Sunday, July 19, 2009

What Users Can Learn From the Attack on Twitter


After reading this article, The Anatomy Of The Twitter Attack today, it occurred to me that the measures I use to protect my passwords might prove helpful to others. In a nutshell, the article outlines how the security of the Twitter server was attacked by a hacker who first compromised a single employee. Set aside for a moment the potential implications of a security breach at a big company, and consider what this might mean to you personally.

The first step of this attack was to gather personal information about Twitter employees. Using nothing more sophisticated than web search, any determined hacker can track down a ton of information on any person who posts on the web. We tend to put a lot of information out there in casual conversation. I often talk about where I live, where I work, my kids, where my husband works, Mom's home town (she's from Roatan, Honduras). I've mentioned where my daughter works, and on Thursday had a discussion about my dog that included pictures, name and breed. Everybody knows how old I am, and on my birthday, I twittered "it's my birthday". So if anyone is collecting information about me, my dog's name or my birthday would be piss-poor passwords, now wouldn't they?

That's why using personal information as a password is a bad idea, and that's my first level of security. For most websites, I'm not really worried about security. Let's face it, what would really happen if someone compromised my Twitter account or my Photobucket? The inherent danger there is for people who use the same password on every account. Trust me, you might guess my password for Photobucket, but you'll need FBI equipment to figure out the password to my bank account. And if the FBI is looking into my bank account, I've got bigger problems than a security breach.

Another level of security is in how I store my passwords. My memory is sketchy at best. Mom calls it CRS (can't remember shit) syndrome. I have to write them down. Most people keep a file on their desktop called "Passwords". I keep a file in a folder called "Recipes" called "Holiday Fruitcake"... because nobody is ever going to open that.

Inside the fruitcake file, I use two levels of security. For accounts that need low-level security (just to stop people from insulting my friends, no financial information online), I use a simple word/number combination and vary the case. I use the same hard-to-guess word but a different number.

In the file, it looks like this:

heLiotroPe
Twitter123gmail
Yahoo456yahoo
Facebook789gmail

This documents the web site, the password (for Twitter, it would be heLiotroPe123) and the username (my gmail email address). Needless to say, these are not my actual passwords; it's just the system I use. Note the odd placement of uppercase letters. That, too, makes your password harder to guess.

For banking information or any account where I use my credit card, I use a completely different method. I make up a random string of numbers and letters (plus special characters if allowed) and encrypt them within a longer string. It looks like this:

ss872WCHz7&45ku7djT1v8967Gls5xP

Given that string, how long would it take you to figure out that it's the login info for a Wachovia bank account, and the password is ku7djT1v89? Here's the anatomy:

ss872WCHz7&45ku7djT1v8967Gls5xP
username - ss refers to my usual username, sherisaid
website - the minimum combination of letters it will take me to recognize what it is; in this example, WCH for Wachovia.
parameters - the password itself goes between a recognizable pair of markers, usually numerical, like 45 and 67. The markers might also be symbols like !@ and #$, or pieces of a word, like cO and rE.
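Here is the same record layout worked through in code. This is an added example, not code from the post: it builds a record the way the anatomy above describes (prefix, filler, site token, filler, opener, password, closer, filler) and decodes one back, regenerating the filler whenever a marker would land where it could confuse decoding. The function names are assumptions, and the password itself comes from Python's secrets module.

```python
import secrets
import string

# Added example, not the post's own code. Record layout follows the post:
# prefix + filler + site token + filler + opener + password + closer + filler,
# e.g. ss872WCHz7&45ku7djT1v8967Gls5xP. Function names are assumptions.

ALPHABET = string.ascii_letters + string.digits


def random_string(length, alphabet=ALPHABET, avoid=()):
    """Random string drawn with a CSPRNG, containing none of the substrings in avoid."""
    while True:
        s = "".join(secrets.choice(alphabet) for _ in range(length))
        if not any(marker in s for marker in avoid):
            return s


def random_password(length=10, symbols="", closer="67"):
    """Random password (letters, digits, allowed symbols) that never contains the closer,
    so decoding can never stop early inside the password."""
    return random_string(length, ALPHABET + symbols, avoid=(closer,))


def encode_record(prefix, site, password, opener="45", closer="67", filler=3):
    """Hide the password inside a longer string. Everything before the real opener
    (the 'head') must not contain the opener, so filler is redrawn until it does not."""
    if opener in prefix + site:
        raise ValueError("prefix/site token must not contain the opener marker")
    if closer in password:
        raise ValueError("password must not contain the closer marker")
    while True:
        head = prefix + random_string(filler) + site + random_string(filler)
        if opener not in head:
            return head + opener + password + closer + random_string(filler)


def decode_record(record, prefix, site, opener="45", closer="67"):
    """Recover the password from a record, or None if prefix/site token do not match."""
    start = record.find(opener)
    if start < 0:
        return None
    head = record[:start]
    if not head.startswith(prefix) or site not in head:
        return None
    end = record.find(closer, start + len(opener))
    return None if end < 0 else record[start + len(opener):end]


if __name__ == "__main__":
    # The post's own sample record decodes to ku7djT1v89
    print(decode_record("ss872WCHz7&45ku7djT1v8967Gls5xP", "ss", "WCH"))
```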

When I travel, this information is stored in a password protected file on a flash drive. A password protected flash drive would be better, but I haven't invested in one yet. I use one of my impossible passwords and write it down on a card that I keep in the glove box of my car, because I might lose the flash drive, but the chances of losing both my car AND my flash drive are pretty darn slim.

Another thing I would never do is store my passwords for easy login, unless, again, it is very low risk. One high risk account that very few people think about is email, because once someone has access to your email, they can send password reset requests for all your accounts. Think about it... you get updates and mail from the websites you belong to, and they are often stored online. That tells a hacker where to look, and if he's in your email, chances are he already has your password to everything. My solution to this issue is to register financial accounts with an email account I use only for that purpose. I don't send mail from this account, and I download the mail I receive and remove the copy from the server. That narrows possible email spies to the people inside my house, unless someone actually steals my computer.

Here's a list of the 500 most common passwords. None of mine are on this list. I'll bet half the people who will read this are using a password in the top ten. If so, you're hacker-meat.

1 comment:

  1. Sheri, this is interesting about the Twitter attack. I had no idea. Cute photo of your dog. Nice blog.
