I'm on vacation and after reading all about how Mathew Honan got hacked (thanks Apple for giving the hacker access! Read about that here: http://www.macrumors.com/2012/08/05/apple-support-allowed-hacker-access-to-reporters-icloud-account/ ) I'm working on making my security better. I've done what +DeWitt Clinton recommends (turning on two-step verification) but I also changed all my passwords. Here's what I do. 

1. I use a passphrase. I come up with something like this: "Bill Gates Loves XXXX in 2012 XXXXX." So that turns into a password like this: $BGlAi2012A (I add a symbol like a dollar sign just to make the password harder to figure out). That kind of password just can't be guessed, and it is different for every service, so if one gets hacked the hackers can't get into the others. I use a passphrase because that way I never have to write down my passwords and I don't need to rely on a third-party service to keep my passwords. If you have a better methodology I'd love to hear it.

2. I change my passwords every three months. Mostly because Rackspace forces me to, but also this makes sure that I'm OK, even if some service gets hacked and my passwords get shared. 

3. I try to minimize the amount of cross-service dependencies. I regularly go to Facebook's dependency list (https://www.facebook.com/settings/?tab=applications) and remove apps I no longer use. I do the same on Twitter and Google.

4. I only use security questions that you can't find the answers to online. That minimizes the amount of social hacking that should be possible, like what Mathew's hacker used to get through Apple's security on the phone.

How do you protect your systems from getting hacked?
 
Google 2-Step Verification

If you do only one thing today, please enable 2-step verification on your Google account. We have a Getting Started guide here:

 http://support.google.com/accounts/bin/answer.py?answer=180744

And step by step instructions for setting up SMS here: 

 http://support.google.com/accounts/bin/answer.py?answer=185839

Then download the app for your Android, iOS, or other smartphone here:

 http://support.google.com/accounts/bin/answer.py?answer=1066447

How it works

2-step verification works by requiring both your password, which only you know, and a one-time secret number generated by your phone, which only you have, the first time you access your Google account from a new machine or device.

So while you might have your password stolen someday, or you might lose your phone, it's very unlikely both would ever happen at the same time. Unless you wrote down your password on the back of your phone.  But you wouldn't do that, now would you?  : )

It's easy!

A few minutes today means you won't ever have to worry about someone getting into your email or your other personal data again. I've enabled 2-step verification on all of my Google accounts and I sleep much better at night for having done it.

Today's the perfect day to enable 2-step verification, too.  My heart goes out to Mathew Honan after he lost his password to hackers last night [1,2].  Now, like thousands of others who hear his story, he will no doubt be setting up 2-step verification on all of his accounts right away.

It's for you!

Keeping personal accounts safe is something that everyone wants, not just famous journalists or computer geeks.  While it doesn't happen every day, sometimes anyone, even you or me, can make a mistake and accidentally let a password fall into the wrong hands.  So why not take just a moment today and make sure that even if it does happen to you, your data will still be safe and secure forever.

Let us know in the comments once you've set everything up!

[1] http://www.emptyage.com/post/28679875595/yes-i-was-hacked-hard
[2] http://gizmodo.com/5931828
83 comments
 
2 Step Verification is a pain in the ass on Google. Facebook has it right. Simple SMS verification, while Google makes it overly complicated PER app.  I agree with its use, they could just learn from Facebook on how to do it simply where it's not beneficial only for geeks, but for common users.
 
Seriously scary stuff. I have psychotic jumbled passwords taught to me by my last job. The pass phrase is brilliant.
 
Setup Lastpass, use it on all devices and create a “good unique password” for every site.
 
I have an irrelevant answer to security questions. Otherwise similar.
 
Google's two-step verification is godlike. I <3 it. I also use passphrases for some things, and a complicated set of passwords for others. You can occasionally be even more brutal by stringing otherwise unrelated passphrases that you've memorized together into an even longer password for something else. Same with passwords. I tier my passwords from highest to lowest security. High security ones are unique, only used for one place, etc. Low security passwords I use on every bloody site on the Internet, because I couldn't care less if somebody got into them. And even then, I don't make it easy.
 
+Lamarr Wilson You can do a one-step, one-time (per machine) verification with Google over SMS if you want.  This works for whole devices like Android phones as well, though there are some legacy apps that require an app specific password when setting them up the first time (we do this for your safety).  I agree that it's a few minutes to set up, but it's definitely not just for geeks!
 
Ad 1) A passphrase is a good solution, but depending on how many accounts you use, you will quickly come to a point where you cannot remember each and every passphrase.

