
Yahoo hack: Password management and the problem with security questions

In How-to by Steve Wilkinson

If you’ve been paying attention to tech news over the last several weeks, or any news for that matter, you’ve heard about the Yahoo email hack (occurred late 2014, disclosed September 22, 2016). It is being touted as the biggest hack of all time, affecting over 500 million user accounts. (Update to the Yahoo hack situation: Yahoo just revealed another hack of over 1 BILLION accounts, a YEAR EARLIER!) I’m going to give you some advice to help keep you safe (in general), as well as a very important tip this particular hack uncovered (and why most of us are vulnerable!). Here are also links to the Wikipedia article, and the official Yahoo announcement.

General hack prevention and password management


These kinds of hacks happen regularly now, so you need to be prepared. My top advice has always been to use a unique, strong password for every account or service. That way you minimize the damage from any particular breach (not just the Yahoo hack), because the attackers can’t reuse a stolen password to get into other accounts you might have.

The difficulty this presents is that it’s hard enough to remember one good strong password (strong = a minimum of 12 characters, with a mixture of numbers, upper/lower case letters, and various symbols; I’d recommend 12-15 as a minimum, and even longer if it isn’t random). Remembering one for each of a bunch of accounts is pretty much impossible. I suppose you could write them all down and lock them in your drawer, but that’s very inconvenient and still quite risky if you ever have a home/office theft.

Password Managers

The solution is to use what is called a password manager. A password manager is software which encrypts your passwords and sensitive information in an organized and searchable manner. It can insert your URL, username, and password (or other information) on command into a login screen, and typically generates strong passwords for you when you create accounts on various services.

Better password managers have a number of other features, such as cross-platform and mobile client apps, and capability to sync the information between devices. This is important, since your passwords are going to be far too complex to remember, and even hard to type. You’ll want this information with you at home, at the office, while traveling, on (or at least alongside) whatever computer or device you happen to be using.

While the method these services use varies, I recommend you consider a few things when selecting one:

You will want to control access to the encrypted file.

Even though the file is encrypted, it’s still possible for some future technology to break the encryption, or for some flaw to be discovered, allowing the data to be extracted. While this is relatively unlikely, especially in the short term, it is something you should consider when thinking about one of these apps. Where is that data file stored? Who might have access to it? Can you easily manage it? Is it only in the ‘cloud’?

Backup and archive that file!

Murphy’s Law seems to strike at the worst time, but it pretty much always comes along eventually. Storage devices fail, data gets corrupted, or we make mistakes. You want to have a copy AND a history of this crucial file in a number of places. First, you should have a backup system that keeps incremental backups of the files you use. Such a system makes a copy of the data that has changed at some interval, allowing you to go back to the file in the state it was in before you accidentally pasted your cat’s name over your bank password and absent-mindedly saved. A good example on the Mac is Time Machine. But any good backup software will include a timed incremental backup feature.

You should also keep some kind of offsite archive of your data files (for your entire computer, for that matter), made from time to time. For this kind of file, it’s nice to keep a snapshot at some interval, much like the incremental backup above, except YOU manage it, not the automated backup software. The reason for this is that automated backup mechanisms sometimes fail, and they also overwrite old data after a certain period of time.

The other reason is that if your home/office burns down, or is broken into, you’re likely to lose your backup. I have a story from my consulting history, where an architectural firm was nearly put out of business after a theft left them without their CAD stations, server, backup system, AND the DAT tapes stored in a drawer near the server! Luckily one of the firm partners had taken a couple of tapes home a month or so earlier to work on a large project, and they were able to recover about 70% of their server data from those tapes. Still a huge blow, but fortunately not fatal to their business. Don’t let this happen to you!

Make a todo list entry, and maybe once per month, put a copy of that file (add the date to the file name) somewhere, like on a thumb drive in your safe, or, if you trust it, into your cloud storage. (See above about access and trust… while I use services like Dropbox and Google Drive, there is some risk involved in keeping sensitive data there!) These files aren’t typically big, so keep each dated file going back in time. And, like I mentioned earlier, it’s not a bad idea to keep a periodic snapshot (bootable if possible) of your entire computer. If you have two external hard drives, you can rotate them off-site somewhere.
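The dated-snapshot routine described above, as an added example (not code from the post or from any password manager): it copies the manager’s data file to a dated name, verifies the copy by hash, refuses to overwrite an existing dated copy so the history stays intact, and lists the snapshots oldest first. The file name, contents and dates in `demo()` are constructed.

```python
import hashlib
import shutil
import tempfile
from datetime import date
from typing import Dict, List, Optional
from pathlib import Path


def _sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def snapshot(vault: Path, archive_dir: Path, when: Optional[date] = None) -> Path:
    """Copy `vault` to archive_dir as <name>-YYYY-MM-DD<ext> and verify it.

    Raises FileExistsError instead of overwriting: every dated copy is kept,
    so you can go back to any earlier state of the file.
    """
    when = when or date.today()
    archive_dir.mkdir(parents=True, exist_ok=True)
    dest = archive_dir / f"{vault.stem}-{when.isoformat()}{vault.suffix}"
    if dest.exists():
        raise FileExistsError(f"snapshot already exists: {dest}")
    shutil.copy2(vault, dest)  # copy2 preserves the original timestamps
    if _sha256(dest) != _sha256(vault):  # detect a truncated or corrupt copy
        dest.unlink()
        raise IOError("copy verification failed")
    return dest


def history(vault: Path, archive_dir: Path) -> List[Path]:
    """Dated snapshots of `vault`, oldest first (ISO dates sort lexically)."""
    return sorted(archive_dir.glob(f"{vault.stem}-????-??-??{vault.suffix}"))


def demo() -> Dict[str, object]:
    """Constructed run: a fake vault file, two snapshots, one refused overwrite."""
    with tempfile.TemporaryDirectory() as tmp:
        vault = Path(tmp) / "passwords.pwl"  # constructed sample file
        vault.write_bytes(b"constructed sample vault contents")
        archive = Path(tmp) / "archive"
        snapshot(vault, archive, date(2016, 10, 1))
        snapshot(vault, archive, date(2016, 11, 1))
        try:
            snapshot(vault, archive, date(2016, 11, 1))
            refused = False
        except FileExistsError:
            refused = True
        names = [p.name for p in history(vault, archive)]
    return {"snapshots": names, "overwrite_refused": refused}
```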

Interface and operation

How does the actual app function? Does it fit into your workflow? For example, the password manager I use is able to auto-type information into pretty much whatever app I am using, whereas some can only operate within a browser. If you’re mostly using browser-based services, then this might not be a problem. But, if you’re a software developer, you might want it to be able to paste info into a terminal window, for example.

Do you need to be able to work between family members or a team of people? If so, you’ll have to think of a way to manually keep the information in sync, or use a cloud-based service (again, if so, keep my above warnings in mind).

My recommendations

PasswordWallet by Selznick

1Password by AgileBits

Stay away from ‘built-in’ methods, like Apple’s Keychain

Recently, a flaw in the iOS device backups made to the computer potentially exposed all the stored passwords to an easy attack by anyone with physical access to that computer. While that situation might be rare, imagine if the problem had affected the backups into iCloud. Apple (and many other companies) are simply a mess these days in terms of software quality. They can hardly keep the core of things together, let alone side features like this.

Obscurity and specialization are your friends when it comes to things like this. Pick software from a company that specializes in this stuff, and don’t depend on some side feature of a major OS or other piece of software. And don’t store passwords in your browser (as Chrome offers to do)! Log out of services after you use them. That’s even a good idea on your home computer if you’re going to be away from it for a while. (In fact, I log out of services even during general computer use, as services like social media often follow you around to sites you visit for comment system use. That’s just a bunch of extra info I don’t need to share with Facebook, etc.)

Be aware of phishing, social engineering, and links.

Most of the tips so far help keep you safe from the big hacks where a bunch of account data is exposed. But, there are other kinds of threats to be aware of which are more targeted at you.

A phishing attack is when someone tries to trick you into giving your information. If you fall prey, even the best security methods will fail. Be skeptical about password dialogs, following links, phone calls, etc.

The basic advice here is for YOU to initiate, NOT to react. If you get a dialog asking for info, are you directly on the site it belongs to (or is the dialog coming from a trusted source, if you can tell)? Is the connection encrypted (i.e. HTTPS/SSL)?

If you can’t tell, make sure to go directly to that service and sign-in yourself; don’t trust the dialog or link. If you get a link in an email, it might be best to, again, go to the site yourself and not follow the link.

If you get a phone call from the IRS, your bank, Microsoft, etc., is it really them? How would you know? Most of these places would never call you and ask you for information, so it’s likely a scam. Instead, look up the proper phone number or contact info, then contact them yourself, log in directly, etc.

But, this Yahoo hack exposes a different risk!

One aspect of the news surrounding the Yahoo hack that caught my attention was that the hackers got the ‘security’ Q&A (questions and answers) along with the rest of the data. You know, those questions like: “Where did you go to high school?” or “What is the name of your favorite pet?”

The problem with security questions!

No matter how good the physical and encryption security is, hacks are often accomplished through social engineering. I remember seeing a video of a couple of security experts having access to a reporter’s bank account within a matter of about 10 minutes without even touching a computer. They had researched a bit about the guy, and posed as the guy’s wife/partner and were able to gain access.

Most services you’ll sign up for, even the most secure ones with multiple-factor authentication, have some method of password recovery or account access, if all else fails. And, these methods are typically very vulnerable.

‘What high school did you attend?’ Give me a break! What is the point of having super multiple factor security and strong passwords if someone can unlock your account with just a phone call and knowing the answer to one of these questions?

It’s a crazy method, but unfortunately, it’s used by nearly everyone; possibly even your bank. So what can you do? Some services are now allowing these questions and answers to be deleted (recognizing the risk). For example, when I signed into my Yahoo account to change the passwords, there was an option to delete them (and replace them with a text to a phone number or alternate email). That’s slightly better, but still potentially problematic.

But what if the service you use forces you to use these so-called security questions? What if you answered the security questions at your bank with the same answers the hackers now have from this Yahoo hack? The solution is fairly easy: LIE! It’s a bit of extra work, but it might keep your account safe.

Remember that password manager? You’ll need it for this. When they ask what high school you went to, answer with something like: MSWNg67yI95iwPF8m (and be sure to use different random answers for each site!)

In your password manager, keep both the security question and this strong password answer. It is a bit of a pain when they make you do three to five of these, but it will be worth it in the long run. This is a good reason to be sure your password manager supports a notes area, or custom field creation.
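An added example (not code from the post or from any password manager) that does what the two passages above describe: it checks a secret against the post’s strength rule (12+ characters with digits, upper/lower case and symbols), generates random security-question answers with a CSPRNG, and builds the per-site record of question plus answer to keep in the manager’s notes or custom fields. The site names and questions are constructed; `symbols=False` is an assumed option for sites that reject symbols in answer fields.

```python
import secrets
import string
from typing import Dict, Iterable

# Strength rule from the post: at least 12 characters, mixing digits,
# upper/lower case letters and symbols. SYMBOLS is an assumed symbol set.
MIN_LENGTH = 12
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?"


def has_classes(secret: str, want_symbols: bool = True) -> bool:
    """True when every required character class appears in `secret`."""
    classes = [
        any(c.isdigit() for c in secret),
        any(c.isupper() for c in secret),
        any(c.islower() for c in secret),
    ]
    if want_symbols:
        classes.append(any(c in SYMBOLS for c in secret))
    return all(classes)


def meets_policy(secret: str) -> bool:
    """The post's 'strong' definition: long enough and all classes present."""
    return len(secret) >= MIN_LENGTH and has_classes(secret)


def random_answer(length: int = 16, symbols: bool = True) -> str:
    """Random 'answer' of `length` characters that satisfies the policy.

    Uses the `secrets` module, not `random`, so answers are unpredictable.
    Retries until every required class is present (loops only rarely).
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = string.ascii_letters + string.digits + (SYMBOLS if symbols else "")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_classes(candidate, symbols):
            return candidate


def security_answers(site: str, questions: Iterable[str],
                     length: int = 16, symbols: bool = True) -> Dict[str, object]:
    """Record to store with the login: the question as asked and its answer.

    Each call draws fresh answers, so two sites never share one.
    """
    return {"site": site,
            "answers": {q: random_answer(length, symbols) for q in questions}}
```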

And, maybe, just maybe… if enough people start to do this, companies will take a step back and come up with a better authentication method.