I’ve been giving a fair bit of thought recently to ‘The Cloud’. In particular, because a lot of our information is in this cloud, I’ve wondered how safe it is.
So first, a discussion on safety. Nothing is fully safe. Castles crumble, firewalls fizzle, and valor vacillates. We’re left with a trade-off: how much inconvenience do you impose on an attacker versus how much inconvenience you accept in your daily life? Keys, passwords, guards, badges, all these things cost us money and time, but they make it less likely an attacker will be successful.
When it comes to computers and our information on them, the same sort of logic holds true. What you want to do is make it easy for you to access information from the cloud, yet difficult for an attacker to do the same. What is needed are three things:
- A secure local computer. Alex covers antivirus solutions, and I recommend av-test.org.
- A safe place on the cloud which is also an Alex recommendation. I use OneDrive myself.
- Safe passage in between: a way to reach that data from wherever you happen to be that an attacker cannot easily copy or replay.
Safe passage in between is the part on which I want to focus. (So far I’ve shamelessly pirated from Alex.) A password on its own is no longer safe, and one in ten users has a very poor password:
The problem is we’re used to traditional data. It lived on our computers, in our homes, and, short of physical theft, our passwords weren’t an issue. Not true anymore. You want a secure password, and for that, I recommend building something you can remember. Then see just how safe it might be on Steve Gibson’s ‘haystack’ website. The key is you want a search space for your password that is enormous: the search space is every possible string over the character classes you used, up to your password’s length, and an attacker guessing blindly has to work through it. (That estimate assumes blind guessing. A password made of dictionary words or a keyboard pattern gets tried early, long before the space is exhausted, which is why the password should be built from something only you know.) These days, I’m not worried about brute force attacks on my password:
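As an added example (not code from this post or from grc.com), here is the search-space calculation the haystack page performs, written in Python. The character-class sizes (26 + 26 letters, 10 digits, 33 symbols) and the three guess rates are assumptions chosen for illustration to resemble the calculator’s scenarios; real cracking speeds depend on the hash algorithm and the hardware.

```python
"""Password 'haystack' search space: how many guesses a blind brute-force
attacker needs, given only the alphabet the password draws from and its length.
Added example, not code from the original post or from grc.com."""
import string

# Character classes and sizes (assumed for illustration: letters 26 + 26,
# digits 10, and 33 symbols, i.e. printable ASCII punctuation plus space).
CLASSES = {
    "lowercase": frozenset(string.ascii_lowercase),
    "uppercase": frozenset(string.ascii_uppercase),
    "digits": frozenset(string.digits),
    "symbols": frozenset(string.punctuation) | {" "},
}

# Assumed attacker speeds in guesses per second: a throttled online login
# form, an offline hash-cracking rig, and a large cracking cluster.
GUESS_RATES = {
    "online (throttled)": 1_000,
    "offline cracking rig": 100_000_000_000,
    "massive cracking array": 100_000_000_000_000,
}


def alphabet_size(password: str) -> int:
    """Sum of the sizes of every character class the password touches.
    One digit 'buys' all ten digits, which is why a single symbol helps so much."""
    known = set().union(*CLASSES.values())
    bad = [c for c in password if c not in known]
    if bad:
        raise ValueError(f"characters outside the modelled classes: {bad!r}")
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def search_space(password: str) -> int:
    """Count of all strings of length 1..len(password) over that alphabet,
    i.e. sum_{i=1}^{L} n^i: the attacker must exhaust shorter lengths too."""
    n = alphabet_size(password)
    return sum(n ** i for i in range(1, len(password) + 1))


def seconds_to_exhaust(password: str, guesses_per_second: int) -> float:
    """Worst case for the attacker; on average they finish in half this time."""
    return search_space(password) / guesses_per_second


def human_time(seconds: float) -> str:
    """Render a duration in the largest unit that fits, up to centuries."""
    units = [("centuries", 3_153_600_000), ("years", 31_536_000),
             ("days", 86_400), ("hours", 3_600), ("minutes", 60), ("seconds", 1)]
    for name, span in units:
        if seconds >= span:
            return f"{seconds / span:,.2f} {name}"
    return f"{seconds:.3g} seconds"


def report(password: str) -> dict:
    """Search space plus the time to exhaust it at each assumed rate."""
    return {
        "alphabet": alphabet_size(password),
        "search_space": search_space(password),
        "time": {name: human_time(seconds_to_exhaust(password, rate))
                 for name, rate in GUESS_RATES.items()},
    }


if __name__ == "__main__":
    # Constructed sample passwords: a short lowercase word, the same word
    # padded with symbols, and a longer mixed-class passphrase.
    for pw in ["password", "password...........", "Correct-Horse-7-Battery"]:
        r = report(pw)
        print(f"{pw!r}: alphabet {r['alphabet']}, space {r['search_space']:,}")
        for scenario, t in r["time"].items():
            print(f"    {scenario:>24}: {t}")
```

Note what the model does not capture: it treats every string in the space as equally likely, so `password...........` scores far higher than `password` even though a cracker would try the word and a padding mask early. The number is an upper bound on a blind attacker’s work, not a measure of how guessable the password is.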
Sadly, passwords can be readily stolen. Most of us have too many passwords these days. (I’ve over 100 myself.) I reduce, reuse, and recycle and have various programs to store passwords for me. Any one of those is a Heartbleed away from joining a list like the one above. It would become quite easy to build a password profile. Attackers are sophisticated. They know the answers to my security questions from my Facebook. They know what sort of passwords I like from cracked servers or from reading this blog.
Enter Two-Factor Authentication (TFA). The technique is simple. I use a password I can remember, and I keep my phone with me. I teach my phone a secret, and the cool thing about this secret is it allows my phone to do a quick bit of calculation to give me a six digit code. A six digit code that changes every 30 seconds! (The calculation is a keyed hash of that shared secret and the current 30-second time window. The website holds the same secret, so it can compute the same code and check mine, and a code is worthless once its window has passed.) This means if my Facebook password is hacked or released via security question challenges, that’s okay. I still have a fail-safe. If my phone is stolen and broken into, I have my password. Either way, it becomes more difficult to compromise my cloud. And, since it is my phone and not me who does the memory work, each website that offers TFA has a different secret! That does mean the secret, or the recovery codes a site hands out when you enrol, has to survive a lost phone, so keep those somewhere safe.
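The “quick bit of calculation” described above is specified in RFC 6238 (TOTP), which builds on RFC 4226 (HOTP). The following is an added example, not code from this post or from any authenticator app, using only the Python standard library. The 30-second step and six digits are the common defaults; the base32 helpers reflect how authenticator apps exchange the secret; the site names in the demo are made up, and real secrets are random bytes generated by the site at enrolment.

```python
"""Time-based one-time passwords: RFC 6238 (TOTP) built on RFC 4226 (HOTP).
Added example, not code from the original post or from an authenticator app.
Standard library only."""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1(secret, counter), dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # low nibble of last byte
    chunk = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(chunk % (10 ** digits)).zfill(digits)         # keep leading zeros


def totp(secret: bytes, at=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step). Phone and site
    hold the same secret, so both compute the same code for this window."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at=None, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check. Accept the current window and +/- `window`
    neighbours to tolerate clock drift; compare in constant time."""
    if at is None:
        at = int(time.time())
    counter = at // step
    ok = False
    for delta in range(-window, window + 1):
        candidate = hotp(secret, counter + delta, digits)
        # No early return on a match: the same work is done for every check.
        ok |= hmac.compare_digest(candidate, code)
    return ok


def secret_to_base32(secret: bytes) -> str:
    """Authenticator apps exchange the secret as base32 (the otpauth:// URI)."""
    return base64.b32encode(secret).decode("ascii").rstrip("=")


def secret_from_base32(b32: str) -> bytes:
    """Inverse of secret_to_base32, tolerating missing padding and spaces."""
    cleaned = b32.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


if __name__ == "__main__":
    # Constructed sample: two sites, each with its own independent secret,
    # so a code for one is useless at the other.
    sites = {"mail.example": b"\x01" * 20, "bank.example": b"\x02" * 20}
    now = int(time.time())
    for name, secret in sites.items():
        print(f"{name}: secret {secret_to_base32(secret)} -> code {totp(secret, now)}")
```

Two things the code makes visible that the prose does not: the server never receives the secret during login, only a code that can be recomputed from secret plus time, which is why a leaked code expires within a window or two; and the `window` tolerance is the trade-off between users with slightly wrong clocks and the number of codes an attacker may guess at once.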
This sounds like a lot of work, and it can be. So, I only use it for things that are quite important. I store all sorts of my personal documents on the cloud, and for the most sensitive of those I use other measures. However, a good password and a six digit time sensitive code are pretty good starters. I have a lot of my financial statements go to email – I save trees all the time! So, I use this for my personal email as well. The most valuable thing I own is a reputation. I care about demonstrating integrity and intelligence and earning my employers’ and clients’ trust. Victoria College links to this blog from some of our top-level pages, and one in ten VC employees has read at least one of my posts. So, this blog you’re reading is almost certainly hand-typed by me because it would take 1.74 hundred billion centuries to crack my password on the WordPress server. Then you’re still facing a six digit code that expires every 30 seconds.
This feels pretty safe to me.