Apple’s Secure Password Advice No Help Against ‘Epic Hack’
by Robert McMillan, wired.com
January 16th 2013
If you haven’t read my colleague Mat Honan’s eye-opening account of his “epic hacking” over the past weekend, you should. If you have, you have a pretty clear idea of how the trust we put in service providers can be cracked, and then subverted to amazing effect.
In Mat’s case, passwords were clearly the weakest link in the attack. Equally clear, however, is the fact that the password security practices most commonly enforced by cloud providers and corporate IT gave Mat no cover in the incident.
We’ve written about this in the past, and it’s worth asking again: Does our myopic focus on writing secure, impossible-to-remember passwords, really help us much? Or does it create a false sense of security and suck all the air out of what should be a more nuanced discussion of password security?
Take Apple. To set up an iCloud Apple ID, you must have a minimum of eight characters. You must also use a number, an uppercase letter, and a lowercase letter. This isn’t a bad idea, but creating strong passwords like this protects you from one type of attack — a brute force attack where the bad guys guess — and guess and guess — millions of password combinations until they chance upon your password.
It’s great to have a strong password if someone steals a big batch of hashed or poorly encrypted passwords. People with strong passwords were protected in the recent LinkedIn hack.
But brute force attacks aren’t how the bad guys typically get passwords these days. They’ll steal them with phishing attacks or keyloggers. Or, in Mat’s case, they’ll do social engineering. The attackers gleaned a bit of information from Amazon and public sources, and then called up Apple with just enough information to trick tech support into handing over access to his account.
Hackers are a bit like toxic sludge flowing downhill. They find the cracks in security and flow through them. And right now strong passwords aren’t the big cracks.
In the security world, we’re pretty good at addressing the big, well-understood problems. That’s easy. What we’re not so good at is seeing the next ones that are coming. And often they’re the ones we need to worry about the most.
When we talked about the incident at Wired yesterday, Mat said that if he could go back in time and change one thing, he would have added a second authentication factor to his Gmail account. He’d also have backed up his data somewhere else.
If you work for a big corporation, you’re probably forced to use really secure passwords and to change them regularly. But do you get any advice on how to spot a phishing attack, or how to secure a service like Gmail using your mobile phone? Does corporate IT or your cloud service provider tell you how to lock down and decouple consumer services that you might be using for work? Does your company make sure that ex-employees are no longer allowed to send Twitter messages or post to the company’s Facebook page? How many apps can access your corporate Twitter account? How could someone get access to them?
These are more important questions right now than “Does your password include an uppercase letter or not?”
If you want to know how to avoid becoming the next Mat Honan, check out Threat Level’s great security tips here.
It’s fair to ask whether corporate IT should get involved in any of this. But workers — and ex-workers — are using consumer services at work. And when things go wrong, that can cause real brand damage. Just ask Gizmodo.
Story has been updated to add Threat Level’s security tips.