Okay, so maybe you’re not an attractive celebrity who has to worry about your cloud storage account being targeted and compromised, and about those naughty selfies you took being exposed to a voyeuristic public. Apple has since informed us that based on their investigations, these particular accounts were compromised by “a very targeted attack on user names, passwords and security questions, a practice that has become all too common.” Setting aside all opinions about whether capturing those kinds of images in the first place is a good idea, and whether perpetual privacy of anything we store or post in the cloud is a reasonable expectation, let’s use this high-profile case as yet another reminder that we need to be smarter about our online passwords.
On second thought, we’ve all read about best practices for passwords so many times already – perhaps we’ve all become a bit numb to the topic. So instead, let’s try turning this around – see my ongoing series of “Screwtape Security” blogs for background – and highlight four ways you can be a dum-dum about your online passwords.
Without question, we need to choose passwords that are easy for us to remember. So why not just use “123456”, “qwerty”, or “password”?
Here are the top 30 passwords from when LinkedIn was breached, a couple of years ago. Whether you are inclined towards the positive (god, angel, love, jesus, iloveyou, princess), the negative (dragon, killer, devil), sports (michael, jordan, soccer), the numeric (1245, 12345, 123456, 654321, 1234567), the vulgar (f*, b*, d*), or the site-related (link, work, job, connect, career) … there are plenty of popular choices you can make.
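The defensive counterpart to that list is a password check that refuses anything on it, including the dressed-up variants (capital letter, leet substitutions, a trailing "1!") that people use to sneak a dictionary word past a complexity rule. The following is an added example, not code from the original post; the denylist is a constructed subset of the passwords quoted above, the site term "linkedin" and the twelve-character minimum are assumed, and the leet substitution table is a simplification.

```python
import re

# Constructed denylist: a subset of the frequently chosen passwords the post
# quotes from the LinkedIn breach. A real deployment would load a much larger
# breach-derived list (assumption: any such list fits this interface).
COMMON_PASSWORDS = {
    "123456", "12345", "1234567", "654321", "password", "qwerty",
    "god", "angel", "love", "jesus", "iloveyou", "princess",
    "dragon", "killer", "devil", "michael", "jordan", "soccer",
    "link", "work", "job", "connect", "career",
}

# Common character substitutions used to dress up a dictionary word (assumed table).
LEET = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def normalize(password):
    """Reduce a candidate to the dictionary word it is probably built on.

    Case is folded, a trailing run of digits/punctuation (the usual
    'Password1!' suffix) is dropped, and leet substitutions are undone.
    Purely numeric candidates such as '123456' are compared as-is.
    """
    lowered = password.lower()
    stripped = re.sub(r"[\d!?.]+$", "", lowered)
    return stripped.translate(LEET) if stripped else lowered


def check_password(password, site_terms=("linkedin",), min_length=12):
    """Return the list of reasons a password should be rejected (empty list = accept)."""
    reasons = []
    if len(password) < min_length:
        reasons.append("too short")
    core = normalize(password)
    if core in COMMON_PASSWORDS:
        reasons.append("matches breach list")
    if any(term in core for term in site_terms):
        reasons.append("contains site name")
    return reasons


if __name__ == "__main__":
    for candidate in ("123456", "P@ssw0rd1!", "ILoveYou2014!",
                      "MyLinkedIn2015pw", "correct-horse-battery-staple"):
        print(f"{candidate!r}: {check_password(candidate) or 'accepted'}")
```

The normalization step is what makes the check worth having: comparing the raw string against the list would accept "P@ssw0rd1!" and "ILoveYou2014!", both of which collapse to entries in the list once the suffix and substitutions are undone.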
If you’re like most people, you probably have a hard time remembering how many different online accounts you actually have, let alone remembering a unique password for every one of them. Why go through all that hassle – why not just use the same password for every account?
Sure, that means that if your password for one account is compromised, you will be vulnerable at every other account – but hey, how likely is it really that attackers would try the same credentials at other sites, as they did in the breach at Club Nintendo?
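What the Club Nintendo case looks like from the site operator’s side is a single source trying a list of leaked username/password pairs against many different accounts in quick succession, with a handful of successes where the victim reused a password. The following added example (not code from the original post) runs that detection over a constructed authentication log; the line layout, the 60-second window and the five-distinct-accounts threshold are all assumptions to be tuned to a real environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data). Three sources:
# 203.0.113.5 walks through six different accounts in a few seconds and gets
# one hit; 198.51.100.7 hammers a single account; 192.0.2.9 is a normal login.
SAMPLE_LOG = """\
2014-09-03T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2014-09-03T10:00:02Z src=203.0.113.5 user=bob result=FAIL
2014-09-03T10:00:03Z src=203.0.113.5 user=carol result=FAIL
2014-09-03T10:00:04Z src=203.0.113.5 user=dave result=FAIL
2014-09-03T10:00:05Z src=203.0.113.5 user=erin result=FAIL
2014-09-03T10:00:06Z src=203.0.113.5 user=frank result=OK
2014-09-03T10:01:00Z src=198.51.100.7 user=carol result=FAIL
2014-09-03T10:01:01Z src=198.51.100.7 user=carol result=FAIL
2014-09-03T10:01:02Z src=198.51.100.7 user=carol result=FAIL
2014-09-03T10:01:03Z src=198.51.100.7 user=carol result=FAIL
2014-09-03T10:01:04Z src=198.51.100.7 user=carol result=FAIL
2014-09-03T10:01:05Z src=198.51.100.7 user=carol result=FAIL
this line is not an auth event and is skipped
2014-09-03T10:02:00Z src=192.0.2.9 user=grace result=OK
"""

# Assumed line layout; adapt the pattern to the real log format.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_event(line):
    """Return a dict for a well-formed auth line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_stuffing(lines, window=timedelta(seconds=60), min_users=5):
    """Flag sources that try at least `min_users` distinct accounts within `window`.

    Returns {src: {"distinct_users", "failures", "compromised"}} describing the
    densest window per flagged source; "compromised" lists the accounts that
    source logged into successfully, i.e. the ones to reset first.
    """
    events = [ev for ev in map(parse_event, lines) if ev is not None]
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_src[ev["src"]].append(ev)

    alerts = {}
    for src, evs in by_src.items():
        start, best = 0, None
        for end, ev in enumerate(evs):
            # Slide the window start forward until it spans at most `window`.
            while ev["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e["user"] for e in span}
            if len(users) >= min_users and (best is None or len(users) > best["distinct_users"]):
                best = {
                    "distinct_users": len(users),
                    "failures": sum(e["result"] == "FAIL" for e in span),
                    "compromised": sorted({e["user"] for e in span if e["result"] == "OK"}),
                }
        if best is not None:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    for src, info in detect_stuffing(SAMPLE_LOG.splitlines()).items():
        print(src, info)
```

Keying on distinct accounts per source rather than on failure count is deliberate: the source that retries one account six times is a different problem (handled by per-account lockout or throttling) and is not flagged here, while the stuffing source is flagged even though it succeeded once, and that success is exactly the account the defender needs to reset.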
You’ve been using “Smoke17” as your password – your own little personal homage to your blazing speed and your uniform number in fast-pitch softball – for the last 30 years. If something’s not broken, why fix it? It’s not like anyone would be able to learn those bits of information about you, over all that time.
If the online account forces you to change your password, just settle on a couple of favorites and rotate back-and-forth between them as required.
Most accounts today provide us with the convenience of self-service password resets, based on knowing the answers to “security questions” … and who could possibly know or discover information such as the name of your first school, your mother’s maiden name, your father’s middle name, or the make and model of your first car?
This way, as long as you have access to your email account, you can just answer these questions to receive an email with a new password for all of your other online accounts. Just make sure that you keep your email account password simple and easy to remember, and you’ll be all set!
We could go on, but that’s more than enough for busy non-celebrities like ourselves to handle at one time. Recommendations by Apple and others are just so tedious, and we have a lot of selfies to post and important thoughts to Tweet. Besides, these are the types of things that only happen to other people.
For more on the topic of IT security, read the Aberdeen report Insider Threat: Three Activities to Worry About, Five Ways They’re Allowed to Happen – and What Enterprises Can Do About It