A View from Christopher Mims
Why the Internet Is Fundamentally Less Secure than It Used to Be
Your passwords are stored on more sites than ever—too bad you’ve never bothered to change them.
Your company’s data is only as secure as the weakest security of the most fly-by-night website to which anyone in your organization has ever given their password.
Think about that for a moment: One of your summer interns used the same password on your company intranet as they use on the hacked-together open source message board on which they swap stories with their friends about how awesome it was to do whippets around the campfire at last year’s Bonnaroo.
That’s why leaks of user data and passwords like the kind that are happening with increasing frequency are so devastating – no security system can protect a web application from a user who has the keys required to get in. (Aside: That’s not entirely true; two-factor authentication systems can, but they’re not common.)
One way to make your web identities more secure – there’s no such thing as actually securing them – is simply to acknowledge that there are entire classes of websites for which you should simply pretend that your password is already public. Think of anything short of your bank and your email service provider as compromised-in-advance. (Although even your bank may be compromised already.)
The more often you re-use a password, the less secure that password is. (Unless you’re using a system like 1password, which can generate and remember a new, significantly-more-secure-than-average password for each site.)
That’s why last December I outlined my own system for attempting to keep my logins secure. Since then I’ve simplified it: you need only memorize three passwords. Enforcing this personally can help keep your data secure; making it a company-wide policy to force users to periodically update their accounts with unique, strong passwords is an important part of keeping an entire network secure.
1. All sites other than your email account and anyplace that stores your bank or credit card information get a throwaway password. Facebook, Twitter, the billion other sites that require a login – forget it; they’re toast. Would it kill you to have these accounts hacked? If the answer is no, these are the sites that are among the 97 percent or so of sites you use that will all be secured by the same password.
2. Sites with your credit card or bank information get a unique, secure password that you use on no other sites. Here are some tips on creating a secure password.
3. Your email account gets a totally unique, secure password used on no other sites. God only knows what’s in your Gmail. Enough sensitive data to bury your online life forever. Make sure the only way to ever give an attacker access to this email is by going in the front door – through Google’s security – and not by simply punching in a password they found elsewhere, on a less-secure site. Accessing Gmail with a password that was re-used on other, compromised sites is the most common way that Gmail is “hacked.”
Also: learn how to recognize phishing attacks. This is the other most common way that users give up access to their email accounts.