Something you know, Something you have

I read an article today in an educational newsletter about keeping your accounts safe with a strong password.  It suggested a range of sensible things like having at least 8 characters, using a mix of uppercase, lowercase, numbers and special characters, and not reusing old passwords.  All pretty good advice.

I hear a lot of people expressing concern about the security of “the cloud”.  They worry that their data could be compromised if kept on a server they don’t own themselves, or a server that is located somewhere else, possibly even in another country.  They express concerns about data breaches from hackers, security breaches of data centres, or even data being accessed by foreign powers during a government uprising. Is any of this possible?  I suppose so. Anything is possible. Unlikely perhaps, but possible.

If it’s true that anything is possible, and we want our data to have zero risk, then we need to not keep data anywhere. The only sure way to have no risk with our data is to have no data, but that’s obviously not possible, because we live in the real world where having data is important and useful. To live in a world without data is not an option. So when it comes to the security of your data, we need to decide what level of risk is acceptable to us.

Putting aside the likelihood of secret hacking attempts or tinfoil-hat conspiracy theories, can we all just acknowledge that the single most likely way your data will be accessed by someone else is if they get hold of your password.  Either you didn’t pick a very secure password to start with, or they guess it because they know your pet’s name, or you do what so many people do and write it on a post-it note and stick it to your monitor at work. Or maybe you are away from your desk without locking your computer. Or maybe you’ve shared it with someone you know.  Whatever the reason, that password, those eight or so little characters, are all that stands between you and potentially disastrous consequences.

So why, oh why, do more people not use Two Factor Authentication (or 2FA)?  I have had literally hundreds of conversations with people who will argue about the alleged insecurity of the cloud, and who get all freaked out because they don’t know where or how their data is physically stored, and who claim that they can’t possibly rely on a cloud service to store their precious data, but who don’t use 2FA on their account!  It’s insane.

Look, I get that some people might be mistrustful of the idea of putting their data somewhere other than a server that they own themselves. But unless they at least use 2FA to secure their account I cannot take anything they say about security seriously.  They are not even taking the most basic of steps to secure their own data, while they bleat about highly unlikely potential worst case scenarios.

So what exactly is two factor authentication?

Many people have two locks on their front door – a top lock and a bottom lock, each with it’s own key. Unlocking either one of the locks is not enough to open the door – you need to unlock both locks at the same time. That’s two factor authentication. You need both factors – in this case, both keys – to open the door.

When it comes to data, you also want to have two keys, or ‘factors’. And ideally you want to have two different kinds of factors – something you know and something you have. 

The something you know is the password, and yes it’s still a good idea to have a strong password, something with enough length and complexity that is hard to guess but easy to remember.  But it’s not enough. It’s just one factor.

The second factor is something you have, or something you physically carry with you, such as a phone or touch key. Unless the hacker or foreign power actually has your phone, they can’t access your data, even if they know your password.  Just like the two keys for the front door, they need both your password AND your phone at the same time. If they have both those things, you may just have bigger problems to deal with.

Some people think that using two factor authentication can be a pain, but it doesn’t have to be. It’s easy and absolutely worth whatever very minor inconvenience it might cause.  You probably have your phone with you all the time anyway, so it’s really not a big deal. Once you set it up, when you log into your account on a new device you simply enter your username and password as usual, then tap a button or enter a code on your phone to complete the login.  No phone, no login. Take that, hacker!

There are a number of ways to get that second factor, from receiving a text message, to entering a secret number that gets generated every 30 seconds, to tapping a ‘Yes’ button on your phone, to having a dedicated Yubikey in your computer. It’s an extra step, sure, but it makes your account very, very difficult to hack.

So please, if you don’t already use 2FA (on every account you own!) then set it up now. Your online life will be exponentially more secure. And if you don’t, then please do not ever express an opinion about the security of the cloud or anything else. If you can’t take even the most basic steps to protect your own online data then you have no business expressing your opinions about whether a cloud system is secure enough or not.  You just sound silly.

Should I Trust The Cloud?

https://www.flickr.com/photos/dherholz/450303689/

I received an email recently from a colleague asking about data sovereignty, and in particular asking about how schools deal with the  need to store all personal data on Australian servers to be compliant with the law. This was my reply…

When deciding whether to do a thing – any thing – you need to assess the relative risk. There is NOTHING that can have it’s risk mitigated to zero. So while we can have debates about the security of the cloud, the fact is that ANY service is generally only as safe as the password that protects it. It’s far simpler to socially engineer your way into a system than to hack it, and it’s easier to follow someone through an open doorway before the door shuts than to crack the lock. There are security risks involved with every system.

What makes you think that data saved on a server that happens to be geographically located on Australian soil is any safer than data on a server located on the other side of some imaginary geographical dividing line? What policies make Australian servers impervious to security issues?  What is it about Australian passwords that are safer than non-Australian passwords?

