Making Work Flow

Jim Ierley's links and thoughts about work and the Web 

The Twitter Hacking Incident: Four Tips for Making Your Webmail Secure

You may have heard the news that some internal business documents of Twitter were posted to the Web after a hacker was able to compromise the accounts of a founder, his wife, and other employees (but maybe not in that order).  Allegedly, the hacker used the common tools for recovering a forgotten password on Web-based e-mail.  If true, this would be the same method that was used to hack Sarah Palin's Yahoo Mail account during the 2008 Presidential campaign.

The role of Web-based e-mail has expanded to include document storage, note taking, mobile communication, photo sharing, chat, and task management among other activities.  The blog you're reading right now is composed and published mostly through e-mails to the Posterous platform.  A well developed example of this approach is blogger Steve Rubel who uses Gmail as the engine of his lifestreaming workflow.  Webmail is portable, flexible, and convenient.

Obviously, I'm not arguing here that you should ditch consumer webmail, nor am I addressing all aspects of online security.  (Whenever human beings are involved, security is not an absolute science.)  Instead, I'd like to share some tips and rules of thumb that will reduce your risk while preserving the benefits you get from webmail.

1. Don't let hackers build a bridge from your consumer webmail messages to your workplace systems.
If you have any business passwords in your personal mailbox, delete them.  Don't use your personal e-mail account as a way to transfer files that you'll need off-site for business.  Take them on a USB drive or a laptop.  If your company has something like a SharePoint site, use it.

2. Use a "strong password" for your consumer webmail and home computer account.
I say this while admitting that the username/password method is not truly strong in comparison to other methods like biometric authentication or Windows CardSpace (which is only supported by Hotmail right now).  However, you should make this password more difficult than a common word plus a number.  Microsoft has some password recommendations and a tool for checking the complexity of your password.

3. Your "secret" password recovery answer should be ridiculously hard.
Many web services offer you the chance to set up a secret question and answer that is required to reset a lost password.  The problem is that many of these questions and answers can be easily guessed after a few searches for family names, birthdays, or places.  Password recovery tools make a poor assumption that anyone should be able to recover a password from anywhere.  Do you really need that feature?  For the vast majority of us, we could stand to wait until we get physically back to our home-base computer where our recovery question answer is stored.

To beef up your security, I'm going to recommend something that sounds strange.  Whatever the preset recovery question options are, disregard the plain meaning of them and enter an answer that is a ridiculously long phrase of utter nonsense: a mix of numbers, special symbols, and upper- and lower-case letters.  You can even make your answer phrase 100 characters long if permitted, or up to the maximum length.  It's essential that you can copy that answer exactly so that you can store it somewhere else, either as a file on your home desktop/laptop or on a piece of paper (gasp!) in your home filing system.  Remember, your everyday e-mail password should be a memorable, strong password, and your personal computer should likewise have a strong password.  The secret question and answer are a separate option that many services offer for recovery of your regular password.  The recovery answer is the one that should be near impossible to remember or decipher.

If that sounds like too much work, just remember that there's a reason your workplace and Google Apps rely on human beings to reset passwords rather than automated recovery tools.  Take a moment to update your recovery preferences and secondary e-mail accounts with the recommendations above. (Gmail's tool is here.)
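Tips 2 and 3 boil down to two checks and one generator: reject the "common word plus a number" pattern, generate a recovery answer from the operating system's random source at the maximum length the service permits, and estimate how many bits of guessing work an answer actually represents. The following Python is an added example written for this post, not code from the post, from Microsoft's checker, or from any webmail provider; the `COMMON_WORDS` list is a constructed stand-in for a real dictionary, and the 128-bit threshold in `recovery_answer_is_weak` is an assumption chosen to make a recovery answer harder to guess than the primary password it protects.

```python
import math
import secrets
import string

# Character classes the post recommends for a recovery answer:
# digits, special symbols, and upper/lower case letters.
RECOVERY_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in for a real dictionary/wordlist (assumption: a real
# checker would load a large list, e.g. common-password dumps).
COMMON_WORDS = {"password", "welcome", "summer", "twitter", "letmein", "monkey"}


def generate_recovery_answer(length=100, alphabet=RECOVERY_ALPHABET):
    """Return `length` characters drawn uniformly from `alphabet` using the OS CSPRNG.

    Use the service's maximum field length; the result is meant to be stored
    in a file or on paper, never memorised.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(secret):
    """Rough upper-bound entropy: length * log2(size of the character pool used).

    The pool is the union of every character class that appears in `secret`.
    This overestimates entropy for human-chosen strings, so it is only a
    sanity check, not a guarantee.
    """
    classes = (
        string.ascii_lowercase,
        string.ascii_uppercase,
        string.digits,
        string.punctuation,
    )
    pool = sum(len(cls) for cls in classes if any(c in cls for c in secret))
    if pool == 0:
        return 0.0
    return len(secret) * math.log2(pool)


def looks_like_word_plus_number(password, wordlist=COMMON_WORDS):
    """Flag the 'common word followed by digits' pattern the post warns against."""
    stripped = password.rstrip(string.digits)
    # Only a match if digits were actually stripped AND the remainder is a known word.
    return stripped != password and stripped.lower() in wordlist


def recovery_answer_is_weak(answer, min_bits=128):
    """True when the answer is short or simple enough to be guessed from public facts."""
    return entropy_bits(answer) < min_bits


if __name__ == "__main__":
    # Constructed sample: a typical "real" recovery answer versus a generated one.
    for candidate in ("Wasilla", "summer2009", generate_recovery_answer(100)):
        print(f"{candidate[:16]!r:>20} bits={entropy_bits(candidate):7.1f} "
              f"weak={recovery_answer_is_weak(candidate)} "
              f"word+number={looks_like_word_plus_number(candidate)}")
```

Run it once to see the gap: a place name or "word2009" answer scores a few dozen bits, while a 100-character generated answer scores several hundred. The entropy figure is an upper bound for strings a person chose, so treat a low score as disqualifying and a high score as merely necessary.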

4. Don't reuse your webmail password as you register for accounts on other online services.
Personally, I've had a good experience using Roboform as my password manager.  This browser toolbar add-on will generate strong passwords for every site where you register, saving them for future use.  Be sure to use its "master password" option to encrypt the passkey files for all your sites.  This means you will have one password to remember, even if you have 100 different site passwords. 

Note for Gmail users: Enable SSL encryption on your account. 
This feature is at the bottom of your "Settings" page and it forces Gmail to encrypt messages as they are transmitted between your browser and Google.  This setting may slow Gmail down a bit and it will interfere with some Gmail related services like iGoogle, but it's more secure.

Update: TechCrunch's Anatomy of The Twitter Attack validates my recommendations.  Their post was compiled after direct communication with the hacker.  I don't know that his methods were totally laid bare, but there's enough there to suggest that it is accurate.  It's worth your time to read how it happened.

Share your webmail security tips in the comments section below.

Filed under: e-mail, security, twitter