The Guru College

Forever Paranoid

One of the problems with using ZFS, even when you take its data integrity claims seriously, is that it makes you distrust everything else in the storage space. ZFS isn’t perfect, by any means, but it’s the best thing I can currently use, and I’m going to stick with it until <a href="https://btrfs.wiki.kernel.org/index.php/Main_Page">btrfs</a> is ready for prime time. The other problem with being paranoid about data is that it makes you paranoid about who can access said data, and that end of the rabbit hole comes out in password and account security, which I’ve blogged about before.

In short, it’s no longer good enough to generate one good password and use it on all your accounts. Even if you change it every 6 to 12 months on every site you have a login for, you still suffer from the common weakness that most user IDs these days are e-mail addresses: once an attacker gets your password from one place (a breached site database or a phishing page), the same e-mail and password pair will open everything else you use. And chances are you aren’t actually going back to every site and changing the password, so you’ll have multiple generations of old, bad passwords sitting in databases somewhere. As HBGary Federal proved recently, even the security folks can get this totally wrong: its executives reused the same passwords across e-mail, social media and the company’s own servers.

My suggestion? Use something like LastPass.com. Generate a new, random password for every site you visit and save the login details in LastPass. Tick every box that keeps things as secure as possible: the vault is encrypted on your own computer with a key derived from your master password, and that key should never leave your machine. LastPass then holds only the encrypted vault, which is useless to anyone (LastPass included) without your master password, so make that one long and make it the only password you actually memorise. Then (I know this is bad) write the master password down somewhere. If you have a safe deposit box, that’s a good place to keep it. The idea is that you use the password every day, but if Something Bad happens you’ll want it recorded somewhere. Now you can generate good, unique passwords for every site, and the browser plugins will auto-fill them. If you are on a friend’s computer and need a site you’ve secured this way, head over to lastpass.com, log in, and read off the login and password you need. (And once you’re back home, change that site’s password, and your master password too, since you’ve just typed it into a machine you don’t control. You don’t know where on the internet your friend’s computer has been.)

The other thing to do is enable Google’s two-factor authentication. It’s a pain to set up, but it’s worth it. It really does help secure your Google Account (which gets into your calendar, mail, Reader, shopping, YouTube, Picasa and anything you log into with OpenID…) by making authentication require something you know (your password) and something you have on you (your smartphone). After logging in from an unfamiliar computer, Google will make you open the authenticator app on your phone and enter the six-digit code it shows. That code is computed from a secret shared only between Google and your phone plus the current time, so it changes every 30 seconds and is unique to the device in your pocket. A password lifted from some other site’s breach is therefore no longer enough on its own; the attacker would also need the code currently showing on your phone. (Now, if you’ve saved all of your logins in your browser, set LastPass to log in automatically, and your laptop gets nicked… you’re boned.)

I fully expect none of my readers to actually do this. Which makes me a sad panda.