It’s interesting that whenever I hear the security argument from someone, I ask them whether they use 2-factor authentication on their online accounts. The answer is almost invariably never. I find it hard to take someone seriously when they bleat about security and yet do nothing to secure their own stuff using the safest and simplest technology we have available; 2 factor authentication.

I also find it amusing that these same people who bang on about not trusting the cloud, also almost always have a bank account. When I ask them where their money is stored, they say “in the bank”. When I ask where is it actually stored, they have no idea. They don’t know where their money – or the digital records that define the concept of money – is actually stored. They never stop to consider than when they go to an ATM and withdraw $50, it’s not the same $50 note that they actually put into the bank. There is no magical shoebox under the bank’s bed that stores their actual money… it’s all just computer records, kept on a server, somewhere, and I guarantee that they have no idea where that somewhere is.

That’s why the debate about whether we should be allowing our data to be stored offshore is such a laughable concept. It shows a real lack of understanding about the way the Internet actually works.

The truth is, it doesn’t matter WHERE your data is stored. What matters is WHO is storing it, and whether you trust them with it. I’d rather trust my data to major cloud provider offshore who offer privacy policies that I trust, along with strongly encrypted and sharded data storage techniques, virtual and physical security over their datacentres, and a proven track record of doing the cloud right, than to some minor player in the cloud storage space just because they happen to have servers in Australia.

I’m also not a lawyer.  However, I’ve done enough research into the Australian data sovereignty laws to feel satisfied that I’m interpreting them the right way. And contrary to all the Fear, Uncertainty and Doubt being spread around regarding these laws, they do NOT say that cloud services cannot be used unless the servers are in Australia. What they say is that the cloud service USER – that’s you – needs to feel satisfied that the cloud service PROVIDER is offering a service that meets your expectations of safety, security, privacy and redundancy.  If you do your due diligence, and come to the conclusion that you’re satisfied with your cloud service provider is giving you a level of service you can trust, then you are free to use it and in turn offer it to your users. If you don’t believe they are offering this level of service, then don’t use them. It’s as simple as that.

Your choice will never be able to come with a 100% guarantee. Nothing does. But if you do your research carefully and make your choices well, the chances are as good as they will ever be that you have made the right decision. The cloud offers amazing possibilities, and I’m completely convinced it IS the future of computing. I’m all in on the cloud as the platform.

To me, there is really only one obvious choice in picking a cloud provider. You want someone whose entire infrastructure is built for the cloud, whose entire business model is built on doing it right, managing data with security and integrity and maintaining the trust of their users. I’m not mentioning names because I’m sure you can make your own decisions about who you trust and how well they do this cloud thing.

What I don’t want to do is to place my data with a cloud provider who is still playing catchup, whose cloud infrastructure run on legacy platforms that were never built for the cloud, and whose business practices in slagging their competition I find completely distasteful.

I don’t care where their servers are located.

Header image by Dave Herholz – CC BY-SA

Getting out of Password Hell

A while ago I realised that my online life was in password hell. I was using literally hundreds of sites and services that required passwords, but they were held together with a confusing mess of old passwords that I’d mostly forgotten, numerous passwords which were being used on more than one site,  passwords that didn’t meet the usual complexity rules usually required across the Internet, and so on. I often found myself having to do a password reset just to access a site, and of course that new password became yet another one I had to remember. Or forget.

I felt things were a little bit out of hand so I finally took a few steps to clean up my digital life.

First, using the same password for everything is an exceptionally stupid idea. Instead, I came up with my own system that helped me create hard-to-guess, but easy-to-remember passwords that I could apply to any site.  Having a clear system for this meant that when I signed up for some new online service I could quickly come up with a password that was memorable while also being unique to that site. It really helps to have a system. I made sure that my system always met the minimum complexity rules usually found online… that is, they contained uppercase, lowercase, numbers and symbols and were at least 8 characters long. If you do nothing else, come up with a system for your passwords! It’s so frustrating when you attempt to log in to a site that you’ve been to previously and can’t remember your password. So come up with a system for yourself, and please don’t just use the same password everywhere!

Secondly, I turned on multistep or 2-Factor authentication  for passwords on every site that offered this option (and there are a lot of them now). This is probably the single biggest thing you can do to improve the security of your online life. If you go online and don’t use 2 factor authentication, you’re not really serious about your online security. It’s that simple. I find it both amusing and frustrating when I hear people questioning the security of online services, and then find out they don’t use 2-Factor passwords. If you don’t use 2-Factor on every site that enables it,  please, don’t ever complain about the dangers of online security.  It just makes you sound silly. It’s not hard to set up, and if you use something like Google Authenticator to manage your second factors, it’s very simple to use.  The minor inconvenience of having to enter the second factor is far outweighed by the added security. Trust me on this. Turn it on. Now.

Finally, I set up a password manager. I chose LastPass,  but there are others. It took a while to get my head around how LastPass works but once I did, it made life so much easier. If you want to try LastPass for yourself you can get it on this link.
https://lastpass.com/f?7253846

If you are in password hell like I was,  take some of these positive steps to sort it out.