Strong Passwords Aren't Enough: How To Ensure Exploits Never Happen To You

Former Gizmodo writer Mat Honan lived every tech geek's worst nightmare when he got hacked last weekend. His main accounts were taken over and his computers were wiped, with no backup. The scary part is that no password cracking was involved: all it took was a few support calls to Apple and Amazon, and nearly all of his most important accounts fell one after another. Here's everything you need to do now to keep this from happening to you.

What Happened

The person who hacked Mat's accounts didn't need to crack any passwords to get in. Instead, he used social engineering, talking both Apple tech support and Amazon into treating him as Mat (something that's easier than you might imagine). Apple would reset an Apple ID over the phone given only a billing address, an email address and the last four digits of a credit card on file; the billing address was public through Mat's domain registration, and the last four digits came from Amazon, whose support process could be manipulated into exposing the cards on an account. Once the hacker controlled Mat's iCloud account, he also held the recovery address for Mat's Gmail, so a routine password reset handed him that account and everything chained to it, and Find My iPhone and Find My Mac let him remotely wipe Mat's iPhone, iPad and Mac, setting a PIN that kept Mat from recovering any of that data.

What happened to Mat was awful, but we should all take it as a cautionary tale: set up good security and backups, and take the known weaknesses of services like iCloud into account when deciding what to connect to them. Here's what you should do right now to protect yourself from a similar incident.

Audit Your Insecure Services (Like iCloud)

The biggest problem in Mat's breach was that weak identity checks at Apple and Amazon let the intruder straight into his accounts. In his Wired piece on the hack, Mat details some of the things you can do to limit the damage from a similar issue with iCloud. Namely, use a separate Apple ID for iCloud rather than one tied to your other accounts, turn off remote wipe (Find My Mac) on computers that don't need it, and don't attach your home address to anything public, like the registration record for your personal domain name.

Takeaway lesson: Some services, like iCloud, don't have the security features they should have. As such, don't give them more power than they need (remote wipe is the feature that destroyed Mat's data), and don't connect them to your important accounts like Gmail, for instance as a recovery address. One weak link in the chain can bring everything crashing down.

Use Strong, Separate Passwords for Every Account

While it may not have helped Mat, everyone should still have a good password system set up. We've shown you how easy it is to crack a weak password, and if you use the same one everywhere, or easy-to-guess variations of it, one leaked site database compromises all of your accounts. Remembering 100 different passwords can seem tough, but it's fine if you don't know them off the top of your head; in fact, it's more secure. Use a tool like LastPass (or one of these alternatives) to keep long, random passwords available on all of your machines. For the few you do have to type from memory, such as the password to the manager itself, a passphrase of several randomly chosen words is both easier to remember and harder to guess than a short string of symbols, as long as the words are picked at random rather than taken from a quote or song lyric.
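To put numbers on the passphrase claim above, here is an added example (not from the original article or from LastPass) that generates a passphrase with a cryptographic random source and compares its entropy with that of a short "complex" password. The word list in the block is a constructed sample of twelve words; a real list such as Diceware has 7776 entries, which is the size the comparison assumes. The guesses-per-second figure is an assumption for illustration, not a measurement of any particular cracking rig.

```python
# Added example: why a multi-word passphrase beats a short "complex" password.
# Not from the original article; the word list is constructed and tiny, so the generator
# only illustrates the method. Real use needs a published list (e.g. 7776 Diceware words).
import math
import secrets
from typing import Sequence

# Constructed sample word list (assumption: a real list has thousands of entries).
SAMPLE_WORDS = ["anchor", "blanket", "cobalt", "drizzle", "ember", "falcon",
                "granite", "harbor", "island", "juniper", "kestrel", "lantern"]

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a secret chosen uniformly at random: `length` symbols from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def generate_passphrase(words: Sequence[str], n_words: int) -> str:
    """Pick n_words uniformly at random with the CSPRNG in `secrets`.
    Never use random.choice for secrets: it is seeded from time and is predictable."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every possibility at the given guess rate (an assumed figure)."""
    return (2.0 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def compare(n_words: int = 6, wordlist_size: int = 7776,
            pw_length: int = 8, alphabet: int = 94) -> dict:
    """Entropy of an n-word passphrase vs. a pw_length password over printable ASCII (94 symbols)."""
    return {
        "passphrase_bits": round(entropy_bits(wordlist_size, n_words), 1),
        "password_bits": round(entropy_bits(alphabet, pw_length), 1),
    }


if __name__ == "__main__":
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS, 6))
    print(compare())
    rate = 1e10  # assumed offline guesses per second against a fast hash
    print("8-char password, years:", years_to_exhaust(entropy_bits(94, 8), rate))
    print("6-word passphrase, years:", years_to_exhaust(entropy_bits(7776, 6), rate))
```

The point the numbers make: six random words from a 7776-word list carry about 77 bits, against about 52 bits for eight random printable characters, and every extra word adds almost 13 bits. The arithmetic only holds if the words are chosen by the random source, which is why the generator uses `secrets` and why a favourite quote does not count.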

Takeaway lesson: If you haven't updated your passwords in a while, take some time to audit them now, change every reused or short one, and get it all done in one fell swoop.

Enable Two-Factor Authentication to Ensure No One Gets In

Mat's passwords weren't "hacked" in the traditional sense of the word, so strong passwords alone would not have saved him. Two-factor authentication on his Google account would have broken the chain, though: the attacker reached Gmail by requesting a password reset to the iCloud address he already controlled, and a second factor stops exactly that. Two-factor auth requires something you know (your password) and something you have (your phone), so an intruder who types in your password, or resets it, isn't let in without a code sent to or generated by your phone, which only you have. It is not a cure-all: it would not have protected the iCloud account itself, where a support rep reset the password over the phone and never went near the login screen.

Takeaway lesson: Set up two-factor authentication on every account that offers it, like Google, Facebook and other high-profile services. It's one of the best protections against anyone who has learned, guessed or reset your password.

Strengthen Your Password Recovery Options

Even if your passwords are different across all services, you're done for if a hacker gets into your email. With access to your inbox, they can reset your password on any other service, which is why you should consider using a non-primary email address for password resets and other recovery options. Setting up a Gmail or Outlook account is free, and you can have as many as you want, so create a new address and change all your recovery options to point to that mailbox instead. Give it a strong, unique password and two-factor authentication of its own, and don't use it for anything else; a recovery address only helps if it is hard to find and hard to take over. If someone ever gets into your main email, you'll be glad you did.

You should also make sure your security questions aren't easy for someone to answer. Anyone can figure out your pet's name or high school mascot from a social network or a public record, so those won't keep you safe. The answer doesn't have to be true, so treat it as a second password: add extra words, pick out key words in the question, shift your hand on the keyboard, or simply use a random string and store it in your password manager next to the account. That way, they'll truly become questions only you know how to answer.

Takeaway lesson: One of your biggest security flaws is probably in your password recovery method. Make sure your security questions can't be answered from public information, and that your password resets go to a separate account used only for resets.

Back Up Your Data

By far the worst part of Mat's breach was that he didn't have any of his data backed up. He lost a year and a half worth of photos, emails and documents when his Mac was wiped, with no way to get it back. You've heard us say it a billion times, but if you haven't started backing up your data, let this be a wake-up call: data loss can happen at any time for any reason, and you don't want to be kicking yourself down the road. Take 30 minutes and set up a program like CrashPlan, our favorite backup app for Windows, Mac and Linux. When you're done, you can set it and forget it, and you'll have that backup in case anything ever goes wrong. Two caveats: a copy that the same account or device can wipe goes down with the original, so keep at least one copy that an attacker holding your password can't reach; and a backup you have never restored from is only a hope, so check every so often that the files are actually there.

If you don't back up to the cloud (or you want a local backup as well), check out these recommendations from our friends at the Wirecutter. They have picks for external drives, cheap network drives and full NAS solutions for all your home backup needs.

Takeaway lesson: Seriously, guys, back up your data. It only takes a few minutes to set up, and it'll make sure you never lose your most important files. Then test that you can actually restore from it.
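The "check that the files are actually there" advice is easy to state and rarely done, so here is an added example (not from the original article and unrelated to CrashPlan or any other product) of a verifiable snapshot: copy a directory, record a checksum per file, and later re-hash the copy to prove it is complete and intact. Everything it touches is constructed inside a temporary directory, including the sample "photos" and "taxes" files, so it runs offline; the date label is an assumption for illustration. The walk-through at the end shows a fresh copy passing, the copy surviving a wipe of the original, a silently corrupted copy failing, and an empty backup folder failing, the last being the "external drive with nothing on it" failure.

```python
# Added example: a verifiable snapshot of a directory plus a restore check.
# Not from the original article or any backup product; all paths and files are constructed
# under a temporary directory so the script runs offline.
import hashlib
import json
import os
import shutil
import tempfile


def _sha256(path: str) -> str:
    """Hash a file in chunks so large photos and mailboxes do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_snapshot(src: str, dest_root: str, label: str) -> str:
    """Copy src into dest_root/label and write MANIFEST.json mapping each file to its sha256.
    A full copy means a later wipe of src (or of the whole laptop) cannot reach the snapshot."""
    snap = os.path.join(dest_root, label)
    shutil.copytree(src, snap)
    manifest = {}
    for root, _dirs, files in os.walk(snap):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, snap)] = _sha256(full)
    with open(os.path.join(snap, "MANIFEST.json"), "w") as f:
        json.dump(manifest, f, sort_keys=True)
    return snap


def verify_snapshot(snap: str) -> bool:
    """Re-hash every listed file and compare with the manifest.
    A missing or empty manifest fails: a backup that never ran is not a backup."""
    mpath = os.path.join(snap, "MANIFEST.json")
    if not os.path.isfile(mpath):
        return False
    with open(mpath) as f:
        manifest = json.load(f)
    if not manifest:
        return False
    for rel, digest in manifest.items():
        full = os.path.join(snap, rel)
        if not os.path.isfile(full) or _sha256(full) != digest:
            return False
    return True


def demo() -> tuple:
    """Constructed walk-through; returns the four verification results in order."""
    work = tempfile.mkdtemp()
    try:
        src = os.path.join(work, "src")
        os.makedirs(os.path.join(src, "photos"))
        with open(os.path.join(src, "taxes.txt"), "w") as f:
            f.write("tax return 2011 (constructed sample)\n")
        with open(os.path.join(src, "photos", "img001.jpg"), "wb") as f:
            f.write(b"\xff\xd8 constructed jpeg bytes")
        snap = make_snapshot(src, os.path.join(work, "backups"), "2012-08-07")
        fresh_ok = verify_snapshot(snap)
        shutil.rmtree(src)                          # the laptop gets wiped
        after_wipe_ok = verify_snapshot(snap)       # the snapshot is unaffected
        with open(os.path.join(snap, "taxes.txt"), "a") as f:
            f.write("x")                            # silent corruption of the copy
        corrupt_ok = verify_snapshot(snap)
        empty = os.path.join(work, "backups", "never-ran")
        os.makedirs(empty)                          # the drive nobody ever wrote to
        empty_ok = verify_snapshot(empty)
        return (fresh_ok, after_wipe_ok, corrupt_ok, empty_ok)
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    print("fresh, after wipe, corrupted, empty:", demo())
```

The manifest lives inside the snapshot, so a snapshot on a drive that is only plugged in for the copy (or on a machine the attacker's credentials don't reach) can be checked on its own, long after the original is gone. Real tools do this with their own catalogs; the value of writing it out is seeing that "verified" means re-reading every byte, not glancing at a folder that looks full.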


Comments

    This [almost] same story is constantly repeated, and it is always followed up with the same advice [see above]. How many people will heed this advice is very questionable - maybe 5%. It's not until they fall victim to a breach that they will realise the error of their ways. Security is a process, not a product, but most people find that it is just too much trouble - separate [strong] passwords and backing up are just not in their vocabulary. If "I didn't think it would happen to me" was a Facebook page it would have many sadder, but wiser followers.

      The number of times I have had people come to me with busted laptops etc. pleading for their data back, only to have me tell them it's too late... One really unfortunate time was a lady at work who got her laptop stolen and she thought she had it all saved onto an external HDD, but when I plugged it in the HDD was empty except for the bloatware that came with the HDD.

        Let me guess: the external HDD had a 'quick backup' button, so she was just pressing that without realising she first needed to install software on the PC?

        Those buttons probably caused as much data loss as they prevented.

    Don't settle for anything less than two-factor authentication. I have two-step authentication on my email and I like the extra security it offers. You just telesign into your account and it's good to go. I'm hoping that more companies start to offer this awesome functionality. In reality this should be a prerequisite to any system that wants to promote itself as being secure. I feel suspicious when I am not asked to telesign into my account by way of 2FA; it just feels as if they are not offering me enough protection.

    Comodo Internet Premium goes ballistic when you start to install KeePass, doesn't recommend it at all!

    when are we going to get biometric logins for the important stuff (banking etc)? I am quite happy to surrender my fingerprint for the extra security. (please don't give me some BS telling me how easy it is to defeat, unless you personally have done it.)
