Safety on the Cloud

I’ve been giving a fair bit of thought recently to ‘The Cloud’. In particular, because a lot of our information is in this cloud, I’ve wondered how safe it is.

So first, a discussion on safety. Nothing is fully safe. Castles crumble, firewalls fizzle, and valor vacillates. We’re left with a trade-off: how inconvenient do you make an attacker’s life, and how much inconvenience do you accept in your own daily life? Keys, passwords, guards, badges, all these things cost us money and time, but they make it less likely an attacker will be successful.

When it comes to computers and our information on them, the same sort of logic holds true. What you want is to make it easy for you to access information from the cloud, yet difficult for an attacker to do the same. Three things are needed:

  1. A secure local computer. Alex covers antivirus solutions, and I recommend
  2. A safe place on the cloud which is also an Alex recommendation. I use OneDrive myself.
  3. Safe passage in-between, such as easy access wherever you may be.

Safe passage in-between is the part on which I want to focus. (So far I’ve shamelessly pirated from Alex.) Single passwords are no longer safe, and one in ten users has a very poor password:

1. 123456
2. password
3. 12345678
4. qwerty
5. 12345
6. 123456789
7. football
8. 1234
9. 1234567
10. baseball
11. welcome
12. 1234567890
13. abc123
14. 111111
15. 1qaz2wsx
16. dragon
17. master
18. monkey
19. letmein
20. login

The problem is we’re used to traditional data. It lived on our computers, in our homes, and, short of physical theft, our passwords weren’t an issue. Not true anymore. You want a secure password, and for that, I recommend building something you can remember. Then see just how safe it might be on Steve Gibson’s ‘haystack’ website. The key is you want a search space for your password that is enormous. These days, I’m not worried about brute force attacks on my password:

[Figure: GRC’s Password Search Space]
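To make the ‘haystack’ idea concrete, here is an added example (my own code, not GRC’s and not part of the original post) that counts the search space the way the paragraph above describes: the attacker must assume an alphabet covering every character class the password uses, and in the worst case must try every password of that alphabet up to the password’s length. The class sizes (26 lowercase, 26 uppercase, 10 digits, 33 symbols) and the three guess rates are assumptions of this example.

```python
import math
from typing import Dict

# Character-class sizes for the alphabet estimate. These are an assumption of
# this example (26 + 26 + 10 + 33), not a figure quoted from the post.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}

# Guess rates for three attack scenarios; the rates are assumptions too.
SCENARIOS: Dict[str, int] = {
    "online attack (1,000 guesses/s)": 1_000,
    "offline fast attack (100 billion guesses/s)": 100_000_000_000,
    "massive cracking array (100 trillion guesses/s)": 100_000_000_000_000,
}


def alphabet_size(password: str) -> int:
    """Size of the alphabet an attacker must assume, from the classes present."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")        # punctuation and space count as symbols
    return sum(CLASS_SIZES[c] for c in classes)


def search_space(password: str) -> int:
    """Count of every password over this alphabet of length 1 up to len(password).

    A brute-force attacker who knows nothing else about the password must, in
    the worst case, try all of them. That count is the 'haystack'.
    """
    a = alphabet_size(password)
    return sum(a ** i for i in range(1, len(password) + 1))


def seconds_to_exhaust(space: int, guesses_per_second: int) -> float:
    """Worst-case time to try the whole search space at a given guess rate."""
    return space / guesses_per_second


def human_time(seconds: float) -> str:
    """Rough, readable duration (seconds up to centuries)."""
    units = [("centuries", 3_153_600_000), ("years", 31_536_000),
             ("days", 86_400), ("hours", 3_600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.2f} {name}"
    return f"{seconds:,.2f} seconds"


def report(password: str) -> Dict[str, str]:
    """Worst-case crack time for each scenario, keyed by scenario name."""
    space = search_space(password)
    return {name: human_time(seconds_to_exhaust(space, rate))
            for name, rate in SCENARIOS.items()}


if __name__ == "__main__":
    # Constructed sample passwords: a short 'complex' one versus a long, simple, padded one.
    for pw in ("password", "Tr0ub4dor&3", "correct.horse.battery.staple"):
        print(f"{pw!r}: alphabet {alphabet_size(pw)}, search space {search_space(pw):,}")
        for name, duration in report(pw).items():
            print(f"    {name}: {duration}")
```

The point the numbers make is the one the post makes: length dominates. A long phrase with a little padding, drawn from a small alphabet, has a vastly larger haystack than a short password that uses every character class.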

Sadly, passwords can be readily stolen. Most of us have too many passwords these days. (I’ve over 100 myself.) I reduce, reuse, and recycle and have various programs to store passwords for me. Any one of those is a Heartbleed away from joining a list like the one above. It would become quite easy to build a password profile. Attackers are sophisticated. They know the answers to my security questions from my Facebook. They know what sort of passwords I like from cracked servers or from reading this blog.

Enter Two-Factor Authentication (TFA). The technique is simple. I use a password I can remember, and I keep my phone with me. I teach my phone a secret, and the cool thing about this secret is it allows my phone to do a quick bit of calculation to give me a six-digit code. A six-digit code that changes every 30 seconds! This means if my Facebook password is hacked or released via security question challenges, that’s okay. I still have a fail-safe. If my phone is stolen and broken into, the thief still needs my password. Either way, it becomes more difficult to compromise my cloud. And, since it is my phone and not me who does the memory work, each website that offers TFA has a different secret!
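The ‘quick bit of calculation’ the phone does is the time-based one-time password algorithm (TOTP, RFC 6238), built on HMAC-based one-time passwords (HOTP, RFC 4226). The following is an added example written for this post, not code from any authenticator app or website: the phone and the website share one secret, each divides the current Unix time by 30 to get a counter, and each runs HMAC-SHA1 over that counter and truncates the result to six digits. The demo secret is the reference secret from those RFCs (the ASCII string “12345678901234567890”); the one-step verification window and the scenario of a server checking a submitted code are assumptions of the example.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30   # the "changes every 30 seconds" the post describes
DIGITS = 6          # six-digit codes


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte picks the window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: Optional[int] = None,
         step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    This is what the phone computes when it shows you a code."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, candidate: str,
                unix_time: Optional[int] = None, window: int = 1) -> bool:
    """What the website does with the code you typed. Accepts the current step
    plus `window` steps either side to tolerate clock drift, and compares in
    constant time so the comparison itself leaks nothing about the expected code."""
    if unix_time is None:
        unix_time = int(time.time())
    counter = unix_time // STEP_SECONDS
    accepted = False
    for drift in range(-window, window + 1):
        if counter + drift < 0:          # HOTP counters are unsigned
            continue
        expected = hotp(secret, counter + drift)
        # Deliberately no early break: timing stays independent of which step matched.
        if hmac.compare_digest(expected, candidate):
            accepted = True
    return accepted


def provisioning_secret(secret: bytes) -> str:
    """Base32 form of the secret, which is what the QR code carries when you
    'teach your phone the secret' (otpauth URIs encode the secret this way)."""
    return base64.b32encode(secret).decode("ascii")


# Constructed demo using the RFC 4226 / RFC 6238 reference secret.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("Shared with the phone once, at enrolment:", provisioning_secret(RFC_SECRET))
    for t in (59, 1111111109, 1234567890):       # timestamps from the RFC 6238 test table
        print(f"t={t:>11}  code={totp(RFC_SECRET, t)}")
    print("Code right now:", totp(RFC_SECRET))
```

Two things worth noticing: the secret never travels after enrolment, only the six-digit result does, and a code is bound to a 30-second counter, so one that leaks is useless a minute later. The website keeps a different secret for every user, which is why each TFA-enabled site gives your phone its own entry.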

This sounds like a lot of work, and it can be. So, I only use it for things that are quite important. I store all sorts of my personal documents on the cloud, and for the most sensitive of those I use other measures. However, a good password and a six-digit, time-sensitive code are pretty good starters. I have a lot of my financial statements go to email – I save trees all the time! So, I use this for my personal email as well. The most valuable thing I own is a reputation. I care about demonstrating integrity and intelligence and earning my employers’ and clients’ trust. Victoria College links to this blog from some of our top-level pages, and one in ten VC employees has read at least one of my posts. So, this blog you’re reading is almost certainly hand-typed by me, because it would take 1.74 hundred billion centuries to crack my password on the WordPress server. Then you’re still facing a six-digit code that expires every 30 seconds.

This feels pretty safe to me.



Matt Wiley is a tenured, associate professor of mathematics with awards in both mathematics education and honour student engagement. He earned an assortment of degrees in computer science, business, and pure mathematics from the University of California and Texas A&M systems. He is the director of quality enhancement at Victoria College, assisting in the development and implementation of a comprehensive assessment program to enhance institutional performance outcomes. A programmer, a published author, a mathematician, and a transformational leader, Matt has always melded his passion for writing with his joy of logical problem solving and data science. From the boardroom to the classroom, he enjoys finding dynamic ways to partner with interdisciplinary and diverse teams to make complex ideas and projects understandable and solvable.
