Wednesday, June 8, 2011

Safety first

A few days ago, Ravelry announced that its user database had been breached. The hackers got encrypted passwords that they could potentially (given enough time, computing power, and determination) decode. Ravelry's owners and programmers forced everyone to change their Ravelry passwords, and advised them to change passwords as well on any other site where they might have used the same password.

I've written about internet security before, but I'm certainly no fanatic about it. Like most frequent users of online services, however, I've gradually become aware that the practices that seemed just fine when the 'net was young and one's user accounts were in the single digits are now profoundly unhealthy. In particular, the problem of the "usual password" has become acute.

I have a usual password. I'll bet you do, too. It's something meaningful only to me. I stick a number or two on the end sometimes (usually only if the site forces me to have a password of a certain length). Whenever I'm creating an account to buy one thing, or to get access to something free, or to try out a service, I use it. Usually I give a fleeting thought to whether my profile contains sensitive information, but only in the cases of banks and insurance and such do I feel the need to be extra careful and have a unique password.

Ravelry was one of those places where I used the standard password. It was just yarn and projects and chat, after all -- no credit cards or social security numbers. But the break-in revealed how foolish it is to use a site-by-site judgment. If a hacker can get that password in one place, he can crack all the places where you've used it. That goes double if, like many of us, you have a standard username that you use all over the internet (it just so happens that my Rav username is unique).
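To make the "crack it in one place, use it everywhere" point concrete, here is an added example (not code from the original post, and not a description of Ravelry's actual storage scheme). It constructs a small leaked account table hashed with unsalted SHA-1 (an assumption standing in for whatever the breached site used), runs a dictionary attack with simple mangling rules over it, and then tries the recovered plaintext against a second, unrelated site that salts and iterates its hashes properly. The usernames, passwords, word list and salt are all made up for the demonstration.

```python
"""Why one cracked "usual password" opens every site it was reused on.

Added example, not code from the original post. The leak, word list, hash
scheme and the two sites below are all constructed for illustration.
"""
import hashlib
import hmac
import itertools
import math
import string

# --- The breached site (assumption: unsalted SHA-1, a common 2011-era scheme) ---
def breached_site_hash(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()

# Constructed leak: one account with a memorable "usual password" plus a digit,
# one with a random 16-character password of the kind a manager generates.
USUAL_PASSWORD = "purlstitch7"
RANDOM_PASSWORD = "xQ9#vL2m!rT8wP4z"
LEAKED_ROWS = {
    "knitfan": breached_site_hash(USUAL_PASSWORD),
    "yarnbomber": breached_site_hash(RANDOM_PASSWORD),
}

# Constructed attacker word list (real ones run to tens of millions of entries).
WORDLIST = ["password", "knitting", "yarn", "purlstitch", "ravelry", "cable", "merino"]

def candidates():
    """Yield word-list entries with simple mangling rules: case, 0-2 digit suffix."""
    for word in WORDLIST:
        for base in (word, word.capitalize()):
            yield base
            for n in range(1, 3):
                for digits in itertools.product(string.digits, repeat=n):
                    yield base + "".join(digits)

def crack(leaked_rows: dict) -> dict:
    """Offline dictionary attack: hash each candidate once, look it up against every row."""
    by_hash = {h: user for user, h in leaked_rows.items()}
    found = {}
    for guess in candidates():
        user = by_hash.get(breached_site_hash(guess))
        if user is not None and user not in found:
            found[user] = guess
    return found

# --- A second, unrelated site that stores passwords well: per-user salt and an
#     iterated hash (PBKDF2-HMAC-SHA256). Same user, same reused password. ---
def salted_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

OTHER_SITE_SALT = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # constructed, fixed so the run is repeatable
OTHER_SITE_DB = {"knitfan": (OTHER_SITE_SALT, salted_hash(USUAL_PASSWORD, OTHER_SITE_SALT))}

def other_site_login(user: str, password: str) -> bool:
    """Constant-time check of a login attempt against the well-defended site."""
    salt, stored = OTHER_SITE_DB.get(user, (b"", b""))
    return bool(stored) and hmac.compare_digest(salted_hash(password, salt), stored)

def guess_space_bits(length: int, alphabet_size: int) -> float:
    """Bits of guessing work for a uniformly random password (compare with the word list)."""
    return length * math.log2(alphabet_size)

if __name__ == "__main__":
    cracked = crack(LEAKED_ROWS)
    print("cracked from the leak:", cracked)
    print("reused password accepted by the other site:",
          other_site_login("knitfan", cracked.get("knitfan", "")))
    print("dictionary candidates tried:", sum(1 for _ in candidates()))
    print("random 16-char password guess space: %.0f bits" % guess_space_bits(16, 94))
```

The meaningful password with a digit tacked on falls to about 1,500 guesses, while the random one survives the whole list. The second site's salting and iteration do their job against its own leaked table, yet the reused plaintext recovered from the weaker site still logs straight in there: the defence that matters against reuse is a different password per site, which is exactly what a password manager buys you.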

Once you start thinking about the amount of information that might be found when you put all those sites together, it's overwhelming. My cavalier attitude toward keeping my financials "extra safe" with unique passwords isn't enough.

Thank goodness I've been a user of LastPass for some time now -- that has enabled me to have unique random passwords for a lot of my sites. But I ran their security check program after the Rav break-in and was stunned to find that I had dozens of sites with my standard password. Dozens. The list went on and on.

As of yesterday, I changed every single one to a random string, stored in LastPass. I kept my e-mail login meaningful only to me, using a phrase with substitutions and transpositions; I want to be able to store that one in my biological memory bank, since it's what I'll need to access the "forgot password" processes of all the other sites if I can't get to my LastPass vault for some reason.

I've been lucky rather than secure. I'm still not inconveniencing myself unduly with the 2-factor authentication schemes and the like that are available, but at least I've gotten myself to the point that I should have reached several years ago. Without password management tools, though, keeping track of strong, unique passwords for every login would be inconceivable. With such software, it becomes simply a matter of overcoming inertia and complacency to do what's right.
