The importance of a strong password for your Apple ID

Discussion in 'Apple iCloud' started by elbert, Aug 4, 2012.

  1. elbert

    elbert Active Member

    Actually, it is important that any online password be strong.

    Apple's pretty stringent about the kind of password you make:


    Their requirements are that the password must:
    - Have at least one letter
    - Have at least one capital letter
    - Have at least one number
    - Not contain more than 3 consecutive identical characters
    - Not be the same as the account name
    - Be at least 8 characters

    And here's an extreme example of how horribly wrong things can get when your password is hacked:

    Hacked iCloud password leads to nightmare | TUAW - The Unofficial Apple Weblog

    I don't know how he got around it, but not too long ago, my wife and I were locked out of our respective iCloud accounts because Apple required us to change our passwords. Same goes for a number of clients of mine. I'm now glad that they did that.

    Take care folks, there are some really nasty people out there.
     
  2. lamski

    lamski PhilMUG Addict Member

    The article says the hacker group used social engineering to get an apple rep to reset the password.
     
  3. elbert

    elbert Active Member

    Yeah, that was in update #2, which wasn't up yet as of posting.

    That really is malicious.

    Still, it's as good a time as any to be conscious of your password.
     
  4. redtamayo

    redtamayo Well-Known Member

  5. redtamayo

    redtamayo Well-Known Member

    Update: Amazon has announced they have changed policies to not allow anyone to add credit cards via phone. Apple meanwhile has suspended AppleID password resets over the phone.
     
  6. penmanila

    penmanila The Pinoy Penman
    Staff Member

    i went through such an attack a few years ago--someone hacked my apple, gmail, and yahoo passwords, and made a huge mess of things for a few days. i was on the phone to apple support for about an hour trying to convince them i was who i was, and it took some very specific questions (which i won't say here) to establish my identity and for them to reset my password.

    thankfully, in my case, it seemed more like a simple hacking exploit used for one purpose (my .mac mail was used to generate a series of those "i'm stranded in madrid can you send some money" messages). i managed to stop it within the day. none of my bank accounts or personal information was compromised.

    and i'm very security-conscious--i'm not one to fall for those "urgent" messages from "yahoo" or from my "bank" asking me to give my password--so this was even scarier. i suspect that my password was obtained through what they call "sidejacking"--the digital equivalent of someone looking over your shoulder as you type in passwords in public places like airports or coffee joints.

    and thankfully again, i back up--redundantly. especially after that episode.
     
  7. raypin

    raypin PhilMUG Addict Member

    mmm.....if available, use a two-step verification to access a service. The first part is the user password while the second part is a numeric code (good for 30 days or one-time use) sent via sms (or automated voicemail) to the user's registered cellphone number. Gmail was among the first to implement this more secure authentication protocol. Hotmail (and Outlook.com) followed. For password resets, the numeric code will also be sent via sms (or automated voice mail) to the user's registered cellphone number (assuming the user has configured it correctly in his/her account profile settings). A two-part procedure involving a secondary device (cellphone) is a more secure way to protect against the possibility of a hacked account.

    Another reasonable precaution is not to use the same password string for multiple services. Removing account linking is another. My procedure is simple: my email accounts are categorized as throwaway accounts and non-throwaway. Throwaway email accounts are utilized to register into websites, fora, ordinary communication, etc. Non-throwaway are my primary accounts which I use for more sensitive stuff (PayPal, gaming accounts, online purchases etc.). In the secondary email field (where the service can send the password reset link), I do not mix my throwaway and non-throwaway accounts. In other words, there is no registered link between the two.

    Social media is a security hole, as demonstrated in this case. Common sense solution: be more prudent in the type of information that you publish in your social media accounts. Personal details in social media accounts need not be the same as personal details registered in the email accounts.

    On the hardware side, do not access your email service on public wifi, and if there is no choice, use a VPN and only for accounts with an https (SSL) connection. Public or free wifi is also free... free for the hacking public to steal your account credentials.

    How to create a strong password? The recommendation of security experts is to use a combination string of letters, numbers and character strings in both uppercase and lowercase. That's a tall order but there is a simple way, even if you have been using the same password over the years.

    My method is to use base64 conversion. For example:

    Favorite password: I Love Bacon. Simple and vulnerable password. But converted to a base64 string (using this encoder), that same password that you have been using for years will be: SSBMb3ZlIEJhY29u. That is strong enough, but it is very difficult to remember. But it's not. All you have to remember is your favorite password and convert it to base64 code. IOW, just remember the procedure.
     
    #7 raypin, Aug 8, 2012
    Last edited: Aug 8, 2012
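As an added example (not code from any poster in this thread): a small Python checker for the six Apple ID rules listed in the first post, together with the base64 step described in post #7. Running it shows two things worth knowing before adopting the base64 trick: "I Love Bacon" fails only the "at least one number" rule, and its base64 form SSBMb3ZlIEJhY29u passes all six rules yet decodes straight back to the original phrase, because base64 is a reversible encoding, not a hash. Treating the account-name comparison as case-insensitive is my assumption; the page does not state Apple's exact rule.

```python
import base64
import re

# Apple ID password rules as listed in the first post of the thread.
MIN_LENGTH = 8
MAX_IDENTICAL_RUN = 3  # "not more than 3 consecutive identical characters"


def apple_id_password_problems(password: str, account_name: str) -> list[str]:
    """Return the rules the password fails; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no capital letter")
    if not re.search(r"[0-9]", password):
        problems.append("no number")
    # (.)\1{3} matches any character followed by three more copies of itself,
    # i.e. a run of four, which is "more than 3 consecutive identical characters".
    if re.search(r"(.)\1{%d}" % MAX_IDENTICAL_RUN, password):
        problems.append("more than 3 consecutive identical characters")
    # Assumption: the account-name check is case-insensitive.
    if password.lower() == account_name.lower():
        problems.append("same as the account name")
    return problems


def base64_password(phrase: str) -> str:
    """The transformation described in post #7: base64-encode the phrase."""
    return base64.b64encode(phrase.encode("utf-8")).decode("ascii")


def base64_recover(encoded: str) -> str:
    """Anyone holding the encoded string gets the phrase back with one call."""
    return base64.b64decode(encoded).decode("utf-8")


if __name__ == "__main__":
    account = "someone@example.com"  # constructed sample account name
    for candidate in ("I Love Bacon", base64_password("I Love Bacon"), "aaaa1Bcd"):
        print(f"{candidate!r}: {apple_id_password_problems(candidate, account) or 'passes'}")
    print(base64_recover("SSBMb3ZlIEJhY29u"))
```

The point of the last call: a password checker only sees the 16-character string and is satisfied, but an attacker who knows (or guesses) that a base64 scheme is in use needs only the short phrase, so the effective guessing space is that of "I Love Bacon", not of a random 16-character string.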
  8. peter_ob

    peter_ob Active Member

  9. docjbr

    docjbr PhilMUG Addict Member

    Haha! Good one! She only has to add a number, and she's good to go!
     
  10. raypin

    raypin PhilMUG Addict Member

    mmm....to add: another point of vulnerability is mobile devices, in particular, cellphones. Most of us have smartphones with push email enabled. Very convenient since we can receive our emails via cellphones 24/7, but it also makes our email accounts vulnerable. The problem is smartphones are protected with a 4-digit PIN code, not a very secure system. To deal with this problem: as soon as I've read an important (or sensitive) email, it is deleted and the trash folder is emptied. The trash folder is not synchronized, so the email remains on the email web server (for subsequent access or perusal) but not on the mobile device.
     
  11. lamski

    lamski PhilMUG Addict Member

    I just turned on 2-factor authentication for my Google account. It's a bit of a chore to set up external apps that could not send authentication requests, but it's a one-time setup that should hopefully prevent any security breach in the future.
     
  12. raypin

    raypin PhilMUG Addict Member

    mmm....chore, yes, but just consider it as an ounce of prevention....which is worth a pound(ing) headache once your account(s) is/are compromised. Also, keep your 10 one-time-use, pre-provided numeric codes in a very safe place (in case your Gmail-registered phone is stolen). Facebook two-step authentication is also available.

    Re: gmail....sometimes gmail sms is delayed. I just opt for the automated voice call to get the code.
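As an added example (not from the thread): what the provider side of the "10 one-time-use, pre-provided numeric codes" from post #12 can look like, as a complement to the two-step flow described in post #7. The codes are drawn from a cryptographically secure generator, only salted PBKDF2 hashes of them are stored, and redeeming a code deletes its hash so the same code cannot be replayed. The code count, digit count and PBKDF2 parameters are my choices for illustration, not anything the page states about Gmail's implementation.

```python
import hashlib
import hmac
import secrets


def generate_backup_codes(count: int = 10, digits: int = 8) -> list[str]:
    """Issue `count` random numeric codes, zero-padded to `digits` characters.

    secrets.randbelow is a CSPRNG; random.randint would be predictable.
    """
    upper = 10 ** digits
    return [f"{secrets.randbelow(upper):0{digits}d}" for _ in range(count)]


def _digest(code: str, salt: bytes) -> bytes:
    # Deliberately slow key derivation, so a leaked table of stored codes
    # cannot be brute-forced across all 10^8 numeric possibilities cheaply.
    return hashlib.pbkdf2_hmac("sha256", code.encode("ascii"), salt, 50_000)


class BackupCodeStore:
    """Server-side record of a user's unused backup codes.

    Only salted hashes are kept; the plaintext codes exist solely on the
    printout the user is told to keep in a safe place.
    """

    def __init__(self, codes: list[str]):
        self._salt = secrets.token_bytes(16)
        self._unused = {_digest(c, self._salt) for c in codes}

    def remaining(self) -> int:
        return len(self._unused)

    def redeem(self, submitted: str) -> bool:
        """Accept a code exactly once; return False for unknown or spent codes."""
        normalized = submitted.strip().replace(" ", "")  # users often type "1234 5678"
        candidate = _digest(normalized, self._salt)
        for stored in self._unused:
            if hmac.compare_digest(stored, candidate):
                self._unused.discard(stored)  # one-time use: burn it on success
                return True
        return False


if __name__ == "__main__":
    codes = generate_backup_codes()
    print("give these to the user once:", codes)
    store = BackupCodeStore(codes)
    print("first use:", store.redeem(codes[0]))   # True
    print("replay:", store.redeem(codes[0]))      # False
    print("codes left:", store.remaining())       # 9
```

The replay check is what makes these codes safe to write down: even if a spent code is later read off the printout, it buys the attacker nothing, and the user can see how many unused codes remain and request a fresh set when running low.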
     
