Today, my dad’s Gmail password was compromised. Google received a login request with his information from Tsentralnyy rayon, Voronezh, Voronezh Oblast, Russia.
This immediately made me think of an article in The Atlantic by James Fallows, a reporter who got a taste of how important password security is when his wife’s Gmail account was hacked. The hacker changed the reporter’s wife’s (Deb’s) password so that she couldn’t log back in, and then the hacker sent an email–from her gmail address–to everyone in her contact list. The email, purportedly from Deb, informed her closest friends and family that she had gone on a quick trip to Madrid, gotten mugged, and was stranded in an embassy without any identification or money. It continued:
I need you to lend me some Money to sort my self out of this predicament, i will pay back once i get this over with because i need to make a last minute flight.
They had no way of knowing how many people fell for this and sent money. If that were the end of the story, it would be tragic. But James writes poignantly about the impact this had beyond the sleepless night answering phone calls and trying to change credit card numbers:
Six years’ worth of correspondence and everything that went with it were gone. All the notes, interviews, recollections, and attached photos from our years of traveling through China. All the correspondence with and about her father in the last years of his life. The planning for our sons’ weddings; the exchanges she’d had with subjects, editors, and readers of her recent book; the accounting information for her projects; the travel arrangements and appointments she had for tomorrow and next week and next month; much of the incidental-expense data for the income-tax return I was about to file—all of this had been erased.
As a result of his experience, Fallows has three suggestions he strongly advises everyone take immediately.
- Start using a password manager like LastPass to generate and store passwords like
- Stop re-using passwords across multiple sites!
- Enable Google’s two-step verification, which will call your phone with a code to enter every time you log in.
At the time I read this article (Oct. 2011) I knew it was good advice, but I wasn’t ready to put in the effort required. I told myself that I would get around to improving my security when I had time. I did make marginal efforts to increase the length of some of my passwords, but I didn’t really get around to it until I received this email:
Hey there Brenton. You have a weird password.
I just thought you wanted to know, You got hacked.
Yeah, that was my actual password. There was also a link to a page on my website that he had created. With a sick feeling I realized that I had re-used this password for my Gmail and my website, and now both were compromised. In fact, this was my "secure" password that I used on my "important" sites that I thought weren't likely to get hacked. I actually replied to the email and asked the hacker how he did it. He said that I had "signed up to some other website, that was vulnerable to an SQL injection." To this day I'm not sure which account it was that got compromised, but only a week later news broke of the LinkedIn breach. I had a LinkedIn account, and I used that password for it. Was mine one of the 8 million accounts affected? Did I get hacked because I trusted LinkedIn? Or was it my own website that got hacked? Or was it some other site? I don't know. But on that day I stopped re-using passwords. And I enabled Google two-step verification.
I was lucky: my account was compromised by someone just trying to verify that a hack on another site was successful. My dad was lucky too. Google blocked the login from Russia as suspicious. Had the hacker been in California, or used a proxy to make it look like they were in California, I might be wondering why my dad made a quick trip to Madrid.
The First Problem
The first problem of password security isn't bad password strategies, weak tools, or lax site requirements. What we all discovered is that the first problem of password security is apathy. At the conclusion of the Atlantic article, James Fallows was sharing his password safety strategies with a security expert, who remarked "I see that you’ve got it! … The zeal of the convert. People in the business think about the risks all the time, but normal people don’t, until they’ve gotten a taste of the consequences of failure."
If you're like most people, at this point you will say to yourself "man, it would really suck if my account got hacked" and then you won't do anything. Because it isn't real to you. You probably have a number of friends who have had some sort of account hacked, but it still isn't real to you. And it probably won't be real to you until it's too late.
The Second Problem
So what is the second problem of password security? It's this:
That is a password. I went to a movie night at a friend's house and we all watched as she logged into her media streaming service with that password. "Wow, that's a super secure password!" one person said. "I know! I'm kind of paranoid ever since my Facebook account got hacked" she replied. But the truth is that her password is terrible. All numeric-only passwords under 14 digits have already been exhaustively cracked. There is a difference between is "difficult for me" and a password that is "difficult for computers." We tend to think these are the same, and since writing numbers out like that is a pain in the butt, we think we're safe.
The second problem of password security is common sense. Unfortunately, common sense can only take you so far with your password, and at some point, common sense will work against you and make you create a really annoying to type password that is amazingly easy to crack.
The problem is that password security is counter-intuitive, which means that common sense is actually just ignorance. But the good news is that once you've overcome apathy, just a little education goes a long way. If you're willing to, you can secure your sites online, and it takes less effort than shredding all of your mail or covering your PIN pad at the bank ATM. Because common sense is wrong when it says that a secure password is a pain. You can have the best of both worlds: a simple-for-humans password that is also difficult-for-computers. It just takes the willingness to learn.