I regret to say that every day I get a message or two like the one below. "Regret" because of the churn and hassle the people who write are going through; regret because I generally intend to do something with or about the accounts - write a post, figure out better answers -- but generally something else comes up.
So let me just put up the latest email-distress account more or less the way it just came in. For those joining us late, three points of background:
- For how and why I got an immersion in the world of hacking and passwords, see this report of the time a West African attacker took over my wife's Gmail account and zeroed out six years' worth of correspondence.
- For the importance of Gmail's "two-step authentication" system, which the reader refers to, see this and this - but mainly turn it on now. If you feel brave, you can wait until after you read the message below.
- For background on one question the reader asks, about whether he needs to change an entire suite of "reallllly long passwords," consider these truths of password-ology: The longer a password (and most systems now take very long ones), the harder it will be for an attacker to crack through a "brute force" attack. After all, each additional character in a password can increase the number of possible combinations nearly a hundred-fold, if you allow for upper and lower case letters, numbers, special symbols, etc. On the other hand, really long passwords can be easy for you to remember, if they're based on some mnemonic - an entire verse of a song, a list of streets in your hometown, anything.
The reader says that he has applied these principles by making his passwords loooonnngg, based on a familiar-to-him phrases, and then adding minor variations according to a principle. To give a very simple example, an an Apple password could be something like:
TheRainInSpainFallsMainlyOnThe!Amazon&Plain (and so on)
He is wondering if his whole approach is now at risk.
All this is offered as a public service, in hopes that if you haven't applied proper password hygiene, you'll start doing it now. And, yes, I am aware that in the long run some solution other than passwords is needed - biometrics and all of that. But the long run is not yet at hand. Over to the reader:
I just had the misfortune of having my briefcase stolen, containing work laptop, original iPad, personal and work papers. The experience is almost bewildering - I feel like I should be more angry, but I am mostly sad and twisting in the wind. Oh, and working my fingers to the bone changing websites.
I can say without hesitation that figuring out what passwords, verifications, and permissions to find, revoke, or delete is already the most troublesome part of this process thus far. I already have 2-factor authentication on both my primary and secondary email addresses through Gmail. I installed a 3rd party anti-theft app on my Apple and Android devices, although I will admit that their FAQ/forum is not being particularly helpful now that my iPad is, um, stolen.
1) It's true, this is a major pain in the ass. Wouldn't wish on any except my worst enemies.
2) If I didn't have 2-factor and Google's ability to revoke access to subsidiary apps on a device-by-device basis, not to mention the ability to log those other devices out, I'd be really, really unhappy. [JF note: Yes. Gmail's 2-step system can seem cumbersome in some aspects, but it offers very quick, convenient, and all-in-one-place ways of revoking or de-authorizing passwords for specific devices passwords after an episode like this.] I also feel much better about it all having several services (likely candidates like AppleID) tied to a second, 2-factor email address with text authentication rather than my primary email's app authenticator.
3) I want a device that tracks all of the things that you've ever logged into - I am recreating it by looking at the iTunes App Store purchased section, and that's only helpful for the immediate big ones.
4) My AppleID Password is reaaaallly long (25+ characters). I still have to change it right? Second but related question for your experts out there: IF you use a mnemonic to create a unique password for multiple services, and the mnemonic is, say, reaaaaallly long, but the unique elements are short and the rest repetitive, in other words, easier to crack, is that a safe approach? We are assuming here that I am A) Not a famous person of interest worthy of the processor cycles, and B) not typing AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAb1, b2, b3 etc.
5) If someone from Prey [anti-theft app] is on your email list, will you ask them how I can enable push notifications after the fact, or whether I am doomed to waiting until this Black Monday thief takes my Apple stuff somewhere so I can get an IP, GPS triangulation, and so on to send to the police?
6) Do you have any advice beyond the stuff I've mentioned? Should I set a Credit Report Alert on general principle?
7) On the exceedingly unlikely (but unfortunate!) chance that the thief is a reader here, would you please heavily redact this prior to publication [JF: done, also some details changed], although I would be happy to continue the conversation so future victims can benefit.
p.s. Any requests for Bus money because I am stranded in England should henceforth be disregarded, although please do call and let me know.
More From The Atlantic