

James Fallows on the vulnerabilities of the cloud after wife's Gmail is hacked - Thrymr
http://www.theatlantic.com/magazine/archive/2011/11/hacked/8673/2/?single_page=true

======
Matt_Cutts
From the article: "if you use Gmail, please use Google’s new “two-step
verification” system. .... This is not an airtight solution, but it can thwart
nearly all of the remote attacks that affect Gmail thousands of times a day."

Here's more information:
[http://www.google.com/support/accounts/bin/static.py?page=gu...](http://www.google.com/support/accounts/bin/static.py?page=guide.cs&guide=1056283&topic=1056284)

This additional protection will radically improve the security of your account
against hijacking.

~~~
tomahhy
What happens if I change my phone number? What's the process when I do that?

~~~
StavrosK
I only use the SMS option very, very rarely. Usually I use the authenticator
Android/iPhone app.

------
Mithrandir
1. Backup your emails with Thunderbird and put them on an external hard drive
encrypted and/or encrypted on an online backup service, like Dropbox or
ADrive.

2. Backup some of your other Google data with Takeout:
<https://www.google.com/takeout/> Use 2-step authentication as well.

3. Passwords? Use Keepass/KeepassX or LastPass. Generate new random passwords
using the generate password feature. You could technically reuse passwords for
accounts that aren't sensitive, but with those password managers you don't
really need to, especially since they both support search. Back them up like
you did with emails (external hard drive encrypted and/or encrypted on an
online backup service, like Dropbox or ADrive.)

4. Master password? Try passphrases (<http://xkcd.com/936/>) or (for a
slightly weaker option) use the initials of the words of part of a song,
phrase, or something you can remember that isn't too common. It should be at
least 10 characters long. Add memorable symbols or numbers for bonus credit.

5. On Windows? No Anti-virus software? GET SOME.

6. Don't enter your passwords on public computers. In fact, I wouldn't even
access any private data on a public computer.

7. Don't tell your friends/family what your passwords are. Should be obvious,
but not always so.

8. For Pete's sake, DON'T WRITE YOUR PASSWORDS DOWN ON POST-IT NOTES! and
don't store them in unencrypted files. Really, this is a bad idea.

Even if you follow all the above, you still need to use common sense online
when it comes to security.

~~~
kristaps
Number 8 is overrated; it requires physical access to the password and is less
viable than any pure online attack. See
[http://www.schneier.com/blog/archives/2005/06/write_down_you...](http://www.schneier.com/blog/archives/2005/06/write_down_your.html)

------
potatolicious
I've said this before, and I will say this again.

_Email is a service worth paying for._ It is quite possibly _the_ primary
method of official communications between you and anyone else these days, far
surpassing the volume of paper correspondences you have.

So why are we using free services that offer no guarantees, no SLAs, and no
support - for anything other than throwaway accounts?

I run my own server, but this is hardly necessary for the majority of the
world. What you _do_ want is a server that backs you up constantly, and can
respond to _precisely_ issues like these.

~~~
Codayus
Okay. So who is offering a service that can match Google's offering? In
particular, they need to offer a good (i.e., at least as good as Google's)
webmail client and spam filtering.

~~~
RossP
I use www.fastmail.fm (owned by Opera) and can't recommend them highly enough.
For a family or small business it's great as you can have shared
folders/address books, use your own domain(s), and more.

The web mail doesn't include tagging or inline conversations but otherwise
it's pretty good with not too much wastage. Of course you also have IMAP/POP
access if that's your flavour.

~~~
radiowave
Another happy fastmail user here, of about 9 years. Agreed, it's worth paying
for.

------
RockyMcNuts
Repeat of this thread

<http://news.ycombinator.com/item?id=3122798>

------
pw
_"For reasons too complex to explain here, even some systems, like Gmail's,
that don't allow intruders to make millions of random guesses at a password
can still be vulnerable to brute-force attacks."_

Anyone care to explain?

~~~
noahc
I don't know what he means here, but one possible way to brute force would be
to iterate the username and not the password. It depends on what you're trying
to do, but if you just want accounts you pick the top X number of passwords
used then get a list of usernames and a healthy collection of proxies. As long
as your list of usernames and proxies are long enough you should be able to
brute force your way into a lot of accounts.
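The pattern described in the comment above (few password guesses each against many accounts, spread over many source addresses) is what defenders call password spraying, and it is invisible to the usual per-account lockout. The detector below is an added example, not code from the thread or from any mail provider: it slides a time window over constructed auth log lines (format `epoch user src_ip result`, made up for this illustration) and flags windows where failures are spread thinly across many accounts and many sources, while a single account hammered from one address (classic brute force) is left to the ordinary lockout logic.

```python
from collections import defaultdict

# Constructed sample logs (not real traffic): "epoch user src_ip result".
SPRAY_LOG = """\
1000 alice 203.0.113.10 FAIL
1001 bob 203.0.113.11 FAIL
1002 carol 203.0.113.12 FAIL
1003 dave 203.0.113.13 FAIL
1004 erin 203.0.113.14 FAIL
1005 frank 203.0.113.15 FAIL
1006 alice 198.51.100.7 OK
1007 grace 203.0.113.16 FAIL
1008 heidi 203.0.113.17 FAIL
"""
BRUTE_LOG = "\n".join(f"{2000 + i} alice 203.0.113.10 FAIL" for i in range(6))


def parse(log_text: str):
    """Turn log lines into (epoch, user, src_ip, success) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result = line.split()
        events.append((int(ts), user, src, result == "OK"))
    return events


def spray_windows(events, window=300, min_users=5, max_fail_per_user=2, min_sources=3):
    """Sliding window over sorted events. A window is flagged as spraying when failures touch
    at least `min_users` distinct accounts, no account fails more than `max_fail_per_user` times
    (so per-account lockouts never trigger), and at least `min_sources` distinct IPs are involved
    (the proxy rotation mentioned in the thread). Returns (window_start, n_users, n_sources)."""
    events = sorted(events)
    alerts = []
    for i, (t0, _, _, _) in enumerate(events):
        fails_per_user = defaultdict(int)
        sources = set()
        for t, user, src, ok in events[i:]:
            if t - t0 > window:
                break
            if not ok:
                fails_per_user[user] += 1
                sources.add(src)
        if (len(fails_per_user) >= min_users
                and max(fails_per_user.values()) <= max_fail_per_user
                and len(sources) >= min_sources):
            alerts.append((t0, len(fails_per_user), len(sources)))
    return alerts


if __name__ == "__main__":
    print(spray_windows(parse(SPRAY_LOG)))   # flagged: thin failures across 8 accounts, 8 IPs
    print(spray_windows(parse(BRUTE_LOG)))   # [] : one account, one IP; per-account lockout territory
```

Thresholds are illustrative; in practice they are tuned to the site's normal failure rate, and the alert is usually paired with a global (not per-account) rate limit or step-up to the second factor.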

------
brokentone
Anyone else have a few issues with this story?

1. Thinking that Google owed them a higher level of customer service for a
free account. They're already offering a much better email system than almost
anywhere else, for free!

2. Letting the backup email address expire.

3. Not backing up important messages. You can't leave backup to other people
regardless of who they are.

4. Not using two factor security for an email account with so much important
data.

5. Sending important personal data over email?? "At some point over the past
six years, our correspondence would certainly have included every number or
code that was important to us" WTF? E-mail, regardless of the provider, is not
secure! Why would you send these things plaintext across the Internet??

6. He alludes to the fact that his wife's info may have been on the Gawker
release. . . and they were just hacked now??

Granted. . . maybe we cannot expect a nontechnical consumer to know these
things. So how do we get them up to par? (edited for formatting)

