There are nude photos of you being posted on a website without your permission! Well, that’s what Jennifer Lawrence (and a host of other celebs) learned yesterday. Poor folks. They never meant for those pictures to be public. And you probably never mean for those personal emails you wrote, or pictures you took, or private Facebook messages you drunk-typed at two in the morning, to be made public either. So I thought I’d write a few posts about how to prevent just that thing from happening. And while I’m at it, I’ll talk about protecting them from failure as well. It’ll probably take me a few posts, but I needed something to blog about.
The first thing I want to talk about is how to keep someone from being able to access your account just because they got ahold of your password. How many stories have you read of someone hacking an entire password database? Passwords are typically sent and stored in an encrypted format, so just because someone hacked blabla.com doesn’t mean your blabla.com password is known — but it could be. (I don’t want to go into details, but suffice it to say that there are a number of scenarios where someone could steal your password without your consent or knowledge, and yes — even if you’re using SSL.) So let’s talk about how to protect your account from being accessed by a “black hat” even if they get access to your password. The secret is something called two-factor authentication, or TFA for short.
If you have an ATM card, you’ve been using TFA for years. It involves pairing something you have (the ATM card) with something you know (your PIN). This is different than how most people access common Internetsites; they use only something they know (e.g. their password). If someone else gets your password, then poof — all bets are off. However, what if your password only worked if it was used on a device that you physically own? In other words, what if your device only worked if it was used on your laptop or mobile phone? Then the black hat would need to steal both your laptop and your mobile phone to get access to your data. And if you were a user of a big site that got hacked, you would probably want to change your password, but at least you would know that you didn’t hacked before you changed it.
Just ask the former owners of codespaces.com if they wished they had used two-factor authentication. If they had, the hacker would not have been able to gain access to their entire infrastructure and destroy their entire company — and the backups of said company — in a few keystrokes. It’s not a perfect system, but it’s better than single-factor authentication.
You won’t like the limits that this places on your digital lifestyle. If you find yourself wanting to access Facebook from a friend’s phone, for example, you won’t be able to do so without jumping through a hoop or two. Security always makes things harder to do; it’s kind of the point. But IMO, TFA is a very minor tradeoff to make in order to help keep your private data private.
Here is a great article on how to enable TFA on several popular Internet services. If it doesn’t cover your favorite service, just google “servicename two-factor authentication.” If your favorite site doesn’t support TFA, then maybe you should find a different site.
Later blog posts will talk about best practices for passwords, encrypting data at rest and in flight, and — of course — backing all this stuff up.