Password managers are a solution for this, although they create a single point of failure. If you use one locally on your main computer you do not need to rely on third party services.

KeePass is an open source password manager which I can recommend: http://keepass.info/
 
1.  Your memory is better than mine so I just use a password manager to create unique and powerful passwords.  

2. The passwords are always at the very strong level (12 characters or greater) so I only change them about once per year.  

3.  I need to look into this.  Do you think 2-step verification will become the standard in the near future due to all the hacks that have happened lately?  I recently told a friend that my phone is now much more valuable to me than my wallet.

4.  I've never really liked security questions because if they can't be looked up via direct or indirect means (finding out my mom's maiden name via a relative or relation on Facebook), the answer might change (favorite movie has and will continue to change).
 
+Frank Innerhofer-Oberperfler I tend to be very iffy of password managers, not only for single-point-of-failure, but sometimes I can't be sure they aren't sending my passwords anywhere themselves. Most password managers on Android have network permissions, for example. Some of the popular ones are cloud services, which means they are sending your password off somewhere. I just don't trust that stuff.
 
I use a combination of letters (small & caps), symbols, numbers.. and 8-10 chars long.. but only thing I don't do is change every 3 months, and have put my passwords in groups, eg. emails, social network a/c, etc.
 
This is completely insecure if someone steals your mobile device (who is going to generate a huge passcode and keep it with them at all times). Try an easy product like It's Me Security > http://www.itsmesecurity.com < which uses operators and is easy to remember.
 
+Jake Weisz I think that both LastPass and 1Password give you control (meaning the connecting cloud services, such as Dropbox, can't access your password, only the blob of encoded text).
 
+Jake Weisz I agree with you. And for that reason I do not use a password manager on mobile devices and no cloud based password services.
 
I completely and strongly second +Chuck Boschen on lastpass.com - very secure, very user-friendly, I started using it for security reasons but after 6 mons I love it just as much for convenience and it's a boon on mobile too.
 
I use LastPass for most websites. The password on LastPass is more than 32 characters including spaces etc.

Work and private are totally separated, laptop is fully encrypted, so no need for remote wiping. Password changed every 60 days.

Removed all possibility for remote wiping of my private phone, and important files on Dropbox are encrypted and stored in two other locations.

So I use extensive encryption and redundancy for important files. Plus a daily backup.
 
You can lie on those security questions.  "What high school did you graduate from?"  Edna Grace Pickering  "Who is your maternal grandmother?"  Amy Pond of Dr Who. 

The problem with that approach is remembering what you really put, since you put a fake person in for high school etc. I have forgotten question answers...
 
+David Eckard Exactly. In the two to five years until you actually need those, you'll forget how you were trying to be clever at the time. ;)
 
I am a little paranoid about using master password sites.. have heard about them and how they work but will need to dig in more.
 
Lastpass offers multifactor authentication and it is quite easy to use. No hassle. Works on all devices - 12.00 per year. I don't work for them, but I have evaluated this product and it is one of the best.
 
LastPass is secure until LastPass itself goes down or has a breach, did we forget the last scare they had? That made me pull out and manage my OWN passwords.
 
What do you think about services like Lastpass?
 
+Lamarr Wilson Does LastPass offer the ability to save your security blob in the cloud via Dropbox or another service?  I'm using 1Password like this.
 
+Lamarr Wilson Don't sell yourself short.  I'm taking the easy way out and using a manager.  You guys are doing the geek stuff manually.  Yikes!
 
Simply install LastPass and allow it to scan for passwords that are duplicates and/or unsafe and follow the steps they suggest. If you doubt LastPass is safe, watch Steve Gibson's in-depth analysis of LastPass.

While no system is 100% (at least theoretically) safe, LastPass makes life far easier than the steps you describe. If you have passwords on say 50-100 sites I cannot fathom changing each one every three months. Not only is that unnecessary, it can open you up to attacks unwittingly.

Lastly, have an 'alias' account for assorted linking of services & apps that is never tied to your main acct(s). I maintain the richness of linking services on an account that is virtually completely walled off from my main account (barring a few instances where this is not worth the steps (nor time) to anonymize, e.g. IPs, MAC Adr., etc.), utilizing the main acct. only for important, and limited, data, e.g. banking, online purchasing etc.
 
+Lamarr Wilson You are right, nothing is 100%. However, if there is a breach at LastPass your data is still safe if you have a good password on your file. Since LastPass does not have your key, the bad guys would have to break their encryption, which is not likely in the next 20 years.
 
