compromises

How safe is your digital reputation?


If the Evil Bunny gets hold of your Facebook, all hope is lost.

We live in the digital millennium, in a world where your passwords are protecting so much information, that it's probably wise to start thinking about how safe your data really is.

As a photographer trying to carve out a niche for yourself, your digital reputation is extremely important: If my Twitter stream suddenly started being filled with a lot of spam, for example, you'd unsubscribe pretty quickly, wouldn't you? Of course you would.

When you think about it, if someone could look inside your brain and get access to all your passwords, many of us would be worse off than if they stole our house keys.

What happens if someone compromises your passwords?

Stop and think for a moment: What would happen if someone had all your passwords? Could they get into your calendar? Could the hackers see your address book and phone numbers? Could they read your e-mails? Could they access your internet bank and transfer money out of your account? Could they post embarrassing things as you on your website, blog, or social networking sites?

I realised a long time ago that a lot of my reputation and financial stability hinges on my passwords being safe.

So, what can you do to stay safe?

Pick safe passwords

It's no good to pick passwords that people can easily guess; that much is obvious. There's no point in using "Meke" as my password, because anybody who knows me would know that's my sister's name.

Same thing with other obvious pieces of information; It's not hard to find out somebody's birthday (it's often a piece of public information on Facebook) or their mother's maiden name (in these times where marriages sadly often don't last, your mother's maiden name is as likely as not to be her current name). In the case of my own mother; she was remarkably progressive, and never took my father's last name. Whenever my bank asks me for my mother's maiden name as a security question, I sigh and give up. "It has been her name for over 60 years. How is this going to help your security"?

Of course, in the name of security, I made up a new mother for myself, whose name is nothing like my own mother's. (Mum, if you're reading this - I'm proud of you and your name, but you just ain't secure enough for me!)

Anyway; Passwords. Don't use words that are in the dictionary, don't use foreign-language words, and don't use obvious substitutions. "P3SSWORD" is marginally better than "P4SSWORD", for example, because the hackers have figured out that 4 is often used for an "A", etc.

Personally, all my passwords look a little bit like "6MT#2o,UGrI^eBY", "A1_U3YiqR'&guybc" or "3Fs-wOhT/n5MG". Spot a pattern there? No, well that's sort of the point. Use a mixture of upper and lower case letters, use numbers and symbols, and pick something utterly unpronounceable.

Don't use the same password twice

Now that we've learned to use secure passwords, what's next? Well, it doesn't help how secure your password is, if you use the same password for everything.

Why? Well, imagine your password is "asdqwe123", and you have been using it for absolutely everything since the dawn of the internet. You will have hundreds of logins by now, and you will have told each of these sites your password.

Do you really trust all of these sites with all the information you have stored on all other sites? Because that's essentially the compromise you are making.

Don't think that your passwords are safe, neither: A recent case worth keeping in mind was the Gawker network. Last weekend, Gawker had a security breach, where 1.2 million logins and (encrypted) passwords were stolen. In other words: If you are one of the 1.2 million people who ever made an user account to make a comment on Gizmodo, Lifehacker, Jalopnik, or any of their other sites, your password is potentially compromised.

Worse; it seems as if the passwords have already been cracked: Thousands of people were suddenly tweeting about Acai berries, seemingly in connection with the above breach, because people had been using the same passwords on Twitter as on one of the Gawker site.

Password theft is not a one-off, either. The enormous social media site Reddit had a security breach where media containing their backups was stolen, potentially leaking usernames and passwords to criminals.

The list goes on: People have stolen passwords from the government, open source movements and social networks. On top of all this theft, there are a lot of dastardly attempts out there where cybercriminals try to trick you into giving them your details - a practice known as "Phishing".

So, What is a poor social media debutante to do?

I realise this is pretty tricky: As I am writing this, I have no fewer than 576 passwords and logins for various sites. If I were to have a different password for each of those - and especially if my passwords are all resembling "/MZYIougB2)4q" or "3'z1tNgk>Wyq!EjY!" - I would have locked myself out of each account.

Nonetheless, the only thing you can do, is to try to find a way to never use the same password twice. That way, if your password to Lifehacker's commenting engine was stolen, at least the thieves can't post embarrassing stories as you on Facebook.

Software to the rescue

Personally, I use a piece of software called 1Password, from Agile Web Solutions. It can generate safe passwords, and it keeps track of your passwords for you. The trick is to use a single, extremely high quality password to protect all your other passwords. I only use that password for 1Password, and nowhere else; Of course, I now have to trust 1Password to not break or lose my passwords, but I'm happier to trust a heavily encrypted file of my 576 passwords, than any other way of doing things.

1Password has a couple of bonuses in addition to taking care of your passwords for you: It stores your bank and credit card details, completely encrypted of course, and supports 'secure notes', where you can basically store anything you like, and whenever you quit the software, it'll be securely encrypted.

The added benefit of using something like 1Password instead of the password saving functionality built into your browser, is that if someone were to steal your computer, they still can't get access to your passwords and sites.

Rotate your passwords regularly

Of course, the two above steps are great containment strategies: You are making it difficult for someone to break into one of your accounts, and if they do somehow manage to break in, they can't get access to any other accounts.

The final step is to regularly change your passwords for high-risk logins.

So, what do I mean by a high-risk login? Let me give you an example: I'm particularly paranoid about my mail e-mail account: All the other sites I use tend to have "Password Recovery" features: You click a button that reads "I forgot my password", and they send you a new one by email. That's great, but what happens if the thieves are controlling your e-mail account? All the hard work you have done to protect your passwords is wasted; they can get at them from the source.

So: Protect your e-mail password as if it was your most valuable possession. It may very well be true. Change it once per month - no exceptions.

The other important passwords worth changing frequently are your internet bank, your PayPal password (because your money is on the line) and your FaceBook password.

The latter is important because you can log into other site using FaceBook Connect; if you lose your FaceBook account, you are effectively losing a lot of passwords at once (That's the case with any OpenID or Single Sign On solution, by the way). In addition, if you lose your FaceBook account details, you may be opening yourself to various forms of blackmail or embarrassment. I'm sure you can think of a few things you wouldn't want your mum to read, thinking it came from you, for example.

In short...

So: A quick summary: Pick a secure password. Only use each password for one site. Change them regularly. Take extra care of your money and e-mail.