Securing your online identity

by: Joseph Ruscio | posted: July 16th, 2009

This week a widely publicized security breach occurred at media darling Twitter. The cracker made off with a slew of internal company documents, most of which are now easily located at your technology news site of choice. It’s somewhat of a tempest in a teapot, given that most of the secret documents reveal such salacious details such as Twitter’s desire to make money and grow. Shocking, I know.

What should should concern the average net denizen (you, me, etc), is the attack vector used to compromise Twitter. In a similar fashion to what befell Sarah Palin during the last election, the cracker managed to compromise a personal web-based email account of a handful of Twitter employees or their family (Gmail in this case, Yahoo for Sarah Palin). After gaining access to Gmail accounts, the cracker was able to both access other online accounts, any attached documents, or Google Docs repositories.

You see, almost any website you log into will gladly email you everything you need to access your account through a simple click of the “Forgot my password” button. So even assuming you have a unique, strong password set on every account (and lets be honest, you don’t), once a cracker gains access to your favorite email account, its game over.

And what industrial strength security mechanism do email providers use to protect your online achilles heel? Some simple question that’s ridiculously susceptible to attacks. (What’s your mother’s maiden name? What town did you go to high school in? What kind of car do you drive?) So while IANASE (I Am Not A Security Expert), and you need to take responsibility for securing your identity online, there are a few simple things you can do to drastically increase your safety.

Even if you’re not going to use a unique, random password for each account (and you should), at least secure your online email accounts or any Single Sign-on (e.g. OpenID) with a unique, random password. Furthermore, if you have the opportunity to select your own security question (Gmail at least permits this), you should use a question along the lines of “What is the answer to my security question?” and supply as that answer a highly-randomized, secure password that you record and store somewhere safe. FYI, a post-it note affixed to your monitor is not such a safe location. Alternatively you could just answer one of the silly questions with your random password.

(For those looking for more ubiquitous protection, 1Password is a highly-touted, secure password manager that seamlessly integrates with your web-browser to maintain a full set of unique, bulletproof passwords.)