Twitter breach of security is a lesson to us all

July 21st, 2009 → 9:30 am @ Stuart // No Comments

Recently a story hit the news of a breach of security at Twitter – a hacker going by the name of ‘Hacker Croll’ managed to gain access to the Google Mail account of a Twitter employee and from there into a lot of other online accounts, gaining access to hundreds of confidential company documents.

Now that the dust has settled on the attack, I think it brings an important message to light – just how secure is all of the information we entrust to online services such as Google Mail, Google Apps and, of course, social networking sites such as Facebook and MySpace?

Of course, we already know that we should use a different password for each account we use online, but in reality, how many of us actually do that? Creating secure passwords isn’t difficult, of course: there are a range of sites out there that do exactly that for you, such as www.goodpassword.com, and if you use Firefox you can even get a plugin that does it for you, SecurePassword Generator. The problem, of course, comes in trying to remember them all – and this is the reason so many people just end up using the same password for everything.

To get around this, why not try using a secure password manager to hold all of your information? I personally use the excellent 1Password to secure my information on my Mac and across to my iPhone, but if you’re on Windows there are some great alternatives such as the open-source KeePass. Both of these tools (and many others) allow you to secure all of your security information such as usernames, passwords and other private data while still keeping it very much to hand. There’s really no reason to resort to the one-password-for-everything route.

Of course, this is only part of the problem. The main cause of the security breach at Twitter was that the employee concerned had used a Hotmail account as his ‘secondary’ email account – the account to which Google Mail sends password reminders if you get locked out of your mail account. In this case, due to Hotmail’s policy of removing accounts after several months of inactivity, the hacker was able to guess the employee’s Hotmail address, discover that it had in fact been removed, and simply set it up as a new account again. Once he’d done that it was a simple case of sending the Google Mail password reminder to this account and he was in. Frightening, eh?
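The weak link above is a password-reset address that its provider may already have released for re-registration. As an added example (not code from the post), here is a small audit that follows each account's reset chain and flags the first address an outsider could take over; the domains, dormancy period, accounts and dates are all constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional

@dataclass
class Account:
    address: str
    last_login: date
    recovery: Optional[str] = None  # address that receives password reminders

# Assumed per-domain policy: days of inactivity after which an address may be
# released for re-registration. Placeholder domain and value, not a real policy.
RECYCLE_AFTER_DAYS = {"hotmail.example": 270}

def is_reclaimable(acct: Account, today: date) -> bool:
    """True if the provider could already have released this address."""
    limit = RECYCLE_AFTER_DAYS.get(acct.address.rsplit("@", 1)[-1])
    return limit is not None and (today - acct.last_login).days >= limit

def weak_link(accounts: Dict[str, Account], start: str, today: date) -> Optional[str]:
    """Follow the reset chain from `start`; return the first address an outsider
    could take over (reclaimable, or not in our inventory at all), else None."""
    seen, current = set(), start
    while current is not None and current not in seen:  # `seen` stops reset loops
        seen.add(current)
        acct = accounts.get(current)
        if acct is None or is_reclaimable(acct, today):
            return current
        current = acct.recovery
    return None

def audit(accounts: Dict[str, Account], today: date) -> Dict[str, str]:
    """Map each account to the weak address in its reset chain, if any."""
    return {a: w for a in accounts if (w := weak_link(accounts, a, today))}

# Constructed sample: Alice's work mailbox resets via a personal address she
# has not touched for over a year; Bob's personal address is still active.
TODAY = date(2009, 7, 21)
SAMPLE = {a.address: a for a in [
    Account("alice@corp-mail.example", TODAY - timedelta(days=1), "alice@hotmail.example"),
    Account("alice@hotmail.example", TODAY - timedelta(days=400)),
    Account("bob@corp-mail.example", TODAY - timedelta(days=2), "bob@hotmail.example"),
    Account("bob@hotmail.example", TODAY - timedelta(days=30)),
]}

if __name__ == "__main__":
    for account, weak in audit(SAMPLE, TODAY).items():
        print(f"{account}: password resets reach reclaimable address {weak}")
```

Running it reports Alice's work account (and the dormant personal address itself) while Bob's chain is sound; a recovery address missing from the inventory is reported too, since nobody is watching its dormancy.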

Personally, I think in this case Hotmail has to shoulder some of the burden. Email accounts are, whether we like it or not, unique entities that we use to authorise a great deal of our online lives. Simply removing these after a period of inactivity and allowing someone else to set them up again is not a good idea at all and should absolutely not be allowed.

But of course, it’s not the only problem. The internet was not created to be used in the way that it now is, and that causes a lot of issues. We will continue to have issues of this nature until we have a single point of authorisation for all our internet activity. While there is some movement toward this (OpenID, for example), even if we did somehow manage to get it used across the web we’d still have an issue similar to ‘using one password for everything’ if someone managed to break into our OpenID account.

So, is there a solution? Well, there is, but it relies upon two things that will most likely never happen.

  1. A single point of authentication should be created, and allowing amendments to this should be strictly controlled. I’m thinking in line with the sort of security used for registering SSL certificates here – multiple points of certification to absolutely ensure beyond reasonable doubt that the person attempting to change details is the person that has the authority over the account.
  2. All internet sites use the above method of authentication.

Not just unlikely – this will absolutely never happen. And even if it did, you still have issues. Unless the organisation responsible for the accounts uses a physical method similar to banks (card reader), you’re still likely to have accounts broken into. And implementing a physical method just makes it more difficult for people to use internet services – there would be a lot of people against that.

So in the meantime, we have to make do as best we can. We must ensure we don’t use the same password or username everywhere, don’t use the same old security questions (and I’m thinking of mother’s maiden name here) and try to secure our data in the best way that we can. Thankfully, as internet use increases, more and more tools appear that enable us to manage the myriad identities we have. We just need to make sure we use them!

Reference material:

TechCrunch article on the Twitter Breach

Cnet News article

and many, many more…
