How Not to Become Mat Honan: A Short Primer on Online Security

Meet Mat Honan. He just had his digital life dissolved by hackers. Photo: Ariel Zambelich/Wired. Illustration: Ross Patton/Wired

By now, you’ve probably read or heard about Wired staff writer Mat Honan’s journey through digital hell, in which hackers social-engineered Apple into giving them the keys to his digital life, allowing them to scrub his laptop, iPhone and iPad, hijack his and Gizmodo’s Twitter accounts and delete eight-years-worth of email from his Gmail account.

Honan admits to making a number of mistakes — such as failing to enable two-factor authentication and not backing up his data — that allowed the hack to escalate to the point from which there was no return.

In the hope of preventing you from experiencing a similar fate, we’ve listed a number of steps you can take to protect your data and your identity online. While nothing is foolproof — if hackers install a keystroke logging Trojan horse on your computer, all bets are off — these steps will help protect you from the tactics that Honan’s hackers used, and other ones out there.

1. Use Two-Factor Authentication with Gmail and Other Accounts

Gmail and other services offer two-factor authentication that help secure your account even if your password is stolen or cracked.

When you set up two-factor authentication, you get verification codes delivered to your phone, which you then enter, in addition to your username and password, when you sign into Gmail. Google also offers an application you can download to your phone to generate the codes locally. See the video above for an explanation.

Amazon web services and Rackspace cloud service, and other sites and services have adopted Google’s two-factor authentication as an option (there’s even a WordPress plug-in), allowing you to use a Google application on your smartphone to generate verification codes to access your accounts with their services as well.

While two-factor and the associated application-specific passwords can be a minor hassle, they mean that even if a hacker gets your password, they’ll have another layer to break through. If you find it annoying to enter the secure code every time you use your computer, you can choose to have Google remember your computer for 30 days or forever, but this means you have to be very sure your computer won’t fall into the wrong hands.

2. Use SSL or a VPN with Public Wifi

When logging into accounts from public WiFis, make sure to use SSL login pages (https). The Electronic Frontier Foundation’s HTTPS Everywhere tool can helpfully do this for you. Even better, use a virtual private network (VPN) to protect your data so that your login credentials can’t be sniffed by someone on the network. Basic VPN costs start at $5 a month, and for light usage on a Mac try TunnelBear.

3. Use Unique Passwords

Don’t use the same password for multiple accounts. Pick unique passwords for personal e-mail, work e-mail, banking, social networking sites and shopping. If one site gets hacked and your username and password are exposed – as occurred in multiple hacks over the past year – hackers will attempt to use the exposed password with multiple accounts you might have. Don’t help them do one-stop shopping for all your credentials.

4. Use Complex Passwords for Important Accounts

Honan’s accounts weren’t hacked due to weak passwords – so consider strong passwords to be only one part of good online security habits. But nonetheless, we’ve said it before – and so has everyone else – passwords should be longer than eight characters and include letters, numbers and characters – Pn3L!x8@H. And yet, every time another major hack exposes passwords, the top passwords used turn out to be “password” and “abc1234.”

With so many tools available these days to help you generate solid passwords and remember them, there’s no excuse to use poor password hygiene. Wired staff use both LastPass and 1Password. And the old paper-in-wallet trick, loved by security expert Bruce Schneier, works as well. Unique passphrases are also handy – EveryFineBoyDoesGood — but should be used with other characters to avoid easy cracking — Every!Fine@Boy%Does8Good.

Ideally, this kind of complexity isn’t necessary for websites as long as you don’t use a dumb password (e.g., your anniversary, birthdate, “password” or “1234″) that is easily guessed, since sites should be set up to lock out a user after multiple password tries to prevent password crackers from bruteforcing a password. But, since we know that websites don’t always do what they should do, be warned.

5. Don’t Link Accounts

The hackers who hijacked Honan’s Twitter account, were also able to take control of Gizmodo’s Twitter account because Honan, who used to work for Gizmodo, had linked the two accounts so that he could automatically sign into Gizmodo’s account with his personal Twitter account credentials. Keep log-ins separate for different accounts.

6. Get Creative With Security Questions

Skip the standard security questions like “What’s your mother’s maiden name?” or “Where did you go to high school?” since that kind of information is easy to glean about you with a simple Google search (Hello, Sarah Palin!). Or you can answer those common questions in creative, unexpected ways by swapping answers to various questions. “What was the model of your first car?” How about using your first girlfriend’s name for the answer instead, and the name of your first car for your girlfriend’s name? Or simply add characters to the name of the car – Ch!evy Ca27maro.

Feel free to create unique answers for each site that requires a security question and keep them stored in your password manager.

7. Back Up Your System

Honan’s pain was increased tenfold when he discovered the hackers had erased all of the photos from his daughter’s first year of life. Storage is so cheap these days and automated backups are so easy to set up that there’s no excuse not to keep copies of your important data.

8. Encrypt and Password-Protect Devices

To prevent someone from accessing your data and the password storage tool you have on your devices, encrypt the data on your devices and password-protect them.

9. Use Single-Use Credit Cards

One of the ways the hackers got access to Honan’s Apple data was by providing the last four digits of a credit card number he had used at Amazon. Apple had the same card number on file for him. Aside from the fact that Apple should never use the last four digits of a credit card number to authenticate users in the first place, Honan might have protected himself by using a single-use, or disposable, credit card number for his online shopping at Amazon, thus reducing the number of services that stored his real credit card number. Citibank, Bank of America and Discover all offer disposable card numbers that are tied to your real card number, but prevent that number from being exposed if a site is hacked.

Always use a credit card, rather than your debit card, when shopping online. While you can get reimbursement for fraud on either card, there’s no buffer between you and the money linked to your debit card, allowing hackers to drain accounts that are linked to it. With a credit card, you can dispute the charge before you pay it.