Pantheon Customer Success Engineer Dan Ficker recently attended MidCamp and presented Personal Internet Security Basics. Watch the whole session here and read a summary below:
A year ago, I got a scary e-mail. Netflix said, “We've changed your account email address, as you asked.” I thought, “I didn’t ask to change my e-mail address.” And now I couldn’t log onto my Netflix account on any device. What’s going on?
Like many who have been on the Internet for years, I have hundreds of accounts on websites. And when I started, I didn't think much about security, just about my personal usability. So I often used the same password for most of these sites. As I'll get into a bit more below, that was not a secure way to protect my personal information. Sooner or later, if I continue to use the same password on multiple sites, it will let me down, and it will let you down too.
Keep Your Passwords Secret & Unique
Back in 2009, I signed up for an account on a game for my iPhone. I just used my standard username and the normal password that I used for nearly every website. And for years, I didn’t think anything of it. All the account only really allowed me to do was post high scores in the game. And, well, that doesn’t really matter because there always seems to be someone much better than me at any game. Many someones, actually.
Unfortunately, the game developers didn’t think security was much of a concern either. In 2018, they publicly told customers of the game, which had stopped working a few years earlier, that they had been storing usernames and passwords in a database without any encryption. That data had been stolen by malicious users and was being passed around on the Internet.
Two days later, I got the notice from Netflix I mentioned above. Someone saw my e-mail address and password on this list and tried to login to Netflix with the same credentials and it worked. Thanks to Netflix notifying me of the change, they only got a few hours of streaming out of it. I had to call up Netflix customer support and prove to them that I was paying for an account that no longer had my name, e-mail, or phone number associated with it. They gave it back to me so, in the end, it was not that much of a headache for me.
Don’t Reuse Passwords
As shown in the story above, reusing passwords can be very detrimental to data security. As the Netflix Customer Service person assured me, all they could do was watch TV shows and movies on my dime. But what if it had been my online shopping or banking account? The site where I prepare my taxes? If you’re using the same password on more than one site and that password is compromised, then your access and data on all of those sites are compromised.
Hopefully, websites that have your usernames and passwords take better care of their security than this iPhone game developer. But, even if they do, security is hard to get right. Many big, smart companies have had their data stolen from under them due to both simple and complicated hacks. In fact, it’s very likely that your password, or even your e-mail address and password together, is already out there. Security researcher Troy Hunt created https://haveibeenpwned.com/ a few years ago as a tool for us to get a better idea of what data has leaked. If I put in my e-mail address on the home page, it shows 14 breaches my e-mail address was found in. On another page, I put in the password I used to use on Netflix and it verifies that this password exists in breached data stores as well.
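The password page mentioned above is backed by the Pwned Passwords range API, which lets you check a password against the breached set without ever sending the password (or its full hash) to the server: you send only the first five hex characters of its SHA-1 hash, get back every hash suffix sharing that prefix, and match locally. The block below is an added example, not code from the post or from Have I Been Pwned. The live `fetch_range` call uses the real endpoint `https://api.pwnedpasswords.com/range/<prefix>`; the `CONSTRUCTED_RANGE` response body and its counts are made up so the check can be run offline (only the first suffix is the real SHA-1 suffix of the word "password").

```python
"""k-anonymity breached-password check in the style of Pwned Passwords.

Added example (not from the original post). The password never leaves the
machine: only a 5-character hash prefix is sent, and the match is done locally.
"""
from __future__ import annotations

import hashlib
from typing import Callable, Tuple
from urllib.request import Request, urlopen


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is
    sent to the server and the 35-char suffix that is matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(range_body: str, suffix: str) -> int:
    """Parse a range response ("SUFFIX:COUNT" per line) and return the breach
    count for our suffix, or 0 if it is absent. Padded ':0' entries that the
    API can add to hide the true response size parse naturally as count 0."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # tolerate blank lines or unexpected junk
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live query of the range endpoint (needs network access)."""
    req = Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "pwned-check-example"},
    )
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def password_breach_count(password: str,
                          fetch: Callable[[str], str] = fetch_range) -> int:
    """Return how many times the password appears in the breached set.
    `fetch` is injectable so the logic can be exercised offline."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(fetch(prefix), suffix)


# CONSTRUCTED sample response for prefix 5BAA6. The first suffix is the real
# SHA-1 suffix of "password"; the count and the other two lines are made up.
CONSTRUCTED_RANGE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
00000000000000000000000000000000001:2
ABCDEFABCDEFABCDEFABCDEFABCDEFABCDE:0
"""


def offline_fetch(prefix: str) -> str:
    """Stand-in for fetch_range that returns the constructed body."""
    return CONSTRUCTED_RANGE


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = password_breach_count(pw, fetch=offline_fetch)
        print(f"{pw!r}: seen {n} times in the (constructed) breached set")
```

The design point is the split: `sha1_prefix_suffix` is the only place the password is hashed, and the server sees just `prefix`. If you wire in the live `fetch_range`, the same `count_in_range` parser works unchanged on the real response; a non-zero count means the password should be retired everywhere it was used, not just on the site where you noticed the leak.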
Only Remember One Password
It’s impossible to remember the hundreds of passwords we have for all our Internet services if we are going to use a separate password for each one. Also, if it’s going to be a really secure password, it should really be random data, not just something you made up that looks random. (If the hackers really want to get your data, they’ll find your pattern in the pseudo-randomness.)
Thankfully, these days there are many solid solutions to this problem. You could just carry around a text file or spreadsheet or even a printed paper with all your passwords. Actually, don't do that, please. A better way would be to store these in an encrypted data store and use software to generate completely random passwords. Here are a couple of software solutions to do that:
LastPass is my chosen solution. It encrypts your password store and keeps it in the cloud. If you give it your master password, you can access your passwords from any device. They have apps for all the common browsers, phones, and computers, many of which even fill the passwords in for you for quick login. The main feature set is free.
1Password is very much the same as LastPass for personal use. It started as a Mac application, but they continue to improve support on non-Apple devices.
KeePass is an Open Source password manager, for those who really want to Trust No One.
If you’re an all-Apple house, you can just use Apple’s iCloud Keychain to generate and store passwords. It works on Macs as well as iPad/iPhone devices.
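The two points made above, that each password should be truly random rather than something that merely looks random, and that software should generate it, are easy to get right with a CSPRNG. The block below is an added example written for this post; it is not code from the post or from any of the password managers listed. It uses Python's `secrets` module (designed for security-sensitive randomness, unlike `random`), reports the entropy of what it produces as `length * log2(alphabet size)`, and also builds a passphrase from a word list. The `WORDS` list is a constructed 16-word stand-in; a real diceware-style list has thousands of words, which is what makes passphrases strong.

```python
"""Cryptographically random passwords and passphrases with an entropy report.

Added example (not from the original post). Randomness comes from `secrets`,
which draws from the OS CSPRNG; `random` is NOT suitable for this.
"""
from __future__ import annotations

import math
import secrets
import string
from typing import List

# Symbols chosen to avoid quotes, backslash and space, which some sites mangle.
SYMBOLS = "!#$%&()*+,-./:;<=>?@[]^_{|}~"          # 28 characters
FULL_ALPHABET = string.ascii_letters + string.digits + SYMBOLS  # 62 + 28 = 90

CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(SYMBOLS),
}

# CONSTRUCTED stand-in word list; a real list (e.g. diceware) has ~7776 words.
WORDS: List[str] = [
    "anchor", "basil", "cobalt", "dune", "ember", "falcon", "garnet", "harbor",
    "indigo", "juniper", "kestrel", "lantern", "meadow", "nectar", "orchid", "pebble",
]


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for `length` symbols drawn uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def has_all_classes(password: str, alphabet: str = FULL_ALPHABET) -> bool:
    """True if the password contains every character class the alphabet offers."""
    present = set(password)
    for members in CLASSES.values():
        if members & set(alphabet) and not (members & present):
            return False
    return True


def generate_password(length: int = 20, alphabet: str = FULL_ALPHABET,
                      require_classes: bool = True) -> str:
    """Uniform random password; optionally resample until every class that
    exists in the alphabet is present (rejection sampling keeps it uniform
    over the accepted set rather than biasing particular positions)."""
    if length < 1 or len(set(alphabet)) < 2:
        raise ValueError("need length >= 1 and an alphabet of >= 2 characters")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not require_classes or has_all_classes(candidate, alphabet):
            return candidate


def generate_passphrase(n_words: int = 6, words: List[str] = WORDS,
                        sep: str = "-") -> str:
    """Random passphrase of `n_words` words drawn with replacement."""
    if n_words < 1 or len(words) < 2:
        raise ValueError("need n_words >= 1 and a word list of >= 2 words")
    return sep.join(secrets.choice(words) for _ in range(n_words))


def strength_report(length: int, alphabet_size: int) -> str:
    bits = entropy_bits(length, alphabet_size)
    return f"{length} symbols from {alphabet_size}: {bits:.1f} bits"


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, "->", strength_report(20, len(FULL_ALPHABET)))
    phrase = generate_passphrase(6)
    print(phrase, "->", strength_report(6, len(WORDS)), "(tiny list; real lists give ~12.9 bits/word)")
```

The entropy line is the useful check: 20 characters from a 90-symbol alphabet is about 130 bits, while six words from a 16-word toy list is only 24 bits, which is why the list size matters far more than word count for passphrases. A password you invent yourself has no such number attached to it, because its "randomness" is whatever pattern you happened to follow.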
More Security and Web Development
I hope this post gets you more interested in your own personal security on the Internet because it’s increasingly important for everyone. It is an important part of being a web professional or even a citizen of our world today. To find out more, watch the recording of my session on personal internet security from MidCamp.