“Hacker Croll,” a hacker going by that handle, was able to get access to some very sensitive business documents from Twitter’s Google Apps account this week. It was a very high-profile hack, and quite embarrassing for Twitter. People familiar with the incident say that the hacker was able to easily figure out the security question to one employee’s account and, with that, access all of the documents stored in the company’s storage cloud at Google. He put them in a zip file and emailed them to techcrunch.com. Ouch!
Note: Google Apps is a suite of free (and paid) business productivity tools that you can access from any web browser. You are probably familiar with most of the apps: Gmail, Google Talk (Google’s version of IM), Google Calendar, Google Docs (word processing, spreadsheets and presentations) and Google Sites for websites and wikis. You don’t download and install them, you use the tools when you’re online. You also have the option to store your data in the cloud so that other team-members and colleagues can access them from remote locations.
This security breach has captured the imaginations of many cyber-pundits and self-styled security experts. It has also inspired some very lively conversations between proponents of cloud computing solutions and more traditional geeks. But there are two things to keep in mind.
1) Twitter is a very big, high-profile target that comes with associated bragging rights. In other words, Twitter is more likely to get on a hacker’s radar than your company, and 2) the reason that this account was so easy to hack had very little to do with the fact that Google Apps is a cloud computing solution. It could have been accomplished with any account that could be accessed from the web. This account was hacked because the user did not have a “robust” or “strong” password and security question.
With that in mind, I thought we might use Twitter’s most unfortunate security breach as a teaching moment.
Passwords can only protect you if you use them correctly. Here are some guidelines.
Use letters (caps and lowercase), numbers and symbols. The more cryptic your password is, the better it will protect you.
Use computer geekspeak to make weak passwords stronger. Leet replaces English letters with numbers and symbols. For example: a=@, E=3, i=1, S=5, etc. Check out Wikipedia for a complete Leet table.
Leet can help you turn proper nouns, which are very, very easy for machines to crack, into stronger passwords. For example: macintoshczar becomes m@c1nto5hcz@r. You can still easily remember it, but it is much harder to crack.
Make up a sentence and use the first letters of each word to create your password. For example: “Mozart is one of my favorite cats in the car.” would yield the password: “Mioomfcitc.” Then write it in Leet to make it even stronger, “M100mfc1tc.” The sentence is a mnemonic device that will help you remember your password, and Leet makes it much stronger.
Lastly, keep in mind that the longer a password is, the better it is. Change your passwords on a regular basis. No birthdays, names, proper nouns, ages or anything else that looks or sounds like English or says anything about you! And, don’t reuse them.
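The two password-building rules above (take the first letter of each word of a sentence, then apply Leet) can be checked mechanically. The following Python is an added example, not code from the original post; it assumes a small Leet table made of the letters the post lists (a=@, E=3, i=1, S=5) plus o=0, which the post’s “M100mfc1tc” example uses, and a constructed, tiny wordlist standing in for the dictionaries that cracking tools ship with. Because the table is applied to every matching letter, “macintoshczar” comes out as “m@c1nt05hcz@r” (the o is substituted too), slightly different from the post’s hand-written example.

```python
import math
import string

# Assumed Leet table for this example: the page's a=@, e=3, i=1, s=5, plus o=0.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "5"}
UNLEET = {v: k for k, v in LEET.items()}

# Constructed stand-in for the wordlists that password-cracking tools use.
WORDLIST = {"password", "mozart", "macintosh", "muffin", "whitehead", "twitter"}


def acronym(sentence):
    """The post's mnemonic rule: first character of each word, case preserved."""
    words = (w.strip(string.punctuation) for w in sentence.split())
    return "".join(w[0] for w in words if w)


def leet(text, table=LEET):
    """Apply the substitution table to every matching letter, case-insensitively."""
    return "".join(table.get(ch.lower(), ch) for ch in text)


def unleet(text, table=UNLEET):
    """Undo the substitutions; a cracking tool's mangling rules do exactly this
    before looking a candidate up in its dictionary."""
    return "".join(table.get(ch, ch) for ch in text)


def keyspace_bits(password):
    """log2 of the brute-force keyspace implied by the character classes present."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def assess(password, wordlist=WORDLIST):
    """Checks a password policy would apply to the post's guidelines:
    length, brute-force cost, and whether de-Leeting yields a dictionary word."""
    return {
        "length": len(password),
        "bits": round(keyspace_bits(password), 1),
        "dictionary_word": unleet(password).lower() in wordlist,
    }


if __name__ == "__main__":
    base = acronym("Mozart is one of my favorite cats in the car.")
    strong = leet(base)
    print(base, "->", strong, assess(strong))
    print("P@55w0rd", assess("P@55w0rd"))
```

The `assess` output shows where the real strength comes from: the Leet step raises the estimated keyspace only modestly (it adds the digit class), while `dictionary_word` is True for something like “P@55w0rd” because reversing the substitutions is a standard cracking rule. Length and a base that is not a word, which the sentence mnemonic gives you, are what do the work.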
As for security questions: never use your mother’s maiden name, the last four digits of your social security number or anything else I can find out about you with Google or on your Facebook or LinkedIn profile. Don’t even use your drag queen name (your first pet’s name and your mother’s maiden name; mine is Muffin Whitehead). It may be great fun at a party, but it is not secure!
If you keep these very simple principles in mind, you will be much more hacker-proof than you are right now. Use your username and password to log in on your personal computers, every time. Security begins right at your desk. And, don’t write them down, of course!