On the subject of passwords...

A very public internet figure was hacked. In the end it turned out not be a flaw in his passwords, but actually a social hack worked against Apple, which in a way is worse than the kind of password-cracking we typically mean when we speak of hacking. The full story is here.

But reading about the episode made clear some of the weaknesses of the casual way many of us link accounts and use the same or similar passwords and the basic vulnerabilities that are introduced in the new ways available to control our data. Following are some simple concepts to help govern how to approach security with a bit more cognizance of the weaknesses:

1. Use unique passwords for each online service - Of course we've all heard this one before, however when you add in Twitter, Facebook, Google, Tumblr and all the other options out there, it becomes clear that the online "you" is multi-faceted and it's going to be easier to deal with a single account being hacked instead of all of "you" at once.

2. Passwords to be created by 3rd party utilities - There are many available schemes for creating complex or memorable passwords, but when it comes right down to it you may come up with a good that you then use to violates #1, above. Your passwords protect not only your ability to use your account but also that account's very existence; imagine your entire accumulated identity being systematically wiped out at each service. Deleting an account is simple enough, but recovering it may or may not even be possible. Your passwords should be unique, appropriately complex and handled in a way that still gives you needed access. Applications like 1Password from AgileBits Software make this tolerably easy.

3. Linked Accounts add potential danger - It's very convenient to link your Flickr account to your Tumblr, Facebook and Twitter accounts, but that linking means unfettered access to those other accounts. Consider these links carefully and perioidically confirm that the the linkages you want are the only ones active.

4. AppleID passwords have become very powerful - Once only needed for iTunes purchases, your AppleID can now be used to secure your hardware purchases at Apple and where they ship, the contents of all of your devices, even a password reset on your Mac OS X account on your computer. A malicious hacker with your AppleID password can buy a computer, remotely wipe your iPhone and computer or reset your password on your computer if they have access to it. Your AppleID password should be strong and reliable and the answers to the questions used to secure it should be completely unguessable. Since Apple permits you to set the answers to the questions they offer, consider whether an answer to the question "What was your first car?" could be found elsewhere might be better answerd with "Schwinn Cruiser" or even complete nonsense.

5. A password management application is critical - You're going to forget passwords, or if you don't have something to manage passwords you won't use good ones or a proper variety. A password management application takes the burden off you. 1Password can be configured to store your passwords in an encrypted file in your Dropbox account which allows you to have it available on all your devices, while keeping it encrypted.

6. Password archive to be stored - Now that you have your passwords stored using a password management application you can store the encrypted archive of passwords someplace safe that is not on your machine. A last resort method to recover your history.

7. Make a complete backup and keep it disconncted - One of the great things about iCloud and device management is the ability to remotely wipe a device that has gotten out of your control (stolen or lost). That's fantastic! But you need a backup that is safe and available to you. Where will that backup live and how often will it get updated? This is determined by your tolerance for lost data. Some people need this daily, while others think monthly is better for them. Whatever works for you is fine, but do it.

Solutions Consulting - 310-838-5224 or benlevy@rockinbeat.com