Oh and one more thing I do.. I use a relatively easier password compared to my regular more complicated ones whenever I sign up for something new, like forums etc. Then if I find myself using that site or forum more often, or when giving out more info, I change the password to something more complicated.
 
Has any analysis been done on Google Authenticator?  
 
Listen any type of password like that is too easy. Your original sentence would have been better before you condensed it. Hackers nowadays use programs to run through and guess every possible character and length, sentences are more secure for sure
 
I store all my passwords in an encrypted KeePass file located on Google Drive. I'm using a strong password like the one +Robert Scoble uses. KeePass is free on Android, Windows and Linux etc.
I'm also trying to minimize how many sites I'm on. That's why I use Google services if I can.
 
1- Don't save your important passwords on the browser. Because passwords are not encrypted. Detail: http://www.quora.com/Google-Chrome/Why-does-Google-Chrome-allow-you-to-show-saved-passwords/answer/Glen-Murphy

2- Don't use illegal applications. If you give any permission to malicious software, your password's algorithm and strength do not matter anymore.

3- Use fake (secondary) Gmail (or another) account for suspicious mobile applications.

4- Most important one: Think twice about connecting to a public network. If you have to... Create a secondary OS user account and only allow SSL-required apps on this account, don't give rw permission to your important directories, and use this account on public networks. Only log in to SSL-supported websites and use SSL-supported mobile apps when you are connected to a public network.
 
Oh and btw, all my computers have a TrueCrypt system partition and you'll need a strong password to boot.
 
This all seems like a massive hassle from a user experience.  Even in this video Google spends 3 and a half minutes trying to educate users on how to have more secure access and at the end of the day they are telling us to fold up a piece of paper with codes on it and stick it in our wallets.  Come on guys...that's a FAIL (and embarrassing considering it's 2012).  Elon Musk just launched a viable space program and an electric car into production weeks apart, and you are telling me that a folded piece of paper in my wallet is Google's best suggestion for security?!?  That is not a serious response to a real problem.

Let's face it...   Security blows...  from that farce Macrovision/Rovi to that borderline fraud Symantec to even simple authentication techniques such as what you have described above.

Take the online storage market for instance (e.g. Google Drive, Dropbox, SugarSync, etc.)...  It makes obvious sense to use such a service, but how can a consumer sign up for such a service when at the end of the day their cherished data/files/etc. are only a lost phone or simple password break away from being accessed?
 
I use 2-factor authentication for Google (gmail) and I use LastPass with 2-factor authentication to manage all my passwords.  I let LastPass generate random 12-character passwords whenever I need a new one.    
 
I just use LastPass to randomize each and every website/service I use... if one gets hacked even with the password, the other 300 are still safe :) 1Password and Keepass are good too, if you prefer the non-cloud method.
Edit: another advantage of a generated password is that you can create passwords with all the demands of that particular service. Some require a max of 16 digits (when possible, I use 20), others only allow letters/numbers, others demand at least one special digit etc... I set them once and never think about them again!
Oh and my master password for LastPass is super strong of course... for that I used +Robert Scoble's method he describes above.
 
LastPass lets you download your passwords in an encrypted file—which you can then store wherever you want—and use LastPass Pocket to decrypt those passwords later. So its cloud-based nature isn't a problem.
For those who don't trust password managers, and can't remember stupidly complex passwords, this isn't a bad solution: http://xkcd.com/936/
 
+John Cregan Actually, having a piece of paper is one of the most secure things you can do. If you lose it accidentally, chances of the person finding it knowing what it represents is low. And deliberately getting a piece of paper off someone's person is incredibly hard. Few things are as secure as your wallet.
 
Lastpass with Google's 2-step verification is a solid solution. All stored passwords are encrypted with a (long) key that only I know, and they are decrypted only on my local device. Lastpass also makes it simple to create complex passwords that are unique to each of your sites.
 
In all of the amazing technology we possess these days, why can't we use voice detection tech? Surely that would be easy, and it wouldn't need to be perfect; it would just have to be able to ascertain if the person on the other line is UNLIKELY to be the account owner. If so, then additional manual verification would take place. This would also serve to alert the normally un-alert customer care rep that hey, this guy might not be who he says he is.
 
+Jeremiah Townsend I give incorrect information when prompted with security questions.. No one says you have to give accurate answers.
 
All my passwords are unique and generated by a password manager (between 12 - 32 characters). I use a strong passphrase for the pwd manager that I change often..
 
