync it to a cloud storage location. It also allows you to export to HTML if you really want a textual record/hard copy, and you can export the site links to Windows favorites.

    Phil #12: The concern I would have with the example you give is if someone got hold of one of those accounts’ password, it wouldn’t take much trial-and-error to break into other accounts, given the repeating code in the middle and the clearly logical abbreviations at either end.

  • Pat

    And here’s something else to watch out for: an e-mail from a friend inviting you to see pictures at Zoosk. I had heard of Zoosk before but didn’t know it was a dating site until I went to the site and signed up. Apparently, this friend’s e-mail has been hijacked as he is an older, married gentleman in his mid to late 70s and not given to such sites. I immediately disabled the account I set up when I realized what it was.
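The thread above contrasts three ways of getting a password: a personal formula (phil_style, with Josh T.'s objection that one leaked password exposes the pattern), a random string from a manager (jon, AJG), and a passphrase (the article's "COME UP WITH A PASSPHRASE" tip). The script below is an added example, not code from the article or from any commenter, that puts rough entropy numbers on each. It assumes a plausible birth month/year falls within 12 × 80 possibilities, that a real word list has 7776 entries (the constructed 16-word list is only there so it runs offline), and that the guess rate passed to `years_to_exhaust` is an illustrative figure rather than a measurement.

```python
import math
import secrets
import string

# Constructed sample word list, used only so the example runs offline; a real
# diceware-style list has 7776 words, which is what the entropy figure assumes.
SAMPLE_WORDS = [
    "anchor", "basket", "candle", "dolphin", "engine", "falcon", "garden", "harbor",
    "island", "jacket", "kettle", "lantern", "meadow", "nickel", "orbit", "pepper",
]
DICEWARE_LIST_SIZE = 7776  # assumed size of a full word list

# The printable set a password manager typically draws from:
# 52 letters + 10 digits + 32 punctuation characters = 94 symbols.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def formula_password(site_abbrev: str, birthday_token: str, category: str) -> str:
    """Build a password with phil_style's formula: site _ birthday-in-reverse _ site type."""
    return f"{site_abbrev}_{birthday_token}_{category}"


def formula_secret_bits(months: int = 12, years: int = 80) -> float:
    """Entropy left for someone who knows the scheme but not the birth date.

    The site abbreviation and category are public, so the only secret is the
    month/year token (assumed 12 * 80 plausible values). Once one such password
    leaks, as Josh T. points out, that token is exposed for every other site too.
    """
    return math.log2(months * years)


def random_password(length: int = 20, alphabet: str = FULL_ALPHABET) -> str:
    """Generate a password the way a manager does: uniformly at random from the alphabet."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def password_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def passphrase(words: list, n_words: int = 5, sep: str = " ") -> str:
    """Pick n_words uniformly at random from a word list (the passphrase tip)."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def passphrase_bits(list_size: int, n_words: int) -> float:
    """Entropy of a random passphrase: n_words * log2(list size)."""
    return n_words * math.log2(list_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case years to try every possibility at an assumed guess rate."""
    seconds = 2 ** bits / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    rate = 1e10  # assumed guesses per second, for illustration only
    print("formula  :", formula_password("BOM", "NAJ77", "bank"),
          f"~{formula_secret_bits():.1f} secret bits,",
          f"{years_to_exhaust(formula_secret_bits(), rate):.2e} years")
    # AJG's point: sites that cap password length cut the entropy proportionally.
    for length in (8, 12, 20):
        bits = password_bits(length, len(FULL_ALPHABET))
        print(f"random {length:2}:", random_password(length),
              f"~{bits:.1f} bits, {years_to_exhaust(bits, rate):.2e} years")
    bits = passphrase_bits(DICEWARE_LIST_SIZE, 5)
    print("passphrase:", passphrase(SAMPLE_WORDS), f"(full list: ~{bits:.1f} bits,",
          f"{years_to_exhaust(bits, rate):.2e} years)")
```

Run it as a script to see the comparison; the formula password's secret part is roughly ten bits, while a 20-character random password from 94 symbols is around 131 bits and a five-word passphrase from a 7776-word list about 65 bits, which is the difference between guessable in seconds and out of reach at any realistic rate.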
