Sometimes there’s online dating stuff in the news that I take forever to comment on. I want to really roll it over in my mind, think about what’s been published, and have a good handle on my thoughts.
This Ashley Madison hack is a little different. I don’t care that much about the news, but I do want it to scare you into making some simple, responsible, prudent changes to your online profiles and habits.
*Ashley Madison data dump appears* *everyone in InfoSec puts on their game faces* “It’s Go Time.”
— Securitay (@SwiftOnSecurity) August 19, 2015
I don’t particularly mind Ashley Madison. Sure, it might seem nefarious to most people that a site exists expressly for having extramarital affairs. But I think there’s a ton of context around why and when people seek affairs—sometimes it’s consensual, sometimes there are extenuating circumstances, like a partner who’s unable or unwilling to have sex with their spouse. Sometimes it’s just smarmy people being smarmy.
But really, wouldn’t you rather that they all be smarmy together on a site that expressly identifies itself as for the affair-seekers, rather than duping people looking for a monogamous relationship on other dating sites into getting involved with them? I think it’s kind of good to have a place to go for your extramarital brand of online dating. I’m unsurprised that Ashley Madison exists and has become popular, and I don’t think the rest of the world needs to concern itself with Ashley Madison or its users.
But… that hack, y’all. That’s a LOT of very personal data out there in the world, as well as some terrible security practices from what I can surmise.
Let’s focus on the teachable moment, not on demonizing the company or its users. Here’s what we can learn from this whole episode:
Use a different email address for each site
There’s no disadvantage to doing this, REGARDLESS of that site’s purpose. I’ve long recommended in my tech tips that people create dedicated online dating email addresses for safety reasons. This isn’t the thing I mean by “safety,” normally—I mean more like “when you move the conversation from Match messages to emails, share an email address that doesn’t reveal your full name or your employer”—but this is another, more modern layer to safety. If you have a dedicated address per dating site, a breach of any given dating site means your usual login credentials won’t be exposed for hackers to try on other sites.
Keep in mind that breaches of your login credentials can also happen with the people dating sites sell/share their lists with, or the ad tracking networks that you didn’t realize you opted in to letting follow your activities when you browsed Match. It’s ridiculous how invasive that stuff can be, and how much info totally unrelated-seeming companies can have about you. Different email addresses per site = slightly less trackable online presence. Don’t worry; you can still get your push notifications to know when someone has asked you out!
Don’t make your dating username your bank/credit card username
Usually it’s a bad idea to have your username for stuff like credit cards be the same as your dating site username. Because usually, the name on the dating site has very different needs and should be tailored to a very different audience and purpose. But just in case you’re one of those people who uses the same username everywhere: quit it. Come up with a new username (here’s help) for dating profiles.
Use a stronger password, dammit
I tell my clients this all the time, but they usually don’t listen or change their passwords. :) I get it—it took me years to update to using a secure password management tool (I like 1Password best of all). But I do now, and I’m glad I switched to doing this before I became a bigger media presence in online dating–how lame would it be if an online dating expert’s social media or dating profiles got compromised and started sending everyone weird online vitamin spam links? Ugh!
Even if you’re not on a site expressly devoted to cheating on your spouse, and you’re not a media expert with the same concerns as mine, imagine how awkward you’d feel if your eHarmony account got hacked. For all we know, maybe that company stores all your personality data in a file indicating your aversion to homosexuals and your feelings on the political landscape leading up to the 2016 election. Maybe you just don’t want people to know you love long walks on the beach at sunset, because that’s horribly cheesy and you should have hired me years ago. I don’t know what you’d find most embarrassing, but I know you’d be squicked out if your entire digital dating life were published online. Or even if some weirdo just logged in and started messaging people randomly as you. It’s happened. It’d be weird. Trust me.
So just take this super-simple precaution already. Make sure whatever usernames and passwords you use to log in to ANY site (dating or not) are all different from each other, and as complex as the often pathetic password rules will allow for. (eHarmony’s password max is something ridiculous like twelve characters with no symbols. Match allows for passwords as short as four characters with no capitalization/numbers/symbols. Great job, folks.) Be as secure as any given system will let you be.
Make sure your Facebook password is hella strong.
Lots of dating sites and apps lean on Facebook to log in and/or create accounts. I’m big on NOT using a social media account if I don’t have to, because I’d rather have more control over what data is used—but plenty of sites and apps (ahem, Tinder) don’t leave us a choice. Rather than refuse to use Tinder, because, come on, most people aren’t going to, you should go out of your way to make sure your Facebook password is incredibly strong. Like, far too annoying to actually keep memorized strong. I’m telling you, use password software. This is one of those seemingly small paranoias that you should get ahead of BEFORE something nefarious happens, not after.
Know that being online in general always has some risk.
None of this is foolproof. OkCupid could get hacked tomorrow, no matter how great your password is. (Frankly, I trust OkCupid slightly more than other dating sites/apps simply because the product was developed by a bunch of computer scientists, but they’re also delighted that they don’t have any QA, they have a poor banning/blocking visibility policy, and they’ve had plenty of bugs in which users’ privacy is handled poorly or violated entirely.) Nothing is perfect. Trust no one company completely to be 100% un-hackable and to store all your info in perfectly prudent, future-hack-proof ways.
But hey, this is also true of shopping with a credit card or check at Target, or your local grocery store, or any restaurant ever. Risk is everywhere. New measures like NFC payment and chip-and-PIN transactions are helping a tad, but not a ton. Cash was pretty secure, but we’re all kinda done with that, amirite? We all use plastic, and plastic is risky but it sure as hell is convenient.
Accept that being online carries some risk, and entering online transactions always carries some risk. Heck, texting a friend carries the risk that the NSA is listening. TRUST NOTHING! :) Develop good habits about mitigating that risk, via smart practices, helpful tools, and regular checkups of your credit report and credit card statements.
And listen to me when I yell at you to change your damn password already.