Sigh.

Another Facebook trojan is doing the rounds, no doubt aiming to steal passwords, and another few friends have had their accounts broken into. Here is what to do to stop it happening to you.

First, the simple rules.
Rule 1. The people trying to hack your accounts are usually pimple-faced geeks (PFGs) with nothing better to do. They are looking for an easy ride. They are lazy, and generally speaking don't want to cause a major incident by identity theft. They may be after a few dollars from your bank account, but mostly they are after a bit of fun.
Rule 2. Most people have passwords that are pretty easy to guess. It's either the same as their login name, or it's the same with a few numbers added, or it can be figured out by looking at their online profile. Or it's just "password1".
Rule 3. Catch one, catch them all. Most people have the same password for their Facebook account as their LinkedIn account as their Gmail account as their internet banking. Either that, or add or remove a few numbers from the end and you have them all.
Rule 4. Most people who don't fall into rule 2 or rule 3 have a complex and difficult-to-remember password that is written on a yellow sticky note next to, or under, their keyboard.
Rule 5. People who don't fall into rules 2, 3, or 4 make life hard for the PFGs, and they will go elsewhere looking for fun. See rule 1.

So here's what to do.
Step 1. Get hold of a decent password safe program. There are many of them about, and most of them are free. The one I use is called KeePass, and it can be found here: http://keepass.info/ There is a Linux version that is compatible with KeePass version 1 files, which is here: http://www.keepassx.org/

The thing I like about it is that it's free, and it can be obtained in a "portable" edition that can be copied onto and run from a USB stick. In fact it's not that hard to compile the Linux version statically, so that it can also be run from a USB stick.
Preferably, use a free one. This is not an endorsement of KeePass as a product, but free is the way to go. Whatever you do, don't use one where the source code can't be obtained, or one that says "we have a fantastic proprietary encryption algorithm that's all our own that nobody else knows about, so it's ultra safe". That is BS. The best encryption algorithm to use is AES, preferably in the 256-bit variant. The US government uses this algorithm for all of its defence needs, and mathematicians all over the globe have been studying the algorithm for years and have failed to find any faults. The worst algorithms to use are the secret and proprietary ones, because they haven't been scrutinised by hundreds of mathematicians, and nobody knows whether there are faults, or what those faults are. The source code and mathematics behind AES are publicly available, which makes it more secure.
Step 2. Go buy a USB stick. It doesn't have to be big. Get one with a swivel that has a small loop on it, so that it can be stuck on your keyring. Yes, that keyring, the one you keep your house keys on. This is going to be your "internet" key, and you should keep it safe just like your house keys. Fetch and install KeePass or KeePassX or whatever onto the USB stick. Make a folder on the USB stick and call it something like "holiday snaps". Copy a couple of hundred of the most boring holiday photos you can find into the folder, preferably the ones of Uncle Ernie when he got drunk at your sister's 21st and felt up the cocktail waitress. In addition to those holiday snaps, create your password safe file (KeePass calls this a KDB file, but you don't have to give it a .kdb extension; in fact you can call it ernie_001.jpg. This will confuse your JPEG viewer but won't bother KeePass.)
Step 3. Think of one password that you will never forget. That's going to be the password to your KDB file.
Step 4. Use KeePass or your favourite program to generate new, random passwords for all of your online applications. You want a different password for each app, so your Facebook password and your LJ password and your internet banking password will all be different. What size password you use may vary from place to place, e.g. LJ requires 8 or more characters in a password, and some require a minimum of 8 and a maximum of 32 or something like that. 16 or so randomly generated characters of upper and lower case plus some numbers is usually pretty good.
Don't try to think of different clever passwords for each application. Use the program to generate a random one, within the constraints allowed by the application. There might be something in your thinking that allows a hacker to guess what password you might choose, but nobody can guess what happens when you push the "Generate" button to create a random one.
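As an added example (not code from this post or from the KeePass project), here is the idea behind that "Generate" button: each character is drawn independently from the operating system's cryptographic random source, the length is clamped to the application's stated limits, and the result is measured in bits of guessing work. The two policies and the alphabet below are assumptions constructed for the demonstration, standing in for the "8 or more" and "8 to 32" rules mentioned above.

```python
import math
import secrets
import string

# Constructed example policies, standing in for the per-site rules in the post.
# Shape: minimum length, maximum length (None = no stated maximum).
POLICIES = {
    "lj": {"min_len": 8, "max_len": None},    # "8 or more characters"
    "bank": {"min_len": 8, "max_len": 32},    # "minimum of 8 and a maximum of 32"
}

# Upper and lower case plus numbers, as the post recommends: 62 symbols.
ALPHABET = string.ascii_letters + string.digits


def generate_password(length=16, min_len=8, max_len=None, alphabet=ALPHABET):
    """Return a random password of `length` characters from `alphabet`.

    Each character comes from `secrets`, i.e. the OS CSPRNG, so there is no
    human pattern to guess. `length` is clamped into [min_len, max_len] so the
    result fits the application's policy, and the loop retries until at least
    one upper-case letter, one lower-case letter and one digit are present,
    which satisfies sites that insist on a mix.
    """
    if max_len is not None and length > max_len:
        length = max_len
    if length < min_len:
        length = min_len
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.isupper() for c in pw) and any(c.islower() for c in pw)
                and any(c.isdigit() for c in pw)):
            return pw


def entropy_bits(length, alphabet=ALPHABET):
    """Bits of entropy for `length` independent, uniform picks from `alphabet`.

    16 picks from 62 symbols is about 95 bits, i.e. roughly 2**95 guesses
    to exhaust, whereas 8 lower-case letters is under 38 bits.
    """
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    for site, policy in POLICIES.items():
        pw = generate_password(16, **policy)
        print(f"{site}: {pw} ({entropy_bits(len(pw)):.1f} bits)")
```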
The other simple rules
This is not a tutorial about how to use KeePass. It's a pretty simple program, really, and there are many others like it. There are online manuals and tutorials and stuff for them; it's not rocket science.
Save your KDB file back to your USB stick. Carry the USB stick with you. Don't copy the KDB files to your hard disk, and don't write a copy of your password onto the USB stick (or on a yellow sticky note on your keyboard).
Make a backup copy of the USB stick every now and again (get a second USB stick) and give it to your mother, sister, aunt or some other trusted family member (probably not Uncle Ernie, especially if he's prone to getting drunk and feeling up cocktail waitresses). Don't tell the person you give the USB stick to what it's for, or what's on it, or what the password is. If you like, make a copy of the password, put it in a sealed envelope with the name of the KDB file and give it to your solicitor, to be opened in the case of your accidental or untimely death.
Don't write the passwords down somewhere else. It's an easy enough job to cut and paste the passwords from the KeePass program into your web browser or whatever other program you use that needs the passwords (your work's VPN client software, for example). KeePass has a special mechanism where it will put the password into the clipboard so you can copy and paste it for 10 seconds or so, and then erase it.