On April 13th, Deborah Fallows’ Google Mail account was hacked. The intruders sent a panicked note under her name to everyone in her contacts and asked them to wire money to help her leave Spain. That’s annoying. Then they deleted everything in her account. For many of us, that would be devastating.
After the hacking, her husband, the journalist James Fallows, spent months looking into online security. The resulting article, which appeared in last month’s Atlantic, contains a couple of tips that everyone who stores important information online should know: passwords you think are strong are not necessarily strong, and even if they are strong, they’re only as strong as the weakest account they’re linked to.
We tend to assume that hackers will try and guess our passwords. They’ll try “password” and then “1234” and then “pa$$w0rd” and so on. As Fallows says, that’s not how it goes these days.
“Guessing less often involves social engineering — trying your birthday or your hometown or your relatives’ names — than ‘brute-force attacks,’ in which a hacker’s computer tries every word or combination of words in existence, in a variety of languages, to see if it finds a match,” writes Fallows. “Several of the people I spoke with pointed out that brute-force attacks have recently become much more effective, as hackers have taken advantage of the powers of new computer-graphics chips, which can handle certain kinds of computations even more quickly, and with more parallel processes running simultaneously, than a computer’s central processing chip can.”
So a strong password today is not one that’s hard for a human to guess but one that’s hard for a computer to crack. The point is made nicely in this XKCD cartoon:
Kind nerds have even constructed an XKCD password generator to help you come up with a better password according to these rules.
But even a good password won’t do much for you if it’s attached to weak sites. If you’re using the same password for everything, one way a hacker can break into your files is to get access to a weak site’s internal databases and then plug the e-mails and passwords he finds there into stronger, more valuable sites like Gmail, or Wells Fargo. “If you have ever used the same password in more than one place, you have reduced your overall safety record to whichever site had the lowest amount of protection,” said Michael Jones, Google’s “Chief Technology Advocate.”
That implies that you probably want different passwords for your highest-value sites. Gmail, for instance. And your bank account.
In the article, Fallows has further advice on how to manage these passwords, in addition to thoughts on increasing your online security far beyond what I’ve outlined here. Forty minutes of reading and password reworking now could save you a lot of trouble later.