*** If you think one of your online accounts is hacked or compromised in some way, and that’s how you got here, immediately log into whatever account it is and change your password. ***
Recently a friend of mine’s Facebook account was phished, which is the impetus for me creating this entry. All of his friends received Wall posts saying that they had pictures posted on a web site. This was designed to get the unknowing to visit the site. Once there, the site began asking the visitor questions before allowing you to interact with it, for example, to view your pictures. This is a standard tactic for extracting information from users by claiming to have something that the users want. If you filled out the information and created your own username and password on their site, which was mandatory, they then asked what site you came from, i.e. Facebook. I didn’t follow through, but I can imagine that if I had put in a standard password that I use, then next my Facebook account would be hacked.
It’s best practice to have different passwords for different websites, though in this day and age, it’s almost impossible. The next best thing you can do is to have different passwords for different types of sites. For example:
- Password 1: Used only for financial sites. Financial sites most often protect their users’ passwords by hashing them. Hashing is a "non-reversible" (one-way) function, often loosely called one-way encryption (it can still be compromised, but it is not easy by any means… see "brute force"). If you lose your password to a site that is hashing your password, you will have to create a new one, since password recovery is not an option. These are the safest sites, as even the software engineers and administrators can’t view your password. This should also be your most complex password, using upper and lowercase alpha, numeric, and special characters. Want to be REALLY secure? Come up with a password that uses all of the above and is a minimum of 16 characters long. A pass-phrase can help, replacing some alpha characters with numeric or special characters: "Th15 Is @ $tr0n6 P@$$w0rd." Oh, and did I mention that you can also include spaces? Brute force against long, complex passwords with spaces is about as difficult as it gets.
- Password 2: Sites that are trusted but do not hash your password. These are sites where, if you click on the "forgot password" link, they will email your password to you or show it to you on-screen. These sites are not very secure, in that your password can be viewed by anyone who has direct access to the database in which your password is stored. Some of these sites DO encrypt passwords, but the encryption is reversible, which means a programmer could extract the data. Most companies will attempt to protect your personally identifiable information by encrypting it, thereby lowering their liability, but reversible encryption is still a flawed security measure in my opinion.
- Password 3: A junk password that you use for sites that you really don’t trust, don’t care about, and will likely never visit again. Frankly, if you don’t trust a site, don’t care about it, and will likely never visit it again, it’s probably best to just not create an account, or you may be subjecting yourself to someone’s SPAM list as well.
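To make the Password 1 vs. Password 2 distinction concrete, here is an added example (my own illustration, not code from any site mentioned above) of what a site that hashes passwords actually stores: a salted PBKDF2 digest that lets the site verify a login but never recover the password, which is exactly why such a site can only reset a forgotten password instead of emailing it back. It also estimates the brute-force search space of the post’s pass-phrase against a short password; the user name and the short comparison password are constructed.

```python
import hashlib
import hmac
import math
import os
import string
from typing import Optional

# The pass-phrase from the post and a constructed weak password for comparison.
PASSPHRASE = "Th15 Is @ $tr0n6 P@$$w0rd."
WEAK_PASSWORD = "Password1"  # constructed sample


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Return a non-reversible record: algorithm, iteration count, random salt, digest.

    Only this string is stored. The password itself is never written down, so a
    "forgot password" flow on such a site can only reset the password, not reveal it.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh per-user salt: identical passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and parameters; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def search_space_bits(password: str) -> float:
    """Rough brute-force cost in bits: length * log2(alphabet of the character classes used).

    Models an attacker who knows which classes appear but must try every combination;
    it ignores dictionary and leet-speak shortcuts, so treat it as an upper bound.
    """
    classes = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
               (string.digits, 10), (string.punctuation, 32), (" ", 1)]
    alphabet = sum(size for chars, size in classes if any(c in chars for c in password))
    return len(password) * math.log2(alphabet)


if __name__ == "__main__":
    record = hash_password(PASSPHRASE)
    print("stored:", record)
    print("login ok:", verify_password(PASSPHRASE, record))
    print(f"pass-phrase: {search_space_bits(PASSPHRASE):.0f} bits, "
          f"short password: {search_space_bits(WEAK_PASSWORD):.0f} bits")
```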
ALSO, a rule of thumb when signing up for an account on a site that you do not trust, or any other site for that matter: NEVER, EVER, EVER, EVEREVEREVEREVEREVER use a password or username that you have associated with an account that you do care about. For example, never use the password for your email account when creating a new account on a site. That site most likely asked you for your email address and will therefore have complete, unadulterated access to your mailbox, which is a great place to send SPAM from, and there’s no one to blame but you.
If you do decide to use separate passwords for separate sites, come up with a pass-phrase that you will remember, that directly relates to content on the site, and that follows complex password rules plus rules that you set for yourself, like putting special characters in word one, numbers in word two, and so on. This is, by far, the method that will protect your passwords the most. If one password is compromised, it means nothing to the rest of your passwords. Keep in mind that any good site that asks you to create a password provides a means to recover it, or at least reset it, if you forget what it is.
Finally, I’ll say that most reputable sites switch to a secure connection to authenticate you. This means that when you are on a login page, any page asking for your password, or any page asking for any other personal information, you will see HTTPS in the address bar.
Cell Phone Number.
When looking for something on a site, and the site asks you for your cell phone number, unless you trust the site, treat it as someone trying to steal from you. What most people don’t know and fail to realize is that there is usually a ton of small print on those sites (that we are trained and accustomed to ignoring), usually telling you that you are signing up for a service that costs you money every month until canceled. Oh, did I mention that most likely they will NOT let you cancel, and you’ll be calling your cell phone company every month to get the charges reversed?
The simplest protection for you is to have more than one email address. With Hotmail, Gmail, Yahoo, etc., it takes very little effort to open a new email account. This second email account, usually referred to as a SPAM account, is exactly that. When some site asks you for your email address for no good reason, or some retail site that you know is going to send you things that you’re not interested in, put in this address. Check it when you want to, need to, don’t have anything better to do, or never (well, try to check it every six months or the email provider might wipe your account). Every time you look in there, you will be pleased that you don’t have to wade through all of this stuff just to see what your family and friends might have sent you. Consider it no different than giving a stranger on the street the wrong name if asked.
Oh, and if you go with a lesser-known email provider, be sure not to give them any personal information, and don’t use any of your secure passwords.
Treat your time on the Internet as if you are walking down the street. You wouldn’t answer personal questions if I were to just stop you and ask, would you? You wouldn’t walk into a "shady" looking store… unless you were looking to be shady ;). And last but not least, if I told you to let me hold your wallet, promising that if you changed your mind I’d give it back without taking anything out of it, I’d hope that you’d tell me to "Go to hell," and give me directions to get there.
Protect yourself at all times. It’s a jungle, mostly friendly, but there are always predators lurking about. You don’t have to be paranoid, but just remember, the Internet is public. Don’t play with your identity or pocketbook. On the Internet, the neighborhood that you’re playing in can change with a mouse-click from safe to unsafe. Always keep in mind that if something feels wrong, it usually is.
If this blog entry helps even ONE person out there avoid a hack or phishing scam, it was well worth the time and effort that went into writing it. Also, please feel free to leave comments with questions, additions to this blog entry, etc., and recommend it to anyone you know that might need a few tips in Online Security.