I'm not sure why folks here think stronger passwords are the answer to this (everyone recommending 1Password and password managers). Both Matthew Prince and Mathew Honan had very strong passwords. That's not what the issue is.
 
+John Fitzmaurice Yup, that's the way to do it.  I also use a lot of "nots".  For example:  Favourite TV show == Not Cheers
 
+Sriram Krishnan His Apple password was only 7 characters which is unsat for an account that is connected to so much power (credit card and wiping ability).
 
Tiered password system: one unique password for email, a second level password for anything that has to do with credit cards, purchases, or personal data that is not the first, and a third password that is used for forums, boards, chats, general use.
 
Nobody seems to know http://www.RoboForm.com, the original password manager.  I've been using it for many many years (8?).  Auto-sync my encrypted password files via DropBox so all machines are up-to-date.  No password data in the cloud.
 
+Robert Scoble You won't regret it :) My family and I have used it for 2 years now, don't know how I ever survived without it...
 
Someday we'll just round up all the bad people and put them on an island with no power. Then we won't have to worry about passwords.
 
This all reminds me of a scene in the movie, Clear and Present Danger when Harrison Ford’s character Jack Ryan, asks a CIA tech geek to figure out the password to the deputy director’s computer. “Birthday… anniversary… wife’s name…” Ryan rolls his eyes and turns to leave when the tech geek says “Wife’s name backwards… got it!” Ryan turns to his friend and says, “I’ve gotta change my password!”

Those were the good old days!
 
+Robert Scoble LastPass is kinda lazy. :) Managing your own passwords using the system you outlined works vs. relying on an App or a website that COULD go down at any time.
 
+Robert Scoble & +Lamarr Wilson have you tried 2 step verification on Windows mobile? I reviewed a phone a couple months ago and could not log into Facebook or gmail via apps because they did not allow for 2 step verification...
 
For security questions, I have "wrong" answers that I use across all my accounts. For example, for my mother's maiden name, I use a random name that isn't her maiden name. I know that answer though and use it for all my major accounts. 
 
Re #2: Changing your password every two months

This adds almost no security (and possibly reduces it) in this case. When you change a password you're just betting that your old password was about to be compromised and that your new password isn't.

If someone has stolen the old password hashes and gets your old password, using your system it's easy to guess the new password.

I bet there are desks at Rackspace where you can find a post-it with the password written down as constantly changing it makes it way harder to remember. 
 
Most of us will never be specifically targeted, so doing anything at all makes us amazingly more secure. The top 50 passwords are used by a disturbingly large number of people. You don't have to run faster than the bear, just faster than the other picnickers. 
 
Since I don't have any Apple products, I was curious about how iCloud works. I went over to the site and when it asked me to "Download the iCloud Control Panel", I stopped right there. Other than downloading Chrome, I never come across anything like that from Google.
 
+Jeremiah Townsend - You asked if Authenticator had been analysed. It's open source. The concept is that the seed for the mobile Authenticator application is shared once and then used as a seed / shared key on an algorithm that uses timestamps to generate the access codes. Network access is only used to sync the device's clock on demand (a prior version didn't even offer network access).
Such a system, when combined with a strong password is extremely difficult to defeat, provided the shared key stays secret. In effect, if the timestamp is rotated frequently enough, it should approach a one time pad in terms of security.
Such a system was used by CIA field operations teams 30 years ago for secure communications (and may still be in use today, though with better/faster hardware).
It would be non trivial to defeat, provided it is applied as designed.
 
Out of curiosity, +Robert Scoble, would an enterprise iPad or MacBook be vulnerable to the same social engineering via Apple tech support? They use iCloud like everyone else, correct? I would think this is just one more thing that points to Apple lacking a secure operating system. One where calling tech support can get you access to remotely wiping a device.
 
IMHO you're doing it wrong if you have to remember more than one password, and that password is not long with good entropy (20+ chars). FWIW, I use open source keepass (plus variant for ipad), added to dropbox under (svn) version control. Also never had issues with Google's 2 factor authentication, it rocks.
 
The biggest problem with Google's two-factor authentication is the creation of its corresponding app-specific passwords (APS). APS greatly reduces the security of the two-factor system.

To understand what I mean, say someone manages to steal your APS. All he has to do is to use an Android 4 device and log in with your APS. Then launch the Android 4 stock browser and go into your Google account. The browser will be very 'helpful' by logging into your Google account automatically for you.

Now, the hacker can access your Google account!
 
