Matt’s horror tale of being hacked and losing a massive amount of data has reminded me once again to review my security procedures. Both at work and privately, online systems for which I have access have been breached recently and although nothing catastrophic has happened to any of the websites I maintain, or to any of my personal information, I have stepped up my password procedures.
The first step is an easy one: if you’re using a system which allows for a two-stage authentication – such as the one documented here for Google (Gmail, Drive etc.) – turn it on. If you use Google’s services with any regularity, then you’ll be amazed to realise just how much personal data you make available there. Just think how much information you send and receive via email: be it your billing address, personal information such as birthdays, or even the order confirmation emails you receive which sometimes (insecurely) quote the last four digits of your credit card number.
Secondly, don’t use Cloud services to store your passwords in unencoded format. If a hacker breaks just the password for your Cloud service, then he has access to all of your secure information and to all of the services you use online… and even offline.
Remember the film “Ghost“? In that film – even back in 1990 – the lead male protagonist has a little printed book of special codes to access highly sensitive information. This is a precursor to the modern technique employed by (for example) Swiss banks, whereby the regular username and password are extended by a third level of security: a printed list of extra security codes, without which even knowing both password and username for a system is still pointless. Without the knowledge of how to use the codes, the list is useless. Without the list of codes, the username and password combination doesn’t get you access to the system.
I’ve added this technique to my password procedure; many of the systems I now control have new passwords, which are formed of complex, randomly-generated codes stored digitally. They’re then extended by a written list of codes kept separately, which are also generated randomly and equally complex. Without any written or stored cross-reference between the two, there is no way that anyone can match the two lists together to get the actual 16 digit mixed passwords, and codes for systems which are critically sensitive even have more complex 24-digit passwords. More typing, for sure, but a very secure system.