Despite a daily barrage of hacks, data breaches and malware attacks, millions of internet users still refuse to take some basic security precautions that could make their accounts nearly impervious — and worry-free.
Consider the current situation with iCloud. A group of hackers calling itself “the Turkish Crime Family” says it has access to hundreds of millions of Apple accounts and passwords, and will begin resetting them as well as remotely wiping iPhones unless Apple pays a ransom of at least $75,000 by April 7.
Has Apple been hacked? Probably not. “The alleged list of email addresses and passwords appears to have been obtained from previously compromised third-party services,” the company said in a statement. Apple also said it is working with law enforcement officials to identify the hackers.
In other words, the more likely story is that the hackers have cross-referenced accounts and passwords from other data breaches, which are widely available in hacker communities. (If firstname.lastname@example.org used “qwerty1234” on five other sites, you probably used it as your iCloud password, too.)
But that doesn’t mean the threat isn’t real. ZDNet, CNET’s sister site, has verified that the hacker group had at least 54 valid accounts and passwords. Even more troubling: Three of those users insist that their password was unique to iCloud. (Read the full details at ZDNet.)
Have the hackers struck gold? Did those three users simply misremember that they recycled passwords several years ago? Perhaps they once logged in to iCloud from a malware-infected computer. Maybe someone was peeking over their shoulder at Starbucks one day while they were logging into iTunes.
Ultimately, the details of how these accounts were stolen, collected or aggregated may never be fully known. The only thing that does matter is that some users’ valid passwords are definitely now out in the wild — and yours could be, too.
But here’s what you can do to gain peace of mind with your iCloud account. Or any other online account, for that matter.
Change your password to something new and unique
This is the easiest, quickest and most straightforward course of action. (In fact, Apple actively recommended users change their iCloud passwords back in 2014 when a very similar incident occurred.) But you need to follow some basic security best practices:
- Use at least 16 characters that contain a combination of numbers, symbols, uppercase letters, lowercase letters and spaces.
- The password should be free of repetition, dictionary words, usernames, pronouns, IDs and any other predefined number or letter sequences.
- Do NOT recycle or reuse any passwords you’ve used in the past.
If all of that seems too complicated, consider using a password manager instead (see the third option, below), which should automatically create good unique passwords for all the services you use.
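To make the guidelines above concrete, here is a small checker, added for this article and not part of CNET’s original text, that turns each bullet into a test: minimum length, the five character classes, no username, no dictionary words, no repeated characters and no keyboard, digit or alphabet sequences. The word list and sequence list are tiny constructed samples (a real checker would use a large dictionary and a breached-password list); the thresholds for what counts as a “run” are assumptions.

```python
import re
import string

# Word and sequence lists are constructed for this example; a real checker would use a
# much larger dictionary and a list of passwords already seen in breaches.
MIN_LENGTH = 16
COMMON_WORDS = {"password", "qwerty", "letmein", "welcome", "iloveyou", "apple", "icloud"}
SEQUENCES = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
             "abcdefghijklmnopqrstuvwxyz"]


def has_repetition(pw, min_run=3):
    """True if any single character repeats min_run or more times in a row ('aaa', '111')."""
    return re.search(r"(.)\1{%d,}" % (min_run - 1), pw) is not None


def has_sequence(pw, min_len=4):
    """True if pw contains min_len consecutive keyboard, digit or alphabet characters,
    in either direction ('qwer', '4321', 'abcd'). Case-insensitive."""
    low = pw.lower()
    for row in SEQUENCES:
        for i in range(len(row) - min_len + 1):
            chunk = row[i:i + min_len]
            if chunk in low or chunk[::-1] in low:
                return True
    return False


def check_password(pw, username="", blocklist=COMMON_WORDS):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    classes = {
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(c in string.punctuation for c in pw),
        "uppercase": any(c.isupper() for c in pw),
        "lowercase": any(c.islower() for c in pw),
        "space": " " in pw,
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))
    low = pw.lower()
    if username and username.lower() in low:
        problems.append("contains the username")
    for word in sorted(blocklist):
        if word in low:
            problems.append("contains dictionary word '%s'" % word)
    if has_repetition(pw):
        problems.append("contains repeated characters")
    if has_sequence(pw):
        problems.append("contains a keyboard, digit or alphabet sequence")
    return problems


if __name__ == "__main__":
    # Constructed inputs: the article's example password and one that follows every rule.
    for candidate in ["qwerty1234", "Rk7# mX9q Lp2& vB4z"]:
        issues = check_password(candidate, username="jdoe")
        print(repr(candidate), "->", "OK" if not issues else "; ".join(issues))
```

Run it and “qwerty1234” fails on length, three missing character classes, a dictionary word and two sequences at once, which is exactly why it is such a poor choice for any account, let alone the one that can wipe your phone.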
Turn on two-factor authentication
This is key. Turning on two-factor authentication — also called 2FA or 2-step verification — is about as close to being fully locked-down as you can get. If and when your account is accessed from anywhere, the service in question sends a confirmation code to a device you pre-authorize during setup — your phone, your tablet, your computer or even your smartwatch.
Without that second code, which is randomly generated in real time, the person attempting to access the account won’t be able to get in — even if they have your username and password. So, not only are the bad guys locked out, you’ll get a pop-up or a text message alerting you if and when they’re trying to get in.
Apple’s iCloud supports 2FA, as do Google (Gmail), Facebook, Twitter, Instagram and pretty much any other service that takes security seriously. No, 2FA is not “perfect” or foolproof: Codes from authenticator apps such as Google Authenticator or Authy are more secure than SMS-based ones, and it’s assumed that the authorized device is neither compromised nor in the possession of the bad guys, for starters.
But for the average person, 2FA is as close to worry-free online security as you can get.
Use a password manager
The problem with creating strong passwords using the guidelines described above is that they’re basically impossible to remember. And the moment you write them down on a Post-It note, phone app or the back of a business card — well, yeah, you’ve already destroyed any “security” you gained with that string of 16 semi-random characters.
That’s where a password manager comes in. Password managers generate strong, unique logins for all of the sites you use and keep them in an encrypted vault. They’re designed to be impossible to remember — which is why you need only remember the single master password to the entire account.
Your best starting point is LastPass, which is now free for basic features. Other popular options include 1Password, Dashlane and KeePass.
Of course, the obvious caveat applies: A single password means a single point of failure. Indeed, LastPass suffered a data breach in 2015. But in that incident, the hackers did not get access to the master passwords, which LastPass doesn’t even store. (The company advised users to change their master password as a safety measure.)
But it’s a good reminder that your master password for a password manager needs to be as strong as possible, and completely unique. Follow all of the best practices cited in the first item, above.
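The point that a password manager “doesn’t even store” the master password deserves a concrete picture. The example below is added here and is not LastPass’s or any vendor’s code: it shows the standard pattern of stretching the master password into a vault key with PBKDF2 and keeping only a random salt and a hash of that key on file. A stolen record therefore contains neither the master password nor the key, and the only way back to them is guessing, which is why the last function measures how a record holds up against a (constructed) list of leaked passwords. The iteration count is an assumption for the example; real products tune it higher.

```python
import hashlib
import hmac
import os

# Work factor is an assumption for this example; real password managers use higher values.
ITERATIONS = 100_000


def derive_vault_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password into a 256-bit vault key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def enroll(master_password: str) -> dict:
    """What the service keeps on file: a random per-user salt, the work factor and a hash
    of the derived key. Neither the master password nor the vault key itself is stored."""
    salt = os.urandom(16)
    key = derive_vault_key(master_password, salt)
    return {"salt": salt, "iterations": ITERATIONS,
            "verifier": hashlib.sha256(key).digest()}


def check_master_password(record: dict, candidate: str) -> bool:
    """Re-derive the key from the candidate and compare the verifier in constant time."""
    key = derive_vault_key(candidate, record["salt"], record["iterations"])
    return hmac.compare_digest(hashlib.sha256(key).digest(), record["verifier"])


def guesses_until_match(record: dict, candidates):
    """Defender's measurement: how many entries of a leaked-password list a stolen record
    survives before one matches, or None if the whole list misses."""
    for n, candidate in enumerate(candidates, 1):
        if check_master_password(record, candidate):
            return n
    return None


if __name__ == "__main__":
    # Constructed stand-in for a list of passwords exposed in earlier breaches.
    leaked = ["password", "qwerty1234", "letmein", "iloveyou"]
    weak = enroll("qwerty1234")
    strong = enroll("Rk7# mX9q Lp2& vB4z")
    print("stored record holds no master password:", b"qwerty" not in weak["verifier"])
    print("weak master password matched after", guesses_until_match(weak, leaked), "guesses")
    print("strong master password matched:", guesses_until_match(strong, leaked))
```

The salt means two users who pick the same master password get different records, and the iteration count makes every guess cost the same stretched computation the legitimate login pays once. None of that helps if the master password is itself on a leaked list, which is the whole argument of the paragraph above.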