Today's Online Security Tips

By James Fallows

1) I am not a fan of the "less info! more blank space!" new look of Gmail, described by the company as "cool" and "modern." Fortunately the company offers customization options. (Although there is an ominous note in the Gmail blog suggesting that it might take those options away: "Our new interface will eventually expand dynamically to accommodate different screen sizes and user preferences, but until then you can pick the information density that you prefer." Until then?)

For as long as the customization era lasts, you can apply the tips that Alexis Madrigal recently offered to show more actual email on your screen. Call me crazy, but my email is what I'm hoping to see when I load Gmail.

2) I am a fan of Gmail's "two step authentication" system, as mentioned in items so numerous that I won't link to any of them. (I will, though, link to my article on why you really, really don't want to have your email account hacked.) Via reader MQ, news that the password-manager system LastPass is piggybacking on Google's "two-step" security system, to make its role as a "vault" for your online passwords all the more secure.

I am also a big fan of password managers. I use LastPass, but many are good, and 1Password and RoboForm are also very well known. All of them are designed to solve the Catch-22 problem of passwords: A password that is easy to remember can be easy to hack, and passwords that are hard to hack can be impossible to remember. One way out of this predicament, as mentioned before, is to use long "phrase" passwords, as described in my Hacked article. But another is the online-manager approach: a browser extension that remembers your passwords and applies them automatically when you visit sites.

Does using one of these managers make you even more vulnerable, in that anyone who hacked your master account would get all your passwords at once? Well-run sites, like the ones mentioned above, should reduce rather than increase your risk. Partly that is because of a human-factors bet: that users will do better thinking up and remembering just one very secure password to guard all the others than they will trying to juggle dozens of passwords on their own. It's also due to a technical arrangement: your passwords are stored at the master site in a gibberish form that can only be deciphered in combination with info that you enter each time, or that is on your local machine. See this explanation of LastPass's approach to this problem. So, things could go wrong, but on balance they seem safer. And the more you worry about this, the greater the incentive to switch to a "two-factor" system like the one LastPass has just introduced.
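The "gibberish form" arrangement described above, as an added sketch that is not LastPass's code or any vendor's actual scheme: the vault is sealed on the user's machine with keys stretched from the master password, so the server holds only a salt, a nonce, ciphertext and an integrity tag. The iteration count, function names and sample vault are assumptions, and the HMAC-based keystream is a standard-library stand-in for the AES a real product would use.

```python
import hashlib
import hmac
import json
import secrets

ITERATIONS = 200_000  # assumed work factor for this sketch
SAMPLE_VAULT = {"example.invalid": "constructed-sample-password"}  # constructed data


def derive_keys(master_password: str, salt: bytes) -> tuple:
    """Stretch the master password into an encryption key and a MAC key."""
    material = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS, dklen=64)
    return material[:32], material[32:]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib stand-in for AES, not a vetted cipher."""
    out, counter = b"", 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def seal_vault(master_password: str, vault: dict) -> dict:
    """Runs on the user's machine; the returned blob is all the server stores."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(vault).encode()
    stream = keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def open_vault(master_password: str, blob: dict) -> dict:
    """Runs on the user's machine; fails unless the master password is right."""
    enc_key, mac_key = derive_keys(master_password, blob["salt"])
    expected = hmac.new(mac_key, blob["nonce"] + blob["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("wrong master password or tampered vault")
    stream = keystream(enc_key, blob["nonce"], len(blob["ciphertext"]))
    return json.loads(bytes(a ^ b for a, b in zip(blob["ciphertext"], stream)))
```

Someone who copies the server-side blob still has to guess the master password, and each guess costs a full key-stretching run, which is why the strength of that one password matters so much.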

One more point, particularly significant to those who travel overseas or otherwise do a lot of work from "public" computers. Very often when using internet cafes in China, I would worry about "keystroke loggers." These are devices that can track everything entered on a computer and thereby get any username/PW combo that you type in. Manager programs enter the passwords without your doing anything on the keyboard and therefore avoid this vulnerability.

3) Via reader BW in Washington state, this Computerworld story on a free service, to all appearances legit, that offers clues about whether your email address has been compromised. It is called PwnedList.com, and if you merely enter an address it tells you what it has found in databases of compromised sites.
 
This is not a perfect guide to whether you'll actually have trouble. My wife's Gmail account, which was the object of a devastating hack about six months ago, comes up clean on the PwnedList -- whereas my address, which to the best of my knowledge has not been compromised, gets a warning message. (That warning comes from last December, when I was out of the country. I've changed the password several times since then.) Still, worth a look.

After the jump, a couple of reader testimonials on other tips and tricks.

From a reader in Massachusetts:

I'm writing because there are several good personal security options that you (and others) should consider.

1. Throwaway email accounts. You attribute all this trouble to password reuse between important sites like Gmail and unimportant, throwaway sites, possibly Gawker (google "aaron barr anonymous"). You didn't give this advice, but someone should: whenever you're asked to register with an email (and password) for some throwaway account (like Gawker), ALWAYS use a throwaway email account supplied by a site like mailinator.com and a unique, throwaway password. Once registered, the original email account is unnecessary, and your personal identifying information is never used for Gawker-like sites.

2. Personal clouds. You quote, "Where the sensitive information is concentrated, that is where the spies will go. This is just a fact of life." So stay away from highly concentrated sensitive data stores like Gmail and Yahoo! Tools to set up and host your own personal cloud services are becoming increasingly easy and inexpensive. This is also easily done with virtual servers sold by Amazon, Rackspace, and others. Apple OS X Lion Server costs $20, once.

The security issues associated with having your computer online (which it already is and always will be) must still be addressed, but the likelihood is minuscule that intensive hacker resources will be used to catch a tiny guppy. And when you back up your computer, you also back up your cloud. Finally and perhaps most importantly, you protect your personal privacy by not using a "free" cloud service that has the ability to scrape, use, and sell personal information about you from email and other accounts.

The theme for both approaches is that looking out for your privacy on the web provides greater security, unlike the traditional false "privacy versus security" dichotomy.

Along these lines, one could add a third point about always-on encryption. Gmail does this well, but not Yahoo or others. I tell my family to avoid any site that accepts personal information without providing a secure HTTPS link. The EFF's Firefox plugin HTTPS-Everywhere makes this easier.

The larger societal issue is that it's the Wild West right now for nearly everything that involves cyber privacy and cyber security, and like the wild west of old (or at least of film), your only protection now is to take care of these issues yourself because no one else will.

I've added emphasis to that last sentence because for me it's the main lesson of this whole hacking episode.

Another reader:

I spend my time as a freelance IT Consultant with many small businesses who are interested in using GMail as their primary mail provider. Google has made this easier with their "Google Apps" offering. Surprisingly, backing up the email isn't one of the services that they offer (as you well know).

After some investigation, I'm happy to report that I've discovered Backupify, a business that creates a separate copy of your Google-hosted mail. Even if Google goes belly-up, like it did for your wife, you would still have a copy of your messages, including their attachments.

The pricing is reasonable, but the peace-of-mind is enormous.

I know nothing about Backupify, but FWIW check it out. And one of many tips on the art of generating "easy to remember, impossible to crack" passwords:

I have hundreds of Internet passwords; only four are passwords used for more than one site. It is my position that even those four are inappropriate; each account should have its own unique password, and your article has prompted me to make them such.

Let me share with you one of the memory tricks I use, and as one who is four score plus, I need all the help I can get. I select a reasonably long phrase, e.g., roses are red violets are blue sugar is sweet and so are you, and compose the password from the first letter of each word, i.e., rarvabsisasay. Sometimes I make a letter or two uppercase. It works for me, although I do use an online password manager, 1Password.

More tips from readers shortly.

This article available online at:

http://www.theatlantic.com/technology/archive/2011/11/todays-online-security-tips/247966/