Tuesday 17 September 2019

Twitter's timely password prompt

Twitter told users to change their passwords after an internal leak.
Adrian Weckler

Last week, Twitter did us a favour.

It messed up its internal systems, exposing lots of our passwords internally in the company.

None were accessed by outsiders, the company said.

Still, we were all advised to change them.

This applies to about a million people in Ireland.

Leaving aside the slightly ham-fisted way the company's chief technical officer went about announcing it ("We are sharing this information to help people make an informed decision about their account security… we didn't have to, but believe it's the right thing to do," he said, before apologising for the remark later on), it's a timely reminder that most of us are lazy and negligent about our passwords.

We leave them in place for years.

This includes me. Against all advice, I have used the same password for a couple of different services for over a year. I justify it by telling myself that the services I use such repetition for aren't critical, or don't contain important information that could financially hurt if exposed.

That is pretty stupid reasoning though. It's complacent and ignores the overwhelming likelihood that I'll be caught.

Indeed, I know that I have been.

An occasional contact emailed me some months ago to tell me that he had seen my email address in a stolen database.

He even read out the password attached to it. As it happens, this was an old password that I no longer use. Nevertheless, it reminded me that the more online services I use, the greater the certainty that one or more of them will be compromised in any 12-month period.

(A quick check reminded me that I have logins and passwords for over 50 services that I use regularly or occasionally, from social media, email and news services to banking apps and utilities.

I suspect most people reading this have similar figures racked up.)

Most research on password usage suggests that people use the same password, or a variation of the same password, for most of the online services they use.

This means that if a database is accessed by a hacker, there's a good chance that many of those passwords will open lots more doors.

Hackers know this, which is why stolen databases continue to attract good prices on the Dark Web and other places.

An investigation I did last year into criminal activity on the Dark Web showed quite a lot of this sort of material up for sale, as prevalent as weapons or drugs.

Assuming you're like me, what should you do?

There are a couple of possible approaches for those of us who don't have photographic memories.

The best one is to use a password manager, such as LastPass or Dashlane. In essence, these act as a secure password filter for all your accounts.

They generate long, hard-to-guess passwords and the only password you need to remember is the master one you use for the password manager service itself.

The only catch is that they cost you a couple of euro per month if you want them to work across different devices which, in an era of switching between phones, laptops and tablets, you will.

The other quibble about password managers is that they're not really that simple to set up, especially from a phone.

They use a lot of jargon and assume you understand preliminary prompts such as "add form fill profile" (which is one of the first things you see on LastPass and which many people may need to Google).

However, if you figure all of this out, it's the best way to manage your passwords and probably worth the €2 or €3 a month.

An alternative method is to try to remember a phrase with several words, placing at least one or two capitals, numbers or punctuation marks in it.

For example, you might have a formula that involves a sentence such as 'my first dog's name was Sooty'.

Perhaps you take the first letter of each of those words, add a number or capital in, and then vary it to the service you're using ('M1dnwSooty_FBook').

This isn't as secure as a password manager, but at least means you're varying your password for each service.

If you decide not to bother with any of this, you're not being very clever.

Don't take too much comfort, either, from the introduction of the EU's new data protection law (the General Data Protection Regulation) later this month.

That contains some new strictures on companies (of all sizes, not just big corporations) being required to inform you if your personal data has been breached.

But from a security point of view, that's about it. Once your password is exposed, you need to assume that it's out in the wild and that it will form part of repeated battering rams roaming the internet for years to come.

As for me, I've signed up for one of the password managers (LastPass).

So far, it's not a great experience, with some functions (such as "user manual") just not working between smartphones and browsers.

But I'm willing to stick with it for now to secure the passwords. (LastPass gives you a 30-day free premium trial, after which you can decide whether the hassle is worth it or to switch to an alternative such as Dashlane.)

But even here, I know that it will take some time to capture all of the services I use.

I'm just hoping that none of my passwords pop up in stolen databases on the Dark Web, or anywhere else, in the meantime.

So take advantage of Twitter's misstep last week.

Start changing your password system. Today is a good day to do this: download one of the password managers and see whether it suits you.

Sunday Indo Business