What the PSN breach means for you

Submitted by sdgi222 on Tue, 05/17/2011 - 01:11 pm

As some of you may or may not be aware, the PlayStation Network was hacked several weeks ago, resulting in 77 million users having their names, usernames, passwords, and addresses stolen, among other things.

Look at that number: 77 million.  That’s a greater population than most countries in the world.  How in heaven’s name did a group of hackers manage to gather all that data?  It turns out that Sony thought it would be a good idea to store all their users’ personal information as plain text.  Plain text is infamous for being vulnerable and insecure; sort of like a child using their hands to cover up something they don’t want the teacher to see, only for her to brush them out of the way moments later.  They did have the decency to encrypt credit card data, but this gaping hole in users’ security has done massive amounts of damage to Sony’s PR (for example, Japan still won’t let the network come back online in their country).

So, how does this relate to those of you lucky enough to escape this fiasco?  Stop for a moment, and think about these questions.

1. How many websites do I frequent where I use the same password?

2. How many websites have some form of personal info?

3. Which websites log me in with my Facebook/Myspace info instead of a unique username and password?

4. How easy would it be for someone to answer my security questions?

To be fair, the poor little human brain has difficulty remembering a dozen different usernames and passwords, and security questions seem pretty straightforward.  But comfort is no excuse when there are programs that can test over 10,000 possible passwords an hour (to put that in perspective, there are fewer than 250,000 words currently in use in the English language). So, aside from the informational videos you can find a senator or concerned police officer giving online, what can you do to keep yourself safe?

First, know that unless it’s a website like eBay or Citibank Online, you really don’t need to give out accurate information as to your real name or address.  Most websites I frequent are perfectly fine with me being Reginald Haberdashery, who lives at 1313 Dead End Drive in Townsville. I also recommend combining random strings of numbers with any street name from Monopoly. If it asks for a zip code, Google any random five digits and see what state you wind up with.

Secondly, know that some websites really, REALLY don’t need to know every little detail about your life.  Take Facebook for instance.  Imagine that someone got hold of your password or, heaven forbid, you left yourself logged in at the library or at home where anyone could hop on.  What data about you would they see?  Is it absolutely necessary to say what school you go to, where you live, how old you are, etc., when everyone who you know will probably already know most of those tidbits?  People will “Facebook you” already to try and learn about potential dates, so that right there ought to be an indication that we’ve gotten a little too cozy posting personal data to a public venue.  Be careful.

Thirdly, be creative with the passwords.  I’m not saying combine your dog’s name with your birthday; that’s kid’s stuff any hacker could get from Googling your Facebook profile and photos (see what I mean?).  No, I mean really out there, “where did you come up with that?” creative.  Think back to the class that broke your 4.0 GPA.  What was the course?  Who taught it?  What year did you take it?  Combining these bits of data is meaningless to anyone else, but it’s something you can remember because it directly affected you and only you.  Other good passwords are sports scores with the player who made the winning point on your old high school team, your favorite shampoo and what you wistfully remember paying for it prior to the economy tanking, and how many licks Mr. Owl needs to take to get to the center of a Tootsie Pop.

Finally, NEVER be direct with answers to your security questions, no matter how obscure they may seem to be.  Let’s say that you pick the question, “Who was my first boyfriend?”  That was back in freshman year of high school, and you haven’t spoken to the guy in years!  No one will ever guess who it was, and your data is safe for another night. Or it would be, if I didn’t know you dated John Doe.  Maybe I found that in a yearbook, maybe we went to the same high school and I remember, maybe you mentioned it in a Facebook post; it doesn’t matter.  What does matter is that I know the answer, I got in, I changed your password and the security question, and there’s nothing you can do about it.

So, how to avoid this sort of disaster?  It’s actually quite easy. Let’s say that you once again choose the question, “Who was my first boyfriend?” The answer is John Doe, and it would be tricky to try and say it was someone else, so we can’t use another ex.  But let’s say that you and John had a very messy breakup, and years later you still think he’s kind of a jerk.  So, the answer to the question is now, “Jerkface Jerkenstein.”  You’ll remember because you consider him to be a total jerk, but unless you repeatedly address him as such, no one will figure this out (bonus points for not using words that spellcheck considers actual words, since most password crackers take far longer running through random letter patterns than through the nice, whole words found in a dictionary).  What about, “Who was your favorite high school teacher?”  Think about what book you read that influenced you the most at that age, and write down the author’s name.  “What was your first car?”  Call it by its old nickname, like “my baby” or “the party wagon!”

The point is, it’s as easy to keep some data hidden as it is for others to break in and steal that information.  Just be careful, be private, and for goodness’ sake, stop posting every last detail about your life to Facebook.