IDENTITY: an important topic and some tips

And we're back ...

During my latest absence, I've been spending a great deal of time thinking about IDENTITY. At first blush, a simple concept. Scratch just beneath the surface, and the concept becomes incredibly nuanced. Identity has implications at once philosophical, biological, engineering ... the list goes on.

You've likely jumped to the conclusion that I've been thinking about identity as applied to people. The image atop this post does point in that direction; it comes from a fascinating post. I will address both "people identity" and "things identity" in future posts, the latter in the sense of physical inanimate objects.

You may have jumped to the conclusion that I've been thinking about identity and security, in the Venn diagram sense of the two overlapping. You would be mostly right. Over the years, I've penned a TON of posts on security topics. I've reached the conclusion that identity is one of a handful of "root level" security issues. Phrased another way, solving many classes of security challenges requires first solving the identity challenge.

Identity is the new major blog theme. I will tackle all this step-by-step over the coming months. With any luck, there will NOT be a book (by me) involved.

There are A LOT of people interested in identity. Your identity. Grabbing elements of your identity for nefarious purposes. Most recently, Yahoo "involuntarily shared" a database of half a billion (with a 'B') user credentials.

If you pay attention to such identity breaches, this is nothing new. Big companies have suffered big hacks at an accelerating pace, in which the ne'er-do-wells steal databases with tens or hundreds of thousands of user credentials. How many companies? How many user credentials? Check out this outstanding webpage to get a sense of recent user credential breaches.

Yikes.

The website Have I Been Pwned is one of the best answers to the question "What the heck can I do about this?" Right there atop the homepage, type your email address and you'll immediately discover which of the major breaches included YOUR user credentials.

Find yourself included in a breach? Now you're thinking "What the heck can I do about THAT?" The first thing is to learn a little about the breach, starting with when it took place. If you haven't changed your password on the breached website since the date of the breach, you'll want to do so now. If you can't remember the last time you changed your password on the breached website, don't take chances: change it now.

Here's the trickier bit: if you used the compromised password on another website, you'll want to change that password. Trickier still, if you used a tweaked version of the compromised password on another website, you'll still want to change that password. For clarity: if the compromised password was "My1Mutt" and you used "MyMutt1" or "My2Mutt" on other websites, ALL of the "rhyming" passwords are compromised.

Lest you think I'm being paranoid, this is PRECISELY why the aforementioned ne'er-do-wells go to the trouble of absconding with user credentials in the first place. The hackers may not be interested in logging into your Yahoo account at all: they want to hack into your bank account. And enough people use the same (or rhyming) password on multiple websites to make it worth their while.
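The "rhyming password" problem above can be turned into a self-audit: given one password known to be in a breach, flag every entry in your own vault that is either identical to it or a trivial tweak of it, so you know which accounts to rotate. This is an added example, not code from the original post; the vault contents, site names and the breached password are constructed sample values (the `My1Mutt` family comes from the post), and the "same letters, shuffled digits or punctuation" rule plus a small edit-distance threshold are assumptions about what counts as rhyming.

```python
"""Audit a password vault for near-variants of a breached password.

Added example, not from the original post. The vault contents and the
breached password below are constructed sample values, not real credentials.
"""
import re
from typing import List, Tuple


def _core(pw: str) -> str:
    """Reduce a password to its 'rhyme': case-folded letters only.
    Digits and punctuation are the parts people shuffle between sites."""
    return re.sub(r"[^a-z]", "", pw.lower())


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def is_rhyming_variant(leaked: str, candidate: str, max_distance: int = 2) -> bool:
    """True if candidate is the leaked password or a trivial tweak of it.

    Two assumed tests: identical letter core (digits/punctuation moved,
    added or changed), or raw edit distance within max_distance.
    """
    if candidate == leaked:
        return True
    if _core(candidate) == _core(leaked):
        return True
    return levenshtein(candidate.lower(), leaked.lower()) <= max_distance


def audit_vault(leaked: str, vault: List[Tuple[str, str]]) -> List[str]:
    """Return the sites whose stored password must be rotated because it is
    the leaked password or rhymes with it."""
    return [site for site, pw in vault if is_rhyming_variant(leaked, pw)]


# Constructed sample vault: (site, password). Every value here is made up.
SAMPLE_VAULT = [
    ("mail.example", "My1Mutt"),       # the breached password itself
    ("bank.example", "MyMutt1"),       # digit moved
    ("shop.example", "My2Mutt"),       # digit changed
    ("forum.example", "my1mutt!"),     # case changed, punctuation appended
    ("work.example", "Tq7#vLp9Rz2w"),  # unrelated random password
]

if __name__ == "__main__":
    for site in audit_vault("My1Mutt", SAMPLE_VAULT):
        print(f"rotate password at {site}")
```

Run it and the four "rhyming" entries are listed for rotation while the unrelated random password is left alone. In a real vault the check should run locally against the manager's export, never by sending passwords anywhere.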

That is Tip #1 for the post: visit Have I Been Pwned, type in your email address, and take appropriate action. At the risk of stating the obvious, you'll need to do that for each email address you use.

Tip #2 for the post: visit the very same Have I Been Pwned website and click "Notify Me" in the menu at the top. This is a remarkably valuable service that will alert you to future breaches that include your email identity. You'll get an email confirmation, and be sure to click the link therein.

Tip #3 for the post: dammit, I hesitate to even go here ... use a different STRONG password on every website. That's 10+ random characters. 10+ random upper-case letters is a fine password, though most websites want to see lower-case letters, a numerical digit, and often a punctuation mark. Clearly all these strong random passwords mean you need a password manager, natch.
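Tip #3 in code form, as an added example that is not part of the original post: a per-site generator that draws from the OS cryptographic random source, checks the result against the kind of complexity rule the post describes (10+ characters with upper-case, lower-case, a digit and punctuation; that exact policy is an assumption), and computes the entropy so you can compare the post's "10 random upper-case letters" against a mixed alphabet. The site names are constructed and the `build_vault` dictionary stands in for the password manager the post says you will need.

```python
"""Per-site strong passwords and the complexity check most sites apply.

Added example, not from the original post. The policy (10+ characters with
upper, lower, digit and punctuation) mirrors the post's description and is an
assumption; the site names are constructed.
"""
import math
import secrets
import string

# Full printable-ASCII alphabet: 26 + 26 + 10 + 32 = 94 symbols
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def meets_policy(pw: str, min_len: int = 10) -> bool:
    """Assumed site policy: at least min_len characters and one of each class."""
    return (
        len(pw) >= min_len
        and any(c.isupper() for c in pw)
        and any(c.islower() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(c in string.punctuation for c in pw)
    )


def generate_password(length: int = 14) -> str:
    """Draw uniformly from ALPHABET with the OS CSPRNG (secrets, never random)
    and reject draws that miss a character class. Rejection sampling keeps the
    result uniform over the accepted set, rather than forcing a digit into a
    fixed position, which would make the password more predictable."""
    if length < 4:
        raise ValueError("need at least one character per class")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(pw, min_len=length):
            return pw


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def build_vault(sites, length: int = 14) -> dict:
    """One independently generated password per site, so a breach at one site
    tells the attacker nothing about the password at any other site."""
    return {site: generate_password(length) for site in sites}


if __name__ == "__main__":
    # Constructed site names
    vault = build_vault(["mail.example", "bank.example", "shop.example"])
    for site, pw in vault.items():
        print(f"{site}: {pw} ({entropy_bits(len(pw)):.1f} bits)")
    print(f"10 random upper-case letters: {entropy_bits(10, 26):.1f} bits")
    print(f"10 random mixed characters:   {entropy_bits(10):.1f} bits")
```

Ten random upper-case letters work out to about 47 bits, and ten characters from the full 94-symbol alphabet to about 65.5 bits; adding length is the cheapest way to add more. The point of `build_vault` is the independence of each entry, which is what a password manager gives you and what reuse throws away.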

What does this post have to do with identity? Your email address has been overused and abused as a form of identification. It is the common element that enables the ne'er-do-wells to hack one database of user credentials and then attempt to attack your accounts at unrelated websites.

Most websites require just two pieces of information to login: your username and your password ... and your username is most often your email address. One way or another—breach or no breach—your email address is in the public domain. Your password is the ONLY line of defense, hence the "strong password with 10+ random characters" requirement.

Identity. A lot to think about. Ought to keep us busy here for some time ...

I can identify with this :)

More articles by Bruce Kleinman