Friday, 3 October 2008

Is it secret? Is it safe?

Put on your tinfoil propeller hats, kids - it's time to talk about privacy. 

This is one of several posts I'm planning on doing that is going to cover a little bit about maintaining privacy online, because it is becoming ever more clear to me that more and more people are failing to give two short craps about either covering their tracks or just protecting their privacy. I'm going to cover some of the basics in crypto, passwords, programs to use and common sense, because as someone once said: "common sense isn't all that common".

Firstly, I guess we should address why you should be caring about this. I'd suggest looking to issues such as the recent Sarah Palin email debacle or the coming of Phorm to the UK or to the fact that you wouldn't walk down the street with all your contact details on the back of your coat. Or maybe you would. I'm suggesting that this isn't such a great idea, though.

Google yourself. Do you turn up on the first page? Maybe even the first hit? Why? I'm not going to suggest that this is necessarily a bad thing. Maybe you're the Prime Minister. Maybe you are an astronaut. If, however, you're a private citizen with nothing more to recommend you than a collection of holiday postcards, why are you there?

Maybe your Facebook account or MySpace account is the explanation. If you have one, that's your choice - some security experts suggest staking your claim to an account in your name, just to prevent people cyber-squatting your ID on whichever network you choose. Just sign up, put the bare minimum of details about yourself on there (ideally, no picture) and sign out. Now, I know a lot of people have Facebook accounts and use them as their main conduit between themselves and their friends. If you do this, be sensible: don't use it for transmitting important information or for "privately" hosting pictures of yourself having sex with your best friend's significant other. Now I know you probably wouldn't do that, but be aware that just because you label something private, doesn't mean it won't get out in the open. Facebook accounts get hacked. MySpace accounts get hacked. You don't want any picture of you in flagrante delicto floating about the 'net in a torrent.

And don't think for a moment that because you are a small fish in a big pond, you are safe. Security through obscurity is at best a delaying tactic. You need to take an interest in these matters.

So, Common Sense: Have you got an account name for some service that involves your first name and your month and year of birth? Hopefully not. Are all your passwords written down on a sticky note, stuck to your monitor? I hope not. Do you have one password for all your accounts? One PIN for all your cards? Is it 4 of the same? Do you have this number written down in your wallet? I hope the answer is no to all of these. Another piece of what I consider common sense (and feel free to disagree with me on this one) is having multiple email accounts. Quite a few sites, such as social networking oriented ones or messaging aggregating ones, will say "If you give us your email password, we'll aggregate your contacts". While this is neat for getting everyone you know under one umbrella, I would question the sanity of doing it. Privacy disclaimers aside, your email address is very much your one stop shop for resetting passwords. And if you use IMAP (for instance, in gmail) and a bad person gains access to your account, then it doesn't take a lot of work to find out which sites a person has accounts on and ask for new passwords. My argument is, no matter how much a site promises not to store your login details, giving up your email password is not a great idea for security. Unless you have one email address you use for frippery and another you use for the important stuff. Even then, I'd suggest asking how much you really want to use the aggregation functionality.

Let's talk a little about what makes a good password. Dictionary words are right out. Likewise names. Length should, ideally, be dictated by the length the field will accept - the longer, the better. Don't repeat characters if possible; mix upper and lower case, put in numbers and, if the field will allow, special characters (punctuation and the like). The absolute best is if the field will allow you to put in several words. Apparently this makes life that much harder on anyone who tries to brute force your password. In Cryptonomicon, Neal Stephenson has a character who generates a pass-phrase from a sentence in a book. For that one-off pass-phrase (I prefer "pass-phrase" because "word" doesn't really encapsulate a string of near-random letters, numbers and symbols) a sentence from a book might work well, but in the long run you're going to have trouble remembering numerous sentences, so you need to think of a secure way of storing multiple passwords. You might want to try the "perfect passwords" page on grc.com to generate as near to random as possible a pass-phrase.

If you run Linux or Mac OSX your operating system will have a keyring. This is a file that stores passwords you enter into programs such as your IM client or web browser for later use. When you shut the computer down or log out of your account it "locks" itself, and when you fire the computer up it will "unlock" itself when you log into your account. Again, ideally this keyring should be locked at all times and require you to enter your account password every time to access it. In the real world, this is just an annoyance. So just don't let someone run off with your computer when you have it open. I mentioned Linux and OSX as they are the operating systems I am familiar with. Windows, I would imagine (I hope), does something similar.

You can use software to regulate access to the keyring, programs such as 1Password or KeePass, allowing you to generate and store strong passwords, access them easily and back them up securely in case of emergency. I would argue that with a set-up like this, all you need to know, and perhaps should know, off the top of your head, is the key to your password manager and the login for your main, account associated, email address.
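As an added example (not code from the original post), here is the "good password" advice above and the password-manager generation step put into a small checker: it flags the weaknesses named earlier (dictionary word, name, year of birth, repeated characters), gives a rough upper bound on how many bits an attacker would have to brute-force, compares that with a random multi-word pass-phrase, and generates such a phrase the way a manager would. The word and name lists are constructed samples; a real checker would load a full dictionary.

```python
import math
import re
import secrets
import string

# Constructed sample lists for illustration; a real checker loads a full
# dictionary and a list of common first names.
COMMON_WORDS = {"password", "letmein", "welcome", "dragon", "monkey", "football"}
COMMON_NAMES = {"sarah", "john", "alice", "bob"}
SAMPLE_WORDLIST = ["correct", "horse", "battery", "staple", "postcard", "tinfoil"]


def charset_size(pw: str) -> int:
    """Alphabet an attacker must search if every character were truly random."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # the 32 printable ASCII symbols
    return size


def check_password(pw: str) -> dict:
    """Flag the weaknesses the post warns about and estimate brute-force bits.
    The bit count is an upper bound: it assumes random choice, which a
    flagged password (name + birth year, dictionary word) is not."""
    problems = []
    core = re.sub(r"\d+$", "", pw).lower()      # 'sarah1984' -> 'sarah'
    if core in COMMON_WORDS:
        problems.append("dictionary word")
    if core in COMMON_NAMES:
        problems.append("name")
    if re.search(r"(19|20)\d\d", pw):
        problems.append("looks like a year of birth")
    if re.search(r"(.)\1\1", pw):
        problems.append("repeated characters")
    bits = len(pw) * math.log2(charset_size(pw)) if pw else 0.0
    return {"bits": round(bits, 1), "problems": problems}


def passphrase_bits(n_words: int, wordlist_size: int) -> float:
    """Search space of a phrase of n_words random picks from a word list."""
    return round(n_words * math.log2(wordlist_size), 1)


def generate_passphrase(n_words: int, wordlist=SAMPLE_WORDLIST) -> str:
    """Random multi-word phrase, as a password manager would generate it."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))
```

Four words picked at random from a 7776-word list come to about 51.7 bits, roughly the same search space as 8 random characters drawn from all 94 printable ASCII characters (about 52.4 bits), and a good deal easier to remember.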

Next up: Basics of using crypto for daily living.
