
A Non-Golf Story You Should Read: Protect Yourself in The Cyber War

I realize that the focus of Waggle Room is golf and all things related, but I am going to make a departure from that focus for a moment to pass along some information that I feel is important to each of you here in the community, simply because I value all of you as people.

Please allow me to start by stating that our parent site, SB Nation, is and has been secure and that we know of no incidents where our security has been defeated or circumvented.  We have not been hacked.  Many other sites have, but not this one, not yet and hopefully never.  We have a capable and dedicated technical staff that work very hard to prevent that, and so far they are batting 1.000.  Just so you know.

That said, the so-called "Cyber War" is well underway. Hacking is not new; in fact, it's as old as the first connections between two computers. No doubt you have read of the password thefts, the worms, the viruses and all of the other nasty stuff that's happened in the past, but today, things have escalated greatly.  It's all over the news, and you can read or see it anywhere.

Read on, and I will tell you more, plus how it might affect you and what to do about it now, to prevent trouble for yourself later.



Here's the current situation: there are two or three major ongoing online battles, and there have been at least three major incidents of hacking globally that are far away but can affect you personally if you are not careful.  Plus there may be others that have not been reported. 

Again, that’s not spreading fear, that’s simply reality in today’s modern world where our computers and cellphones are always connected and on those devices we have a lot of critical and confidential information whether or not we realize it.  In this modern world, it's very difficult to not have some degree of exposure, and if you are exposed at all, you should take care to prevent the Cyber War from causing you pain.

Just to show you that this is not a flight of fancy in my head, here are three stories all from reputable news sources that give some insight:

Gawker.com hacked by hacker group "Gnosis"

Wikileaks ongoing hacks by "Anonymous" and other groups are spreading

China’s Government Re-Routes Most of the Internet Traffic Through Its Routers and Servers For Several Days

You might be saying, wow, I didn't know it was that big.  So what should I do?  Simple.  Ben Franklin once said that "a stitch in time saves nine," and relative to the ongoing "cyber war," that stitch in time is to protect yourself online now, before any identity theft or unauthorized use of your sensitive online accounts happens. Start by making sure your personal information and accounts are as safe as possible.  It may take an hour, maybe two, but you can do this if you take some time and a few steps to protect yourself by hardening your key online accounts, even though those accounts have nothing to do with the original hacks.

Ok, so how do I do that?

I would start by changing the password on each of the online accounts that you use to access your finances as well as your Facebook account.  You may even want to change your email account.  Scratch that, if you use Gmail, Yahoo or Hotmail, you REALLY need to change your passwords ASAP.
 
The reason I make that recommendation is simple: in my career, it’s my experience that 95% of the users I have worked for are using "weak" passwords that are easily guessed, extracted or decrypted.  Many folks use completely useless passwords like "password" or "secret" – things a 10-year-old might try first, much less a 17-year-old Russian computer genius who wants to use your Visa card.  Maybe you have simple English word passwords, maybe not.  I don’t know, don’t want to know and wouldn’t remember it if you told it to me anyway.

I wrote a manual for my colleagues that defines what we call "best practices" – meaning it’s the right way to do stuff.  Read on and learn one method to create "strong" passwords you can actually remember:

Q: Why should I change my password?

A: Three good reasons, and none of them have anything to do with company policies, even though we enforce changes every 90 days:

  1. Changing your passwords often leaves fewer long-term traces of how to get into your account.  Old hard drives are a notorious way to steal passwords, for example.  By changing often, any old password info that is stored anywhere is obsoleted.

  2. Gawker.com just had a major hack on it where they lost all of their security information, and it is now freely available on the Internet.  The same thing has happened to other sites, perhaps including Amazon.com in Europe, and others.

  3. It’s better to be safe than sorry.  It’s more hassle to have to combat identity theft than it is to change your passwords. 

Maybe you don’t have any accounts at Gawker.com, which is a collection of blogs that are very popular sites.  Gawker.com itself is celebrity gossip, but they also host Gizmodo (tech info), Lifehacker (tips and tricks on most everything), Deadspin (sports) and others.  They have millions of users and get tens of millions of visits monthly.

Okay, you don’t have accounts there.  Good, you don’t have a direct problem there, but security experts are telling people that it would be a good idea to change their passwords on any other sensitive sites like their banks, credit cards, etc., because if Gawker was vulnerable enough to lose everything, it is possible that some people unrelated to you had identical passwords on other sites that you may also use, and the Gawker.com hack may have given the hackers enough leverage to break into the other sites because they can use the same account information they stole … and from there, steal THOSE password files from the second site to decrypt.  It’s a simple scenario, it has happened before on a smaller scale and is almost certainly one that's in progress right now.

So change your passwords!

Now, the lesson part:

Passwords Best Practice: Use Complex Passwords, And DO NOT use whole words.

I suggest that you do this: find a phrase that you can easily remember and make a mnemonic out of it, with at least one capital letter, one number and one special character…and the whole string should be at least 8 characters long. 

Example 1: Use easily remembered phrases to create complex passwords:

Consider the phrase "All work and no play makes Jack a dull boy."

Mnemonically, you can express it as

awanpmjadb


which you can then change to

Aw&npmjadb1


That is a mnemonic string of the first letter of each word of the phrase, with the first letter capitalized, an ampersand substituted for the "a" where the word "and" is (that’s an intuitive replacement), and finally the numeral "1" added to the end of the string.  Sounds hard, but it isn’t really.

99 out of 100 people would not be able to guess the entire string, and a computer trying to decrypt that string would take a very long time (hours or days) to crack it.  That’s plenty secure enough.  The passwords we are using now are actually very guessable, and a desktop computer could decrypt them in less than 2 minutes.  That’s why it is important to go through all of this to create something we can remember but is very difficult for a hacker to extract.

The trick with the system is to simply remember the phrase and then put it back together when you log in.  After a day or two, your fingers will start to remember the new password and it becomes second nature.  I’ve used the system for years and it really is easy.

Example #2: Using mnemonic password strings to help remember old passwords:

You will change your passwords over time, and you might forget a site and be one or two password changes behind the next time you try to log in to it.  We all do that, and it can be maddening to try to remember a password we may have used several months or even a few years ago.  "What was it again?" you might say, and try perhaps five, six or even seven or more passwords you can dig up out of the back of your head.

That’s where the second key to the mnemonic system comes in: choose consecutive password phrases that "go together", so every time you change it, you can backtrack quickly to old passwords.

I like to use a master key for my passwords, one where each password is secure by itself, but still password A, B, and C are relational and I can thus go backwards easily if I need to.

To do that, define a source series of phrases for a mnemonic only you know. You could use lines out of Mother Goose or even something like a Dr. Seuss book you have on your bookshelf.  Or anything like that.  Following me here?  What you are doing is creating a series of passwords that all have something in common so that Password 1 and then Password 2 have a common source so in case you forget Password 1 you can recall it by recalling where it came from.  Actually, it is easier to show you, so read on.

Here’s a poem you know or can easily find on the Internet in less than a minute:

Every Who
Down in Who-ville
Liked Christmas a lot...

But the Grinch,
Who lived just North of Who-ville,
Did NOT!

The Grinch hated Christmas! The whole Christmas season!
Now, please don't ask why. No one quite knows the reason.
It could be that his head wasn't screwed on quite right.
It could be, perhaps, that his shoes were too tight.
But I think that the most likely reason of all
May have been that his heart was two sizes too small.

<and so on…>

Okay, here’s your first password:

"Every Who Down in Who-ville Liked Christmas a Lot"

is

Ewd1wlcalot <- note the curve ball I threw by exchanging a numeral 1 for an "i" in my phrase, sly, huh?

And then your second password

"But the Grinch, Who lived just North of Who-ville, Did NOT!"

is

Btgwljn0wdn! <- again the inner numeral inside the string, a zero for the letter O, and an exclamation point at the end because that’s how the verse ends

And then a third password in your series

"The Grinch hated Christmas! The whole Christmas season!"

is

Tghc!twcs!1 <- see if you can figure out what I did on your own.

And so forth and so on down through the whole story. Using a system like that, you can probably get 2-3 years' worth of password strings that are pretty easy to remember.  And…you won’t be banging your head on your desk when you inevitably forget an old password and suddenly need it.  You’ll just dig up The Grinch poem, and start recreating your old password mnemonics in a minute or two.  But since I told you about using The Grinch, find something else.  And no, I don’t use that poem as a source for any of my own passwords either.
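An added example, not part of the original post: a Python sketch that builds the first-letter mnemonic from a phrase and checks a candidate password against the rules given above (at least 8 characters, a capital letter, a number, a special character, no whole dictionary word). The function names and the small word list are assumptions made up for illustration.

```python
import string

# Constructed sample word list; a real check would load a full dictionary file.
SAMPLE_WORDS = {"password", "secret", "christmas", "grinch", "season"}


def mnemonic(phrase):
    """First letter of each word, lowercased; a hyphenated word counts once."""
    words = [w.strip(string.punctuation) for w in phrase.split()]
    return "".join(w[0].lower() for w in words if w)


def policy_gaps(password, words=SAMPLE_WORDS):
    """Return the rules from the article that this password does not meet."""
    gaps = []
    if len(password) < 8:
        gaps.append("shorter than 8 characters")
    if not any(c.isupper() for c in password):
        gaps.append("no capital letter")
    if not any(c.isdigit() for c in password):
        gaps.append("no number")
    if not any(c in string.punctuation for c in password):
        gaps.append("no special character")
    lowered = password.lower()
    if any(w in lowered for w in words):
        gaps.append("contains a whole dictionary word")
    return gaps


def review(passwords):
    """Map each candidate to its list of unmet rules (empty list = passes)."""
    return {p: policy_gaps(p) for p in passwords}


if __name__ == "__main__":
    # Phrase and candidate strings are the ones used in the article.
    print(mnemonic("All work and no play makes Jack a dull boy."))
    candidates = ["password", "awanpmjadb", "Aw&npmjadb1",
                  "Ewd1wlcalot", "Btgwljn0wdn!", "Tghc!twcs!1"]
    for pw, gaps in review(candidates).items():
        print(f"{pw:14} {'OK' if not gaps else '; '.join(gaps)}")
```

Run against the strings above, the check passes `Aw&npmjadb1`, `Btgwljn0wdn!` and `Tghc!twcs!1`, and flags `Ewd1wlcalot` for having no special character.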

The bottom line here is this:

  • Protect yourself by using passwords that DO NOT appear in dictionaries, because there are so-called "dictionary attacks" that literally run through the dictionary trying to guess passwords to get into a system.  The dictionary attack is some 30 years old, so it’s not new. 
  • Make a difficult-to-guess password, but one you’ll be able to remember. 
  • Use successive passwords with a second common key and you will never, ever lose one.
  • Passwords are, well, secret.  So don't tell people you don't know what they are, no matter how convincing they sound.  See "social engineering" for more info - it is a tried and true way to steal passwords - someone simply tricks a user into giving it out to them. 
  • If you use the mnemonic system I told you about above, keep the key phrases secret too.  No sense in giving the bad guys a head start.

Anyway, save this and pass it on if you want.  It’s a fairly common IT best practice, and something that people should employ in their personal lives.
