Wednesday, September 08, 2010

After the Gmail hack - passwords and security

My Google (gmail) account was hacked. Interestingly, I've yet to discover any consequences.

My 58,000 email seem intact. There are no obvious changes to my documents. Passwords were not changed. Spam was not sent. Our financial accounts do not appear to have been hacked.

 It's curious.

So what am I doing differently?

I've always followed Schneier-approved security practices. That is I've calibrated my security measures to the value of what I was protecting, and balanced the cost and benefit of security. Since the hack I've not made any radical changes, but I have adopted somewhat more restrictive practices. I fear the cloud more than ever.

I have no reason to expect that my password database, stored in 1Password on my iPhone and dektop, and in a FileMaker 7 database on an encrypted disk image at home, was exposed, but of course control of my email account would facilitate password resets. I'm gradually going through passwords and updating those I care about. That's probably less than 30 of the 1,500 or so entries in my password database. A gmail search of my email for the string "password" did not find much of interest.

Here's what I do now:
  1. I revised the passwords on my Gmail account (obviously) and all of our Google accounts. I used the free Password Assistant utility to invoke OS X password assistant to help choose good passwords. I use mostly "readable" passwords or, where needed, the number/letter options. I store these in two places - 1Password and FileMaker Pro [1].
  2. I'm incrementally working through the passwords on all of our financial accounts. That's worth doing anyway. Fidelity used to require weak passwords, now they allow reasonably strong passwords. In one case that will go unnamed, their security remains appallingly weak. In several cases the security arrangements remain, essentially, insane.
  3. We are storing less in Google documents. We didn't store much, but I'd considered putting some shared material in spreadsheets there.
  4. I'm deleting email more. No sense keeping what I don't need. I might send myself a password to enter into my password database, but why keep that around?
  5. I printed all password modified in the past two years for Emily and wrote on that directions on how to use the encrypted shares. That's non-electronic and stored in a secured place she controls. If I kick off, she has all she needs to get at the complete set - no passwords required.
  6. I don't enter my Gmail/Google credentials on machines I don't control.
The last is the biggest change. It's doable now that I carry an iPhone around.

These are the changes I'm considering and will probably implement:
  1. Move my email archives off Gmail. 58,000 emails is a rich attack surface. I may decide to keep only a few hundred emails there.
  2. Create Google Apps/Gmail accounts that have limited access to things like my contacts, calendar, blogs and so on. Use these primarily, and limit use of my core Google account. Think of these as perimeter defense that can fall to the enemy.
[1] I don't trust 1Password completely, but there's no easy way to put FileMaker data on an iPhone in a robust encrypted store. So I end up using FMP as my source of truth, and 1Password more or less updates itself and serves as a backup. Both are included in my routine backups, including the encrypted backup I take offsite. I've used both of these for some time.

Update 9/13/10: xkcd on why having a robust password is not enough - creating honey pot services to attract passwords (Ping.FM?). iPhone/Android apps can do the same thing. This could be considered a form of social engineering/phishing. In my case I didn't reuse the Google password.

No comments: