Technology journalist Mat Honan infamously had his entire digital life hacked and erased this week. Slate published some advice to keep the same from happening to you, and my former classmate and newspaper staff mate Theo Hahn asked me to comment.
In my professional opinion, the advice is generally good. I’ll elaborate on the article’s four points as I believe necessary.
Two factor authentication. If it’s practical, two-factor authentication is always good. Two-factor authentication combines something you know (a password or a PIN) with something you have or something you are. That second level makes things much more difficult to hack, though not impossible.
Web-based two-factor authentication usually involves your password and a smartphone. You’ll enter your password, then the web site sends a text message to your phone with a code, which you then enter into the site. If you’re willing to pay for unlimited messaging, this is a workable way to implement it. The likelihood of someone being able to steal your password and your phone is slim. The likelihood of someone distant being able to steal your password and your phone is nearly zero.
Industrial-strength two-factor authentication generally uses a smartcard, which usually doubles as your security badge to be in the building. You insert your card into a card reader, enter a PIN, and you’re in. No passwords to remember. It’s not entirely foolproof, but when implemented well, is very slick.
I wish we could make drivers licenses and state-issued IDs into smartcards for our personal use, but I don’t see how it would be practical. Commentators who know nothing about how smartcards work or can or can’t do would speculate wildly about how the government is probably using the cards to track what we do online, so the idea wouldn’t go anywhere. And of course, card readers aren’t standard equipment on consumer PCs, though they generally are standard issue for business-class PCs these days.
With the smartcard option unavailable for the masses, the smartphone trick is a workable solution for a significant (and probably growing) part of the population, though not necessarily for everyone.
If you can’t turn on two-factor authentication, use a strong password. That’s a password at least 9 characters long, with at least one uppercase letter, one lowercase letter, one number, and one punctuation mark or other non-alphanumeric character. 1q2w!Q@W1 isn’t a good one because it’s just adjacent keys on the keyboard repeated, but that gives you the idea.
I have a 12-character, all-lowercase password I’ve been using for as long as I can remember. It got hacked a few weeks ago by someone in Sri Lanka. I knew I shouldn’t be using it, but wanted to see how long it would take for it to be hacked. It was based on a very old family joke and not in any dictionary. That’s not good enough anymore for 2012. Now you know.
Backup. The article advocates you use a backup service. I don’t, but I do advocate backups. I spent three of the worst years of my life in charge of backups for a former employer, but backups don’t have to be that painful.
The right way to do personal backups is to make at least two copies on different forms of media. Copying all of your personal data onto an external hard drive and a collection of USB flash drives is a good approach. This can happen naturally, too. When you upgrade your hard drive, store the old drive as a backup. When your digital camera’s memory card fills up, dump it to your computer, then label the card and put it in a desk drawer and buy another one.
Then store one of the copies off-site. Store one with a friend or relative, or (with your supervisor’s permission) in your desk drawer at work. Distance is good: A fire won’t wipe out both copies then, and if you send them to a relative who lives a fair distance away, the same natural disaster won’t be able to take out both copies.
Use two forms of media in case of failure. The life expectancy of hard drives sitting on a shelf is around five years; flash is closer to 10. If one fails prematurely, you can fall back on the other. Ask someone who lost a Zip disk or a CD-R to premature failure a decade ago about what that was like.
Encrypt. There are several approaches to encryption. You can encrypt your entire drive or device, or you can encrypt files or groups of files. Recent versions of Microsoft Office (2007 and later) are capable of encrypting documents on a file-by-file basis. If you have a program that doesn’t have built-in encryption, or want to encrypt a collection of files, Zip them with WinZIP 10.0 or later and select AES-256 encryption. I won’t put you to sleep with the details of encryption, except to say that AES-256 is military-grade encryption, so if it’s good enough for the military, it’s good enough for you.
If you don’t want to pay for WinZIP and want to impress your buddies with your command-line skills, GnuPG is capable of AES-256 encryption, and it’s free.
Don’t chain your accounts. This is good advice too. I have multiple e-mail accounts for a variety of reasons (cough) hiding from spam (cough), and while it never occurred to me that I was also helping my security by having my various online accounts point to different e-mail addresses, it makes sense. But admittedly, the idea of having a totally random address somewhere, protected by an obnoxiously secure password, then pointing Facebook and Amazon and everything else you can think of that might ever send you a password reset request to that account is even better still. If I lost one e-mail account, I’d lose roughly half of my online accounts. Losing zero would be even better.