You see, like most data professionals, I have three levels of password security. Level one goes to my bank account password. It's long and complex and hard to guess. Level two goes to my e-mail accounts - they're shorter, but still don't spell anything, and should be hard to break. Level three goes to my shopping and utility accounts. I don't care so much if someone breaks in and gets to my electric bill.
When I first set up my iTunes account, three years ago when I got my iPhone, I set it up as a shopping account. Time went on, I got an iPad, iCloud arrived to back up my data to the cloud, and I wasn't thinking that part of the data backed up to the cloud was my e-mail contact list. I still had it on the simple password list.
I found out about the hack about ten minutes after it happened - my friends on the west coast were up and checking e-mails, and one of them texted me. I cussed a blue streak, got online, changed my password and started on damage control. I was puzzled by some of the bounced messages - they were sent to people who weren't on my personal e-mail account. So, I puzzled and puzzled some more (in the immortal words of Dr. Seuss). How did the hackers get the addresses? It wasn't until morning that I figured out the link to my iTunes account - it's the one place where my personal and work emails blend.
I felt a little better; my email account password hadn't been hacked after all. But really stupid. I should have thought about the security of the iTunes account when I set up the online backups. Fortunately for me, it was a hit-and-run hack. They sent out some stupid link to a magical weight-loss site. **sigh** I do wish these people would use their powers for good...
So, for those of you who are not data professionals, here are a couple of ways for you to avoid the trap I found myself in:
- For anything that involves money or your email accounts, the password should be 10-16 characters long, shouldn't spell anything, and should be used on one site only. A good way to come up with a secure password is to pick a phrase: The sun will come up tomorrow. Then, pick the first letter of each word: Tswcut. Add some numbers you'll remember. (The last four digits of a friend's phone number work well, for those of us old enough to remember when we had to remember phone numbers without the help of our phones.) And you have it: Tswcut6403 - a hard to hack but easy to remember password. (And yes, I have a list of websites and passwords written down somewhere. I figure it's really hard to hack my paper files...)
- I have a separate email account I use for shopping accounts. I figure since I use simpler passwords on those sites, this way if the accounts do get hacked, they don't get much - just links to places that send me shopping e-mails. I also don't allow the sites to save my credit card number - it's not THAT hard to type in each time, and I've heard of too many places getting broken into and those lists of card numbers stolen.