Best explanation of using passwords was done by Steve Gibson. He also did some deep testing of LastPass and recommends it highly. The xkcd post shared above was generated after seeing Steve's post.   https://www.grc.com/haystack.htm
 
+Terence Kam I will concede that ASPs (Application Specific Passwords) are something of a weakness within what Google labels as part of its two factor authentication system. Basically, the user is relying on the application to appropriately store and protect those long passwords.

On the other hand, those ASPs may be revoked at any time (I actually changed out a batch earlier this month) and so, as soon as you noticed the device upon which one was stored was missing, you could revoke the password. Also, the use of ASPs are not mandatory (though I will concede that in practice, for some applications, they might as well be).

Barring an improvement on the usability side (the introduction of an open source library on Google's part, perhaps, that incorporates the entry of the verification code for applications like Thunderbird, etc) I would suggest that Google find some way of tagging those passwords to specific MAC addresses or device IDs (or perhaps even application IDs). The window would be closed a bit further, but not all the way.

Ideally, all applications would be two factor authentication compatible but until a) doing that is reasonably inexpensive and b) client applications developers take security seriously, it won't happen.

Security is a balance and as someone pointed out either in this thread or another that I read, these days, at the civilian, consumer level (in most cases) it's only necessary to be more secure than the next person over. If you're being specifically targeted, by a large multinational company or a state security agency operating at the national level, there's not too much you can do about that, anyway. 
 
+Tyr nan Noght - Google's implementation of two factor authentication is pretty straightforward. OpenID (which Google, Facebook and many others implement) is a good solution for folks who don't want to have several different passwords across multiple services.

As for using any form of two factor authentication and people with limited technical inclination, as was the case 30 years ago, computer literacy is an evolving standard. If entering a password and a six digit numeric code is too much for folks to do, then there's not a whole lot - at the moment - I or anyone else can do to help them.

The best I can say, as someone who does development, is to wait for better solutions. There are a lot of bright people working on these issues and in particular the idea of seamless authentication. Perhaps a few more years and computers will have keys like cars do.
 
I hope that someone is coming up with some alternatives to password authentication. Passwords are one of those things that basically have not changed over the past 50 years. Decades ago, people used passwords to authenticate. Today, people are still using passwords.

I read that Apple is buying a security firm called Authentec. I hope this acquisition will bring authentication to a whole new level.
 
+Tyr nan Noght - I would suggest that your grandfather wait a bit, or perhaps have you manage his passwords? But seriously.... If the account is of no importance, then the security would naturally reflect that.

+Terence Kam - Not Apple bashing here, but hopefully any innovation the Apple people come up with respect to authentication they would not keep entirely to themselves (i.e. with a patent, for example). And there are plenty of alternate forms of strong authentication, particularly in the biometric area...But there are no good standards to allow interoperation between methods and hardware (or good, universal libraries)...At least that I'm aware of today (but I haven't looked in a while).
 
+Matt Harmon Unfortunately, I expect Apple to keep it to themselves. I hope that they will surprise me by unusual acts of generosity. :-)
 
I think the two step authentication that google has is pretty easy & not a pain at all!  I've used it for awhile now. The bigger pain would be to have all my data wiped, stolen, or accessed by someone else. 
 
+Robert Scoble The most infuriating thing to me about all this is that probably two or so years ago I went through a mess of chat representatives to finally a phone number, to two days later finally getting to someone in Apple's fraud prevention department, and outlined how this EXACT same thing allowed someone into my account...TWICE.

And the hole still exists.

Pathetic.
 
Oh and I ended up going the lastpass route with the AWESOME +YubiKey for my verification, and soon will be using the YubiKey NEO with NFC to eliminate the mobile gap in security.
 
+Robert Scoble haven't got through all comments so I'm not sure if someone said this already: Why convert your pass phrase to a password when the pass phrase is longer? Brute forcing will get the password first and made up pass phrases are not in password dictionaries?
 
Sorry, no '?' intended at the end and I cannot edit my comment from the mobile app (AFAIK).
 
+Pedro J. Pérez - On Android devices, you can long press on the comment and one of the options should be "Edit this comment." (I do it all the time.)
 
Sorry +Robert Scoble, but your method of picking passwords isn't good enough for today's GPUs. Length is more important than complexity. This method http://xkcd.com/936/ recommended by xkcd is way better for people to use. And yes, LastPass is definitely a good product for managing your passwords. It doesn't matter if their servers go down since your passwords are synced locally to your devices. You can never lose access to them as long as you know your master password and have them synced on multiple devices.