On the Latest Google Chinese-Hacking News

Thanks to many people who have written in asking whether today's Google announcement of a new China-based wave of attacks on Gmail accounts is related to the takeover of my wife's Gmail account just after we spent two months in China this spring. As the official Google announcement says:

>>[W]e recently uncovered a campaign to collect user passwords, likely through phishing. This campaign, which appears to originate from Jinan, China, affected what seem to be the personal Gmail accounts of hundreds of users including, among others, senior U.S. government officials, Chinese political activists, officials in several Asian countries (predominantly South Korea), military personnel and journalists.

The goal of this effort seems to have been to monitor the contents of these users' emails, with the perpetrators apparently using stolen passwords to change peoples' forwarding and delegation settings. (Gmail enables you to forward your emails automatically, as well as grant others access to your account.)<<

The short answer is: I can't yet know for sure, but I *think* that what happened to my wife was a case of "regular," small-stakes criminal hacking, to trick people to send in money, rather than anything more exotic or political. But I will say more about the whole situation of online email security, including the political and international aspects, in an upcoming article. On the other hand, some traits of what happened to my wife's account are similar to what the latest Gmail announcement warns about. For instance, redirecting all incoming mainly to a similar-looking but different account controlled by the hacker. And, hey, it's China!

Here is what I can be sure of: in case you haven't done so before, and in case your eyeballs skidded past my previous two zillion entreaties on this topic, if you use Gmail please install Google's relatively new, free "two-factor" authentication service. It reduces practically to zero the chance that anyone could control your account remotely, which in turn vastly increases your protection against attacks like these. Here are Google's official instructions, plus an earlier nag by me, Google has been fairly careful to "blame the hacker," rather than blaming the victims, in these episodes. But the truth is you'll blame yourself if you don't apply the two-step process and some day later get hacked.

Three other quick tips, before a fuller treatment later on:

- Diversity. It sounds so school-marmish, but it really matters not to use the same password everywhere. Reason: if one of your passwords gets hacked, as for instance one of mine was, along with those of 1.25 million other people, in last year's Gawker episode, you could have trouble for that one account. But if you use that same one for banking, email, your credit cards, etc -- then, sigh...
On the other hand, you go crazy if you have to remember dozens of passwords. For "life is complicated enough" reasons, I use the same few passwords for a bunch of nickel-and-dime accounts where I don't really care if they're hacked -- for instance, free registration at some news site. But how do you manage a large variety of passwords for more important sites? This leads us to:

- Password manager programs. I still use and like LastPass, even after the hacking attack it withstood last month. Details later, but "withstood" is the important term. There are a variety of these programs, of which RoboForm is also very well known. See, for instance, this LifeHacker review for more. The point is, there are cheap and easy ways to automate the process of juggling a diverse range of passwords.

- "Strong" passwords. The debate kicked off at the Danish Baekdal site back in 2007, about an easy way to construct good passwords, is worth following. The most surprising part of his argument is that a multi-word pass phrase, like "be my guest," could be both easy for you to remember and hard for anyone else to crack. As the original entry put it,

...it is 10 times more secure to use "this is fun" as your password, than "J4fS<2".

Not everyone agreed, and you can follow some of the back and forth here. I end up using "this is fun"-style pass phrases for some sites, obscure letter-character combos for others, and LastPass as repository for most. Mainly the discussion will make you think about password-ology in general, which in itself is an important step.

About the Author

James Fallows is a national correspondent for The Atlantic and has written for the magazine since the late 1970s. He has reported extensively from outside the United States and once worked as President Carter's chief speechwriter. His latest book is China Airborne.

More comfortable online than out partying, post-Millennials are safer, physically, than adolescents have ever been. But they’re on the brink of a mental-health crisis.

One day last summer, around noon, I called Athena, a 13-year-old who lives in Houston, Texas. She answered her phone—she’s had an iPhone since she was 11—sounding as if she’d just woken up. We chatted about her favorite songs and TV shows, and I asked her what she likes to do with her friends. “We go to the mall,” she said. “Do your parents drop you off?,” I asked, recalling my own middle-school days, in the 1980s, when I’d enjoy a few parent-free hours shopping with my friends. “No—I go with my family,” she replied. “We’ll go with my mom and brothers and walk a little behind them. I just have to tell my mom where we’re going. I have to check in every hour or every 30 minutes.”

Those mall trips are infrequent—about once a month. More often, Athena and her friends spend time together on their phones, unchaperoned. Unlike the teens of my generation, who might have spent an evening tying up the family landline with gossip, they talk on Snapchat, the smartphone app that allows users to send pictures and videos that quickly disappear. They make sure to keep up their Snapstreaks, which show how many days in a row they have Snapchatted with each other. Sometimes they save screenshots of particularly ridiculous pictures of friends. “It’s good blackmail,” Athena said. (Because she’s a minor, I’m not using her real name.) She told me she’d spent most of the summer hanging out alone in her room with her phone. That’s just the way her generation is, she said. “We didn’t have a choice to know any life without iPads or iPhones. I think we like our phones more than we like actual people.”