Today's Heartbreak-of-Hacked-Email Saga


I regret to say that every day I get a message or two like the one below. "Regret" because of the churn and hassle the people who write are going through; regret because I usually intend to do something with or about these accounts - write a post, figure out better answers - but something else generally comes up.

So let me just put up the latest email-distress account more or less the way it just came in. For those joining us late, three points of background:

  • For how and why I got an immersion in the world of hacking and passwords, see this report of the time a West African attacker took over my wife's Gmail account and zeroed out six years' worth of correspondence.
  • For the importance of Gmail's "two-step authentication" system, which the reader refers to, see this and this - but mainly turn it on now. If you feel brave, you can wait until after you read the message below.
  • For background on one question the reader asks, about whether he needs to change an entire suite of "reallllly long passwords," consider these truths of password-ology: The longer a password (and most systems now accept very long ones), the harder it is for an attacker to crack by "brute force," that is, by trying every combination. Each additional character multiplies the number of possible combinations by roughly ninety-five, if you allow upper- and lower-case letters, numbers, special symbols, etc., so every extra character costs the attacker nearly a hundred times more work. On the other hand, really long passwords can be easy for you to remember, if they're based on some mnemonic - an entire verse of a song, a list of streets in your hometown, anything. One caveat: a famous line quoted verbatim shows up in cracking wordlists, so personalize the phrase rather than using it as-is.

    The reader says that he has applied these principles by making his passwords loooonnngg, basing them on phrases familiar to him, and then adding minor variations according to a rule. To give a very simple example, an Apple password could be something like:

     TheRainInSpainFallsMainlyOnThe!Apple&Plain         then, for Amazon
     TheRainInSpainFallsMainlyOnThe!Amazon&Plain      and so on

This wouldn't be a good combination, because anyone who recovered one of these passwords (say, from a site that stored it in plain text or with a weak hash), or who even guessed the familiar phrase at its core, would have the template for all the rest and need only a handful of tries per site. Still, you get the idea.

He is wondering if his whole approach is now at risk.
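To put numbers on the two points above, here is an added Python example of my own (not code from the post, its author, or the reader). It computes how fast the brute-force keyspace grows per character, and then shows how little is left to guess once one password from a shared-template scheme has leaked. The two passwords are the illustrative ones from the post; the 512-entry candidate list of service names and the guess rate of ten billion per second are assumptions made for illustration.

```python
import math
import string

# Upper- and lower-case letters, digits and punctuation: 94 symbols.
ALPHABET_SIZE = len(string.ascii_letters + string.digits + string.punctuation)

SECONDS_PER_YEAR = 365 * 24 * 3600


def bits_per_char(alphabet_size=ALPHABET_SIZE):
    """Entropy contributed by one uniformly random character."""
    return math.log2(alphabet_size)


def random_password_bits(length, alphabet_size=ALPHABET_SIZE):
    """Entropy of a password made of `length` independent random characters."""
    return length * bits_per_char(alphabet_size)


def growth_per_char(alphabet_size=ALPHABET_SIZE):
    """Factor by which the keyspace multiplies for each extra character:
    every new position can hold any of alphabet_size symbols."""
    return alphabet_size


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every possibility at the given guess rate."""
    return (2 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def common_template(pw_a, pw_b):
    """Split two template-built passwords into (prefix, suffix, slot_a, slot_b).

    prefix and suffix are the characters shared by both passwords; the slots
    are what varies between them.  Letters the two slot values happen to share
    at their edges (here the leading 'A') are counted as fixed, since an
    attacker sees them as constant too.
    """
    n = min(len(pw_a), len(pw_b))
    i = 0
    while i < n and pw_a[i] == pw_b[i]:
        i += 1
    j = 0
    while j < n - i and pw_a[-1 - j] == pw_b[-1 - j]:
        j += 1
    prefix = pw_a[:i]
    suffix = pw_a[len(pw_a) - j:] if j else ""
    return prefix, suffix, pw_a[i:len(pw_a) - j], pw_b[i:len(pw_b) - j]


def template_bits(candidate_slot_values):
    """Entropy left once the template is known: only the slot is secret."""
    return math.log2(len(candidate_slot_values))


# The two illustrative passwords from the post.
APPLE_PW = "TheRainInSpainFallsMainlyOnThe!Apple&Plain"
AMAZON_PW = "TheRainInSpainFallsMainlyOnThe!Amazon&Plain"

# Assumption: an attacker holding one leaked password tries the slot against a
# list of service names.  The 512-entry list is constructed for illustration.
CANDIDATE_SERVICES = [f"service{n}" for n in range(512)]

# Assumption: ten billion guesses per second, an illustrative offline rate.
GUESS_RATE = 1e10


def main():
    print(f"keyspace grows {growth_per_char()}x per extra character")
    for length in (8, 9, 12):
        bits = random_password_bits(length)
        yrs = years_to_exhaust(bits, GUESS_RATE)
        print(f"{length} random chars: {bits:.1f} bits, {yrs:.2g} years to exhaust")

    prefix, suffix, slot_a, slot_b = common_template(APPLE_PW, AMAZON_PW)
    fixed = len(prefix) + len(suffix)
    print(f"template: {prefix!r} + <slot> + {suffix!r}")
    print(f"{fixed} of {len(APPLE_PW)} characters are fixed; slots {slot_a!r}, {slot_b!r}")
    print(f"as random text: {random_password_bits(len(APPLE_PW)):.0f} bits; "
          f"once one copy leaks: ~{template_bits(CANDIDATE_SERVICES):.0f} bits")


if __name__ == "__main__":
    main()
```

The contrast is the whole point: treated as 42 random characters, the Apple password would carry about 275 bits, but once a second copy of the template is seen, 38 of those 42 characters are known and the remaining secret is just which service name fills the slot, around nine bits against a list of a few hundred names.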

All this is offered as a public service, in hopes that if you haven't applied proper password hygiene, you'll start doing it now. And, yes, I am aware that in the long run some solution other than passwords is needed - biometrics and all of that. But the long run is not yet at hand. Over to the reader:

I just had the misfortune of having my briefcase stolen, containing work laptop, original iPad, personal and work papers. The experience is almost bewildering - I feel like I should be more angry, but I am mostly sad and twisting in the wind.  Oh, and working my fingers to the bone changing websites.

I can say without hesitation that figuring out what passwords, verifications, and permissions to find, revoke, or delete is already the most troublesome part of this process thus far.  I already have 2-factor authentication on both my primary and secondary email addresses through Gmail.  I installed a 3rd party anti-theft app on my Apple and Android devices, although I will admit that their FAQ/forum is not being particularly helpful now that my iPad is, um, stolen.

Thoughts:

1) It's true, this is a major pain in the ass. Wouldn't wish on any except my worst enemies.

2) If I didn't have 2-factor and Google's ability to revoke access to subsidiary apps on a device-by-device basis, not to mention the ability to log those other devices out, I'd be really, really unhappy.  [JF note: Yes. Gmail's 2-step system can seem cumbersome in some aspects, but it offers very quick, convenient, all-in-one-place ways of revoking or de-authorizing the device-specific passwords and app authorizations after an episode like this.] I also feel much better about it all having several services (likely candidates like AppleID) tied to a second, 2-factor email address with text authentication rather than my primary email's app authenticator.

3) I want a device that tracks all of the things that you've ever logged into - I am recreating it by looking at the iTunes App Store purchased section, and that's only helpful for the immediate big ones.

4) My AppleID Password is reaaaallly long (25+ characters).  I still have to change it right?  Second but related question for your experts out there:  IF you use a mnemonic to create a unique password for multiple services, and the mnemonic is, say, reaaaaallly long, but the unique elements are short and the rest repetitive, in other words, easier to crack, is that a safe approach?  We are assuming here that I am A) Not a famous person of interest worthy of the processor cycles, and B) not typing AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAb1, b2, b3 etc.

5) If someone from Prey [anti-theft app] is on your email list, will you ask them how I can enable push notifications after the fact, or whether I am doomed to waiting until this Black Monday thief takes my Apple stuff somewhere so I can get an IP, GPS triangulation, and so on to send to the police?

6) Do you have any advice beyond the stuff I've mentioned?  Should I set a Credit Report Alert on general principle?

7) On the exceedingly unlikely (but unfortunate!) chance that the thief is a reader here, would you please heavily redact this prior to publication [JF: done, also some details changed], although I would be happy to continue the conversation so future victims can benefit.

p.s. Any requests for Bus money because I am stranded in England should henceforth be disregarded, although please do call and let me know.

James Fallows is a national correspondent for The Atlantic and has written for the magazine since the late 1970s. He has reported extensively from outside the United States and once worked as President Carter's chief speechwriter. His latest book is China Airborne.
