While much has been written about the recent social engineering exploit affecting Apple and Amazon, and some potential solutions have been proposed, we remain in a poor information security environment today. Traditional credentials are still the primary way that people access systems. People pick a username and password combination and then reuse it as much as possible.
Password security is based on entropy, and passwords with greater entropy are hard for people to remember. Even I have written about selecting and securely storing unique, high entropy passwords. Apple and Amazon's recent issue makes it clear that even people who adopt good password policies are still vulnerable to attack.
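To make the entropy point concrete, here is an added example (not part of the original post) that computes the entropy of a password drawn uniformly from a character set, works out how long a generated password must be to reach a target, and generates one with Python's CSPRNG-backed `secrets` module. The formula only holds when every character is chosen uniformly at random, which is exactly why a generator beats a password you make up yourself.

```python
import math
import secrets
import string

# Character set a typical generator draws from: 52 letters, 10 digits,
# 32 punctuation characters = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a password of `length` symbols, each chosen
    uniformly and independently from an alphabet of `alphabet_size`."""
    return length * math.log2(alphabet_size)


def length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Smallest length that reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_password(length: int, alphabet: str = ALPHABET) -> str:
    """Uniform random password. `secrets.choice` uses the OS CSPRNG;
    the `random` module is not suitable for secrets."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # A human-style 8-character lowercase password, even if truly random,
    # carries far less entropy than a generated 16-character one.
    print(f"8 lowercase chars : {entropy_bits(26, 8):.1f} bits")
    print(f"16 mixed chars    : {entropy_bits(len(ALPHABET), 16):.1f} bits")
    print(f"length for 80 bits: {length_for_bits(len(ALPHABET), 80)}")
    print("generated:", generate_password(16))
```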
So, while the nerds work on more secure, more human-friendly forms of authentication, what are we to do? How can we protect our own information and privacy in an age where so much of our lives are "in the cloud"? These tips will help you secure your personal computing environment.
- Pick a different, strong password for every site or service you use. Ideally, use a password generator instead of your mind. 1Password and LastPass are both good solutions for automating this and make it easier to do passwords right.
- Don't forget your computer. Make sure you have to enter a password to use your computer. Consider using full disk encryption. Your computer is connected to the Internet and is a potential vector for attack. Give your account a nice, strong password. Be careful what software you download, and what emails you click. Malware with keyloggers or phishing attacks via email are common ways that even good passwords are compromised.
- Use a PIN code on mobile devices.
- Use two-factor authentication when it's offered. My Facebook, Steam, PayPal, Blizzard and other accounts all have a way to give me a time limited code to add new devices to those accounts. This adds additional security against compromise.
- Back up your data. More than once. I use Apple's Time Machine and CrashPlan, in addition to Dropbox. Time Machine gives me a local backup that is completely in my control. CrashPlan makes sure my data is offsite in the event of fire, theft or other disasters. Dropbox is not a backup solution, but it means I have multiple copies of my current working data.
- Encrypt sensitive information. I keep financial records in encrypted disk images. I keep personal information locked in 1Password. Even if Dropbox, CrashPlan or an email provider I use is compromised, an attacker still won't have access to my most private information.
Doing some of these things will make your computing experience less convenient, but you gain considerable resistance to attack by following these simple measures. When you have multiple backups, an attack is easier to recover from.
It's a jungle out there.