Passwords and Simple Practices to Protect Your Data
Last month, Sony released information to the public about a massive breach of its networks, exposing the account details of roughly 75 million users, including my own. I am a PS3 owner, and I will be cancelling my PSN account (when it comes back online, that is). Other major breaches, like the one on Gawker-controlled websites, the Plenty of Fish dating site, or, most recently, the possible breach at LastPass, are scary reminders that once we hand our data over it is out of our control and may someday find its way into the wrong hands.
The breach of Sony's networks will go down as one of the largest consumer-data breaches on record. The PSN (along with other subscription-based Sony online games, like EverQuest) was, for lack of a better phrase, poorly architected, with security an afterthought. For almost a year, the folks at Sony knew that the servers were running an outdated version of Apache on Linux, unpatched and not behind a firewall. A class action is now being formed against Sony, describing its conduct as 'criminal negligence' for not taking steps to protect its customers even after being notified of the network's weaknesses. Banks and card issuers are now getting involved to determine why Sony was not PCI DSS compliant, who was responsible, and what the damages will be.
Believe it or not, attackers were reportedly able to determine that purchases and other data sent over the PSN went across as clear-text URL parameters, including user name, password, credit card number, expiration date and CVV code. (PCI DSS requires cardholder data to be encrypted in transit over open networks and forbids storing the CVV at all, so if that account is accurate it is a violation on more than one count.) Sony has denied this, and it also tried to pin the attack on Anonymous to shift blame. Anonymous says it was not involved (the group is generally candid about what is and is not its work), and Sony's claim has now drawn the attention of the FBI, the DOJ and other branches of government. The result will most likely be millions of dollars spent on investigations and court cases only to confirm what we already know: Sony did not take adequate steps to protect its users.
Many other people and I just learned the hard way that you can never assume big companies know what they are doing when it comes to online security. This is Sony, one of the world's largest electronics manufacturers, with a great console and a free online store and network play. They must know what they are doing over in the Sony gaming network branch; it's all they focus on, right? Wrong.
The PSN is still down and inaccessible nearly a month later. This may cripple the future of the next PlayStation and other Sony endeavors involving home console gaming or online subscription play and payments. While Sony may recover financially, the blow to its credibility may never be repaired (at least with the 75 to 77 million people whose data was leaked, which is to say the entire customer base).
As users, we should be able to trust that a company is as secure as it says it is when we hand over our information online. But, as Murphy's Law has it, anything that can go wrong will go wrong. If you have been through this before, you know the consequences when data is stolen: changing bank account numbers, credit cards and passwords is quite the hassle.
What can you do?
First, use a different password for every site or service that asks for one. Using the same password everywhere is asking for trouble: if one site is compromised, every account that shares the password is at risk, and attackers routinely try leaked credentials against other services. Don't be a victim, because you will only have yourself to blame.
We suggest that you use a service like Strong Password Generator to generate a password of 15 or more characters. We know, you can't possibly remember a generated password. That's the point. Coupled with a password manager like LastPass, 1Password, or KeePass, your passwords are a click away whenever you need them. The one password you still have to remember is the manager's master password, which becomes your single point of failure, so make it long and use it nowhere else. While LastPass reported a possible breach earlier this month, they took the appropriate steps to address it and protect their users, all of which you can read on their blog. If you are wary of online storage, consider KeePass, which keeps its encrypted database on your own machine.
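The properties that make a generated password worth using are that it comes from a cryptographically secure random source and that its length and alphabet give it far more entropy than anything you could memorize. The following added example (not code from the original post or from any of the services it names) is a local alternative to an online generator: it draws from the `secrets` module, enforces a minimum length of 15 as the post recommends, and reports the entropy in bits. The character classes, the 87-character alphabet and the site names are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Character classes the generated password must draw from. The classes and
# the symbol set are assumptions modelled on a typical site password policy.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS  # 87 characters


def generate_password(length: int = 20) -> str:
    """Return a random password drawn from the OS CSPRNG via `secrets`.

    Rejection sampling keeps only candidates that contain at least one
    character from every class, so the result passes common policies
    without fixing any particular position to a particular class. The
    rejected candidates cost a fraction of a bit of entropy, nothing more.
    """
    if length < 15:
        raise ValueError("use at least 15 characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c in LOWER for c in candidate)
                and any(c in UPPER for c in candidate)
                and any(c in DIGITS for c in candidate)
                and any(c in SYMBOLS for c in candidate)):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string of `length` symbols.

    A 15-character password over this alphabet has about 96.6 bits; an
    8-character lowercase string has at most 37.6, and a dictionary word
    far less, which is why length plus randomness beats cleverness.
    """
    return length * math.log2(alphabet_size)


def unique_per_site(sites, length: int = 20) -> dict:
    """One fresh password per site, the way a password manager stores them.

    Raises if two sites ever end up with the same password, which for a
    CSPRNG at this length should never happen in practice.
    """
    vault = {site: generate_password(length) for site in sites}
    if len(set(vault.values())) != len(vault):
        raise RuntimeError("duplicate password generated; refusing to reuse")
    return vault


if __name__ == "__main__":
    # Constructed sample: three hypothetical accounts that must not share a password.
    for site, pw in unique_per_site(["psn.example", "mail.example", "bank.example"]).items():
        print(f"{site:14} {pw}  ({entropy_bits(len(pw)):.1f} bits)")
```

Store the output in a manager rather than a text file; the point of the entropy figure is that a 20-character password from this alphabet has about 129 bits, well beyond what an offline guessing attack on a leaked hash could exhaust.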
Another step is to turn on two-step verification wherever it is offered. Google offers it for Gmail and Google Apps (and most likely other services): signing in then requires both your password and a one-time code from your phone, so a password that is guessed, phished or leaked in a breach is not enough on its own, and the account settings let you see and revoke which devices and applications have access to your account.
Another benefit of generated passwords is that you stop leaning on one memorable password 'because it's easy' and reusing it everywhere, which is the mistake most people make. Rotating passwords is a reasonable habit: every 30 days, change some of them, which a manager like LastPass makes painless (current guidance such as NIST SP 800-63B no longer calls for scheduled rotation of long unique passwords, so treat this as optional). What is not optional: once you learn of a possible breach, change the affected password, and every other account where you reused it, immediately.
Be proactive. This is your data, after all.