We’re all adults here. Whether we approve of them or not, we can all admit that sites like Ashley Madison have a right to exist. But as with any right, the right to exist comes with a responsibility. In this case, it was the responsibility of the parent company, Avid Life Media, to keep the data safe.
They weren’t able to do this, and now Ashley Madison hack victims have more to worry about than their marriages. Now they have to worry about identity theft. When the hacked data was posted online, it didn’t just reveal affairs…
Now what on earth does the Ashley Madison hack have to do with Renters Insurance, you ask? That’s an excellent question, and it was addressed in part over at Ars. The inherent problem here is that it wasn’t just usernames and real names that were leaked.
The passwords were hashed, which makes them difficult or impossible to recover directly – perhaps the one thing that Avid Life Media did right in all of this. That’s good news. The bad news is that rainbow tables exist. What’s a rainbow table? Let’s say that you know that the password “wombat” always hashes to “85d7997b1096a1ab8ea8693515d24029”. All you have to do is search the leaked data for that string.
You now know that any email associated with that hash uses that password. Now you can try to log in to every bank, credit card company, etc. with that username and password. Since people have a terrible habit of using the same password everywhere, you’ve got a good chance of getting in. Rainbow tables are a list of hashes of common passwords. Compare a list of hashes to the leaked data, and you’ll get a large number of hits – now you have the login and password for a wide variety of accounts. It’s easy, and it requires practically zero computing power.
But the Ashley Madison hack is worse than just the ability for people to try your username and password on financial sites. It includes GPS data in some cases, data about preferences that might have been relevant to the purpose of the site, credit card numbers (about ten million of them), phone numbers, birth dates, and more. Absolutely everything that an identity thief would need to open accounts in someone’s name, even enough data in some cases to sell a victim’s home out from under them illicitly and take the money and run.
On the positive side, social security numbers are not included. But that’s small comfort when, in many cases, there’s enough data there to go down to the Social Security office and social engineer your way into a new copy of the card itself. Once an identity thief has that, it’s game over – if it wasn’t already.
With all this data out there from the Ashley Madison hack, how can you protect yourself? There are a few things to be cognizant of that will help you protect yourself whether you’re on a questionable site like that or any other site.
Unique Passwords – Every Site, Every Time
Not all sites properly hash and salt your passwords (a salt is extra random data, not part of the password, that is mixed in before hashing). Some even store them in plain text. If someone got hold of that data, they’d have that password in clear text. That’s why you should use unique and secure passwords on each site, and never reuse a password. There’s an XKCD that deals with one way of handling it. The Ashley Madison hack data only has hashed passwords, but you can bet there are sites out there that don’t bother with this basic security precaution.
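To make the hash-lookup problem from the rainbow table discussion above and the point about salting concrete, here is an added example (not code from the original post or from any of the sites mentioned). It uses a constructed, tiny “leaked” table of unsalted MD5 hashes and a constructed list of common passwords, shows that a precomputed lookup table matches them instantly, and then shows the defensive alternative: a random per-user salt with a slow key-derivation function, so two users with the same password get unrelated digests and no precomputed table applies.

```python
import hashlib
import hmac
import os

# Constructed sample data (not from any real breach): a short dictionary of
# common passwords and a tiny "leaked" table of unsalted MD5 hashes.
COMMON_PASSWORDS = ["123456", "password", "wombat", "letmein"]

def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()

LEAKED_UNSALTED = {
    "alice@example.com": md5_hex("wombat"),
    "bob@example.com": md5_hex("correct horse battery staple"),
}

def build_lookup_table(passwords):
    """Precompute hash -> password once; this is the work a lookup table
    (the simplest form of what the post calls a rainbow table) represents."""
    return {md5_hex(p): p for p in passwords}

def recover_from_unsalted(leaked, table):
    """Unsalted hashes: any password in the table is found by a plain lookup."""
    return {email: table[h] for email, h in leaked.items() if h in table}

# Defensive storage: random per-user salt plus PBKDF2-HMAC-SHA256, which is
# deliberately slow so even a dictionary attack costs real computing time.
ITERATIONS = 200_000

def hash_password(password: str, salt=None):
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored_digest)  # constant-time compare

def salted_hashes_differ(password: str) -> bool:
    """Same password for two users -> two salts -> two unrelated digests, so a
    table precomputed against one hash form says nothing about the other."""
    salt_a, digest_a = hash_password(password)
    salt_b, digest_b = hash_password(password)
    return salt_a != salt_b and digest_a != digest_b
```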
Password managers are another great option – they’ll create random passwords and store them so all you have to remember is the password to get into the password manager. Add a second authentication factor like Google Authenticator or a Yubikey, and even if someone has your master password they’re not getting in.
Right Question, Wrong Answer
Those secret questions for password recovery are a good idea, except that they’re not. How difficult is it to find someone’s mother’s maiden name? Not terribly. That’s the sort of information that’s often easily available online. Remember when Sarah Palin’s email got hacked? “Secret” questions were the weak point.
The solution is to use consistent, but wrong answers. Tell every website that you were born in Anchorage, your childhood best friend’s name is Betty White, and you grew up on Elm Street. They don’t have to be right, they just have to be consistent so you can remember them. This wouldn’t have helped in the Ashley Madison hack, of course, but it certainly helps against people who are targeting you as an individual.
Your Circle Of Trust Should Have A Radius Of Zero
So you trust your bank’s website. That’s nice. Do you trust your local radio station’s website? Probably not. So why would you use the password for your banking on the radio station’s website? Is your convenience worth the risk? Not a chance. Every site you give the same password to is an exponential expansion of the circle of trust with that password, as well as an exponential expansion of the risk it will be compromised.
If you keep your circle of trust to a one site maximum, even if that password is breached, you’ll only have to clean up the mess and change the password on one site. If you use the same password on every site, you’ll have to change the password on literally every site you’ve ever logged into. Not worth it – it’s much easier to just follow best practices and use a password manager.
Renters Insurance Identity Fraud Protection
Identity fraud protection on renters insurance is a great way to protect yourself. Large breaches have a way of expanding to other areas of your life, and many times thieves will sit on personal information or card numbers for some time before trying to use them. How much would it cost you to fix someone using your credit cards? How much time, energy, and money would it cost if someone opened cards in your name? Renters insurance identity fraud protection pays for the expenses related to cleaning up after someone steals your identity, and it’s a great way to protect yourself. It’s also incredibly affordable.
If you have additional questions, please feel free to call, and make sure to review our Guide To Renters Insurance. If you prefer, there’s a video version of the guide below. It’s a quick watch, and there is some great information about your policy in there.