Mat Honan is a writer for the tech website WIRED, and he got hacked. Hard.
Being hacked always sucks; many people have experienced it with their first e-mail accounts, but in his case it went further than someone sending a few spam e-mails.
The hackers probably used a brute-force attack to get the password for his iCloud account, then reset the password and deleted the confirmation e-mail about the reset.
The backup email address on my Gmail account is that same .mac email address as my iCloud account. At 4:52 PM, they sent a Gmail password recovery email to the .mac account. Two minutes later, an email arrived notifying me that my Google Account password had changed.
5:00 PM, they remote wiped my iPhone
5:01 PM, they remote wiped my iPad
5:05 PM, they remote wiped my MacBook Air.
By wiping his devices, the hackers made sure he had no way of stopping or fighting back against the attack. They also gained access to his Twitter account, which was probably the real target. (Oh, and Honan forgot something most people forget: he hadn’t made a backup of his computer. He lost all his work and photos, including the photos of his little girl growing up; all gone.)
Honan’s password was only 7 characters long; he created it a few years ago, when that was thought safe, but in this day and age it isn’t anymore.
Use better passwords
When’s the last time you changed your passwords? Or looked at all those old services that still use your old and (probably) weak passwords? For most people, the answer is never.
This means you probably still use the password you created when you were ten years old and signed up for your first Hotmail account. It probably also means that your newer passwords are based on that password, or were created in the same way.
If your password is one of the following, it’s pretty easy to crack for someone who wants access to your accounts (translate to your own language):
- Your partner’s, child’s or pet’s name, possibly followed by a 0 or 1.
- 123, 1234 or 123456.
- Your city, college or sports team name.
- Date of birth: yours, your partner’s or your child’s.
If your password isn’t one of these, but is fairly simple and less than 10 characters, think of this:
Password dictionaries are commonly available (if you look for them), as is the software to brute-force access to an account. The biggest limitation is the computing power required, but that costs less than 28 cents per minute for 400,000 passwords a second. This means a hacker can try 24 million passwords in just one minute, for just 28 cents.
A few years ago, people started using symbol substitutions in their passwords: “@” for an “a” and “3” for an “e”. But is this really stopping hackers from finding your password? Probably not.
In the password dictionaries that hackers use, you’ll find plenty of entries like “S0cc3rRul3s” and “0lymp1cG0ld”. Hackers have heard of this trick, so it only adds a few minutes to the cracking process (and just a couple of cents). It’s not what you would call “secure”.
The bottom line is: if your password conforms to a recognisable pattern, it is likely either in a password dictionary or guessable from information that can be found online.
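To make the patterns above concrete, here is a small checker that flags exactly the kinds of passwords this section warns about: digit sequences, a name followed by a digit, a date of birth, and dictionary words hidden behind symbol substitutions. It is an added example, not code from the original post; the names, wordlist and birthday it uses are constructed placeholders, and a real check would use the person’s own details and a full cracking wordlist.

```python
import re
from datetime import date

# Constructed sample data for the demonstration. A real check would load the
# user's own details and an actual cracking wordlist instead of these stubs.
PERSONAL_WORDS = frozenset({"max", "emma", "amsterdam", "ajax"})   # pet, partner, city, team
COMMON_WORDS = frozenset({"soccer", "rules", "olympic", "gold", "password", "welcome"})
WORDLIST = PERSONAL_WORDS | COMMON_WORDS
KNOWN_BIRTHDAYS = (date(1984, 3, 12),)                             # assumed date of birth

# Digit-only spellings of the known birthdays: 12031984, 120384, 03121984, 19840312
DOB_DIGIT_FORMS = {d.strftime(f) for d in KNOWN_BIRTHDAYS
                   for f in ("%d%m%Y", "%d%m%y", "%m%d%Y", "%Y%m%d")}

# Undo the usual symbol substitutions, so "S0cc3rRul3s" becomes "soccerrules"
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "0": "o", "1": "i", "$": "s", "5": "s", "7": "t"})

def unleet(pw: str) -> str:
    return pw.lower().translate(LEET)

def splits_into_words(text: str, words: frozenset) -> bool:
    """True if the text can be cut entirely into entries from the wordlist."""
    if text == "":
        return True
    return any(text[:i] in words and splits_into_words(text[i:], words)
               for i in range(len(text), 0, -1))

def weak_pattern_reasons(pw: str) -> list:
    """Return the recognisable patterns a password matches; an empty list means none found."""
    reasons = []
    if len(pw) < 10:
        reasons.append("shorter than 10 characters")
    if pw.isdigit() and pw in "01234567890":          # 123, 1234, 123456 ...
        reasons.append("digit sequence")
    if re.sub(r"\D", "", pw) in DOB_DIGIT_FORMS:       # 12-03-1984, 12031984 ...
        reasons.append("date of birth")
    core = re.sub(r"\d+$", "", pw.lower())             # Max1 -> max
    if core in PERSONAL_WORDS:
        reasons.append("personal name or place followed by digits")
    elif core and splits_into_words(unleet(core), WORDLIST):
        reasons.append("dictionary words after undoing symbol substitutions")
    return reasons

if __name__ == "__main__":
    for candidate in ("Max1", "123456", "12-03-1984", "S0cc3rRul3s", "0lymp1cG0ld", "Ilw!BImatt"):
        print(f"{candidate:14} -> {weak_pattern_reasons(candidate) or ['no known pattern']}")
```

The two “substituted” examples from the text are caught as plain dictionary words, while the passphrase-derived “Ilw!BImatt” from the tips further down passes every check.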
Don’t reuse your passwords
Just in case it isn’t clear: if your e-mail account gets hacked, that isn’t exactly ideal. But if your credentials (your e-mail address and password) are reused on other sites and services, like your social networks, financial institutions or other (backup) e-mail accounts, it can get really scary really quickly. It could damage your reputation, get you fired from your job, and empty your wallet.
We all reuse usernames (often your username is your e-mail address, so there’s little choice there), which makes it a very simple task to match your username to a password of yours that was already stolen elsewhere. To protect yourself against this, use a totally different password for each and every online service.
Also, remember that your e-mail account is probably the most important account you have. Why? Simple: with access to your e-mail account, hackers will be able to reset almost all of your passwords for all online services. They just have to visit the service, say “I forgot my password” and they’re done. Access granted. This is bad.
Some tips on passwords
So I’ve been rambling on about needing strong passwords, but how do you make one? Here are some tips for making passwords that you can remember but that are still very strong:
- Passwords should be longer than ten characters and include a mix of uppercase, lowercase and special characters.
- Your password should never be a name, a slang word, or any word in the dictionary. It should never include part of your name or your email address.
- Use passphrases instead of passwords. Even if you’re limited on the number of characters you can use, turn a long phrase into a jumbled short one. “I love walnuts! But I’m allergic to them” can become “Ilw!BImatt”.
- To make it easier to remember which password you use for which site, you could use the site’s name or function inside your password; “Damn, I hope nobody sees these awful photos on Facebook!” could be your passphrase for your Facebook account, which becomes “D,IhnstapoFb!”.
- Use a different password for every single site you access.
If you don’t want to (or can’t) remember all of your passwords, there are ways of saving them securely. I’ll talk about those in a bit.
Strong password recovery options are necessary
Even if your passwords are different on all of the services you use, it doesn’t matter if your e-mail is hacked or your recovery options are easy to crack.
The answers to most security questions tend to be fairly easy to find; think of “What is my mother’s maiden name?” or “What was the name of my first pet?”. All of your friends can probably answer these questions, and so can your “Facebook friends”.
So what can you do about this, since we usually have no way of choosing better security questions? Well, the answer is pretty easy actually: just lie.
So what should your answer be? The best answer is a string of random symbols, but it can be anything, as long as it isn’t the truth.
To help you remember
There are many ways to keep track of your passwords: writing them on a piece of paper, saving them in an Excel file, covering your desk with a million post-its, or using a password manager.
Since you have (or at least should have) different passwords for every service and site, and don’t want to reset them every time you visit, you need a way of remembering these passwords. This is where the password manager comes in: it’s a compromise between using a few “simple” passwords you can remember and using many very complex passwords that you will forget.
1Password | iOS & OSX
1Password is a Mac-centric password manager with support for syncing to your iPhone and iPad through the 1Password mobile suite. Not only can you organize and sync passwords, but also software licenses and files—great for storing things like scanned copies of your important documents when traveling. 1Password supports customization of login icons and thumbnails, integration with Evernote and Safari, and a tag-based system for easy login organization. While this is completely irrelevant to the quality of a good password manager insofar as the security of the passwords is concerned, it’s worth noting that 1Password sports the most attractive and polished user interface of any password manager we’ve reviewed.
OSX $39.95, iOS $9.99
LastPass | OSX, Windows, Linux, Mobile
LastPass is one of the newest password managers on the market, but it has quickly gained a following for ease of use, hiccup-free integration across operating systems, browsers and mobile platforms, and an extremely reasonable premium model that costs only $1 a month. Because LastPass is available for every major operating system and phone platform, it’s difficult to imagine a combination of operating system, web browser and phone it doesn’t cover, meaning you’ll use your password manager more. LastPass has gone to extraordinary lengths to cover the bases when it comes to running a web-connected password management service, including two-factor authentication and one-time passwords for those times you want to access your online password database but you’re not sure if the connection you’re on is really secure.
$1 / month
KeePass | OSX, Windows, Linux, Mobile
If you’re extra paranoid about security it’s tough to go wrong with an open-source solution knowing that you (or the concerned community) can pore over the code. KeePass is open-source, free, and available for everything from a portable Windows installation to an implementation for iPhones, PocketPCs, and Android phones. KeePass supports a variety of features including automatic password generation, field and icon customization, secure notes, and login and password entry through clipboard copying, drag and drop, or auto fill-in. KeePass supports a wide range of import and export formats as well as printing for hard copy backup or secure offline storage.
I hope this will help some people who have never thought about this.
I’m waiting for the day our passwords become obsolete.