In case you missed it, former Gizmodo contributor @Mat Honan’s Twitter, email, and iCloud accounts were all hacked a few days ago, leading to @Gizmodo‘s Twitter also being under the hacker’s control. Mat noted on Twitter that while he had originally believed the hackers had guessed or hacked his password, he later found out that they actually called Apple tech support claiming to be him and got his password reset. After that, they used “forgot my password” links on Twitter and other sites to have password reset emails sent to his iCloud email address, which they now controlled. Then they used Find My iPhone to remote-wipe his computer, iPhone, and iPads. He didn’t bother keeping a backup of his computer and lost several years’ worth of data.
I’m going to teach you how to learn from his mistakes and avoid becoming the next Mat Honan.
Cracks are wack
The first line of defense against losing control of your account is a secure password. Some people have really, REALLY bad passwords. They use a pet’s name, or a family member’s name, or a favorite team. Those things are incredibly easy to guess. Other people use common passwords like “1234567890” or “password”. These types of passwords are incredibly insecure and many people will try guessing them first when trying to access your account.
Even if you have what you think is a fairly secure password, you may still be at risk of having your password cracked. Password crackers are pieces of software that systematically guess passwords until they find one that works. It’s kind of like trying every key on the keyring until one unlocks the door.
The thing about password crackers is the longer your password is, and the more random characters you use, the harder it is to guess. Crackers will start guessing short passwords and work their way up to longer ones. Each character you add to your password exponentially increases the amount of time it will take a cracker to break into your account.
But how do you choose a secure password? And how do you remember it later? Personally, I use 1Password (iPhone/iPad, Mac). 1Password is a system that stores your passwords locally on your computer in a file that is locked down with another password.
Here’s how it works. You use the password generator in 1Password to create a super-secure password. They can be up to 50 characters long and contain a customizable number of letters and symbols. These passwords will take forever to crack. Of course, you can’t be expected to memorize several passwords of that length (remember to use a different password for each site, no matter how secure). To help you, 1Password’s database is protected with a master password. This master password can be as short as you want it to be, although choosing a secure password for this is recommended. Of course, DON’T use a password created by the 1Password generator for this. It has to be something you can remember.
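As an added example (not code from the post or from 1Password), here is how a generator of that kind works: characters drawn from the operating system’s CSPRNG with a configurable minimum number of digits and symbols, plus the keyspace arithmetic behind the “each added character multiplies the cracking time” point. The symbol alphabet and the guess rate of 10^10 per second are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Character classes for the generator (an assumption; the post does not
# give 1Password's exact alphabet).
LETTERS = string.ascii_letters
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"
ALPHABET = LETTERS + DIGITS + SYMBOLS  # 52 + 10 + 24 = 86 characters


def generate_password(length=50, min_digits=4, min_symbols=4):
    """Random password of `length` chars from the OS CSPRNG with at least
    `min_digits` digits and `min_symbols` symbols; the rest is any class."""
    if min_digits + min_symbols > length:
        raise ValueError("composition requirements exceed length")
    chars = ([secrets.choice(DIGITS) for _ in range(min_digits)]
             + [secrets.choice(SYMBOLS) for _ in range(min_symbols)])
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(chars))]
    # Fisher-Yates shuffle with the CSPRNG so the required digits and
    # symbols do not sit at a predictable position in the result.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def composition(pw):
    """(letters, digits, symbols) counts, so a policy can be verified."""
    return (sum(c in LETTERS for c in pw), sum(c in DIGITS for c in pw),
            sum(c in SYMBOLS for c in pw))


def keyspace_bits(length, alphabet_size):
    """Entropy in bits of a uniformly random string: log2(size ** length)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(length, alphabet_size, guesses_per_second=1e10):
    """Worst-case years to try every string of exactly this length at the
    assumed guess rate (1e10/s is illustrative, not a figure from the post)."""
    seconds = alphabet_size ** length / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def crack_time_table(alphabet_size, lengths=(6, 8, 10, 12, 50)):
    """Rows of (length, bits, years): each extra character multiplies the
    worst-case time by alphabet_size, which is the exponential growth."""
    return [(n, round(keyspace_bits(n, alphabet_size), 1),
             years_to_exhaust(n, alphabet_size)) for n in lengths]


if __name__ == "__main__":
    print(generate_password())
    for row in crack_time_table(len(ALPHABET)):
        print("len %2d  %6.1f bits  %.3g years" % row)
```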
Then whenever you need to login to a website, use the 1Password plugin for your browser. You type your master password into the browser extension and it automatically inserts your super-secure password and username into the website for you. That means you can have a secure password on the server that’s hard to crack while using just the master password to login. This helps protect against cracking software and keeps your data secure.
Remember one thing, though: just because your password is secure doesn’t mean the server is secure. Hackers can still break into the server and steal a database of passwords. If that happens, they’ll have your super-secure password. That’s why it’s important to use a different password for each website, and to change them as soon as you learn of a breach. It’s recommended that you change your password every few weeks for additional security.
Also remember that protecting your iCloud account with a secure password usually means your iTunes and App Store accounts have the same password. While it can be annoying to have to copy and paste your secure password from the 1Password app into iTunes or the iOS App Store, the security is worth the trouble.
Dishonesty is the best policy
Now we only have one problem. If someone wants to gain access to your account, they could always just answer your security questions and reset your password. Some sites don’t require you to have access to your email account to reset your password, meaning even if the hacker can’t get into your email, they can still get into other accounts.
This is exactly what happened to Mat Honan. The hackers contacted Apple support, pretended to be him, correctly answered all of his security questions, and had Apple reset his password. How do you avoid this? It’s not as hard as you may think.
First let’s look at some common security questions:
• What was the name of your first pet?
• Who was your favorite teacher?
• What city was your mother born in?
• What is your mother’s maiden name?
• What street did you grow up on?
• Who is your favorite musician?
What do you notice about these questions? They’re all pretty easy. In fact, just about anyone could answer some of these questions! Your first pet? I bet anyone who’s ever been to your house could answer that. Favorite teacher? You’ve probably mentioned them a few times. Mother’s maiden name? Anyone who has ever heard your grandparents’ full names could figure that out! These are not secure questions! No wonder poor Mat’s account was compromised!
The solution to this little security issue is simple though.
Did you know my mother was born in the town of Colt M1911? I bet you also didn’t know that my favorite teacher was named Polywag!
Do those answers make sense? No. Colt M1911 is a handgun, and Polywag is a Pokémon. My mother was not born in a handgun and I was never educated by a Pokémon. But you’d never, ever guess those as the answers to my security questions, would you?
See, the thing about security questions is the site will never know if you’re being honest. As long as you know the answer they’re expecting, it can be anything you want. Of course, the trick is remembering the answers.
Make sure that the answers aren’t easy to guess. Don’t use your favorite teacher’s name as your first pet’s name. Don’t use anything meaningful to you at all. Someone can guess all of those.
You can use something close to a meaningful item, though. For example, grab a map and find your mother’s birthplace. Now go two towns west and four north. The town you land on is your first pet’s name. If you’re afraid you’ll forget that location, simply remember that you started at your mother’s birthplace (or wherever you started) and then write down “two west, four north” on a piece of paper. Of course, this works best if you start from a city no one would think of, rather than your mother’s birthplace.
If Mat Honan had used fake answers to his security questions on his Apple ID, his account would likely have never been compromised.
Be very careful logging into any website from a public computer, or any computer that isn’t yours. Hackers can install a piece of software called a keylogger onto a public computer. This software records each keypress and sends them to the hacker. That means when you type in your password, the hacker can see what you just typed, and now has access to your account. If you need to access a web service in public, it’s usually a safer bet to use your smartphone rather than a public computer.
Also watch out for free Wi-Fi in public. While it may seem like a great offer, it could be a network created or monitored by people intercepting network traffic and hijacking session cookies. Basically that means any website you log into they would automatically be logged into as well (there are exceptions to this, but I won’t get into them here, since my point is to be on your guard).
Free Wi-Fi and public computers are like free candy from a stranger. They may seem fairly harmless, but as soon as you let your guard down, they’re going to shove you into a white van with no windows and drive right out of the state, and you’ll never be heard from again. Or they might steal your Twitter password. Or your banking information. Don’t take the bait.
Some people are now switching to other email services besides iCloud, enabling two-step authentication on their Google accounts, and criticizing Apple for what happened to Mat Honan. The fact is, there’s nothing Apple could have—or should have—done differently. The hacker identified himself as Mat and correctly answered Mat’s security questions using answers Mat himself chose. Mat was the one who didn’t keep a backup of his computer. The only person to blame here is Mat, unfortunately. I believe even he realizes that now.
Moving away from iCloud doesn’t really solve anything, and while two-step authentication is a great security feature, it doesn’t do much to stop what happened to Mat. You can’t rely on a system to protect you because systems can be compromised. The only way to make sure you stay safe is to be smart, be cautious, and be safe. Keep backups of your computer. Make sure you always use a secure password. Falsify your security answers.
Being on the Internet doesn’t have to be a scary thing. Many people will go their whole lives without ever being hacked. But like any other activity, going online does pose some risks. No matter how unlikely you think it is that you’ll ever be targeted, you should take steps to protect yourself and your information. The bad guys don’t go after people who are prepared for them. Be prepared.