The recent security breach at the beloved online storage service, Dropbox, has reminded us of the weakness of the Web. Founded in 2007 Dropbox uses cloud computing to allow us to store all kinds of large files on the Web, and across a variety of operating systems, that are then easily shared with others. For about four hours on June 19 anyone could get access to any account with a dummy password. As a fellow journalist John Pavlus, who also uses Dropbox, noted, “It was like our skirt got lifted for hours.”
This is what Dropbox wrote on their blog on Monday:
Yesterday we made a code update at 1:54pm Pacific time that introduced a bug affecting our authentication mechanism. We discovered this at 5:41pm and a fix was live at 5:46pm. A very small number of users (much less than 1 percent) logged in during that period, some of whom could have logged into an account without the correct password. As a precaution, we ended all logged in sessions.
We’re conducting a thorough investigation of related activity to understand whether any accounts were improperly accessed. If we identify any specific instances of unusual activity, we’ll immediately notify the account owner.
This should never have happened. We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again.
This is a serious issue for Dropbox—a company valued at $1.5 to $2 billion—since trust is the number one value they offer over their competition. Until we hear more about the “additional safeguards” they intend to implement it does give us pause about our chosen passwords.
We live in a password era, and we all have our passwords that range from the ridiculously simple and romantically cheesy like “love” to impossible-to-get-straight gobbledigook. Apparently a shocking 50% of passwords are “based on names of a family member, spouse, partner, or a pet,” according to this Smart Planet post and this book “Perfect Password: Selection, Protection, Authentication.” And I learned recently that 75% of us use the exact same password for everything. This is a huge mistake. All it takes is one hacker and one weakly protected site (say, a site like Gawker) and your key to everything, including email and banking, is up for grabs. When you use the same password for everything it is only as strong as the weakest site. And there are plenty of weak sites. Ninety-three percent of organizations have been hacked at least once in the past two years, according to the State of Web Application Security Survey, Ponemon Institute.
I use the same series of numbers and letters but I mix them up (upper case, lower case, order, creating what I think is a near limitless variety) for different sites, banking, discount shopping, online publications, airlines, etc. I thought I was being smart. And I have been a bit smart, since I technically don’t use the exact same password for sites, and I change them up regularly.
But there is a better way. A simple way. According to Christopher Mims at MIT’s Tech Review, create only four passwords and use them in a tiered system.
Here they are:
Low-tier password: Something you may already be using that is so easy that it might as well be your middle name. Use this for sites you don’t care about like commenting sites for online magazines or music streaming sites. If you get hacked the worst that can happen is that your username suddenly likes the band Toto.
Second-tier password: “For sites on which you don’t want to be impersonated (Twitter, Facebook, etc.),” says Mims. Here you need something longer (as long as you are comfortable recalling) and use at least one special character, especially inserting it into the middle, not at either end. Never use what is called a “dictionary password” (any real word) since that is a classic tactic hackers use to break into sites.
Third-tier password: This is for email accounts. (I would recommend for your cell phone as well.) It needs to be unique, long and interspersed with special characters. Your email account is where you might hold information about your other passwords, so it must be highly guarded. It is like the “master key” of passwords.
Fourth-tier password: The gold standard of passwords should be given for your bank and financial information. And this password should be unique for your banking, nothing else.
So we don’t need to have 30+ passwords memorized, or worse documented in email or on scraps of paper, we just need four—or at least three—that are tiered for importance and security.
As for tips on creating a vice-like, gold standard password I suggest reading this post on the worst passwords of all time, and avoid them. Even a cryptic string like “abgrtyu” is on the list, so be wary. The hard part is following the paradoxical mantra of password creation: Easy to remember, hard to guess. Uh, ok. Once you’ve mastered that statement, try measuring your password strength using this useful Microsoft test. I used to get angry and hurt when my passwords were noted as “weak” as if it were a personal affront. Now I know it can be part of an entire strategy of protection.
[via Tech Review]