Wednesday, February 22, 2012


James Fallows' wife's Gmail account was hacked, and back in November he wrote a long piece about the experience, Hacked!. It's a good read, and he sums up with a few bits of advice. The first is to choose strong passwords; I won't bother quoting that here, but here are two others.

"I asked my experts how many passwords they personally used. The highest I heard was ‘about a dozen.’ The lowest was four, and the norm was five or six. They all stressed that they managed their passwords and sites in different categories. In my own case, there are five sites whose security really matters to me: my main e‑mail account, two credit-card sites, a banking account, and an investment firm. Each has its own, good password, never used anywhere else. Next are the sites I’d just as soon not have compromised: airline-mileage accounts, Amazon and Barnes & Noble, various message boards and memberships. I have two or three semi-strong passwords I use among all of them. If you hacked one of them you might hack the others, but I don’t really care. Then there is everything else, the thicket of annoying little logins we all deal with. I have one or two passwords for them too. By making it easy to deal with unimportant accounts, I can concentrate on protecting the ones that matter."

"if you use Gmail, please use Google’s new “two-step verification” system. In practice this means that to log into your account from any place other than your own computer, you have to enter an additional code, from Google, shown on your mobile phone. On your own computer, you enter a code only once every 30 days. This is not an airtight solution, but it can thwart nearly all of the remote attacks that affect Gmail thousands of times a day. Even though the hacker in Lagos has your password, if he doesn’t have your cell phone, he can’t get in. In case you’ve missed the point: if you use Gmail, use this system. Also, make sure the recovery information for your account—a backup e-mail address or cell phone where you can receive password-reset information—is current. Google uses these to verify that you are the real owner."

Do any of you Gmail users use this?

1 comment:

Ryan said...

I've been using the two-step verification on Gmail for 5 or 6 weeks. Not too onerous - the SMS pops up almost immediately on my phone and I type in the six-digit number on my laptop. I don't even have to unlock my phone to do it because the SMS is short enough to read in the iPhone alert.