A Few Tips For Your Online Security
The frequency of web sites, e-mail accounts, and domain names getting stolen seems to be increasing among my circle of acquaintances. These instances have led to defacement of people’s blogs and, much worse, identity theft. It’s an ugly business, but a serious one: hacking has become a billion-dollar business for cyber criminals, and it typically starts with an exposed target like your e-mail address. Social engineering, phishing, and brute-force attacks are the most common ways of getting hold of your personal account information. That being said, if you have a presence online you should spend a few minutes getting familiar with securing the basics, or else risk the hours and days of struggling to reclaim what was stolen.
Below are some tips that, if applied, can make it much harder for online criminals to affect you.
1. SECURE YOUR E-MAIL ACCOUNT
Most hacks that affect your other online accounts, such as banking, social sites, and web sites, start with your e-mail account. An e-mail address is required not only to verify who you are in many cases but also to reset passwords to those other accounts. Thankfully some sites require the old password when attempting to reset one’s password, but that’s hardly enough. Google and Yahoo! offer two-factor authentication – something you know (a password) and something you own (typically a physical device, like your mobile phone) – which limits access to the specific computers you trust. If Google or Yahoo! considers the activity suspicious, the access can be challenged with additional questions or steps to confirm the user is actually you.
Microsoft foolishly doesn’t offer such robust multi-factor verification for Hotmail, but they do have Single-Use Codes, which are one-time passwords designed to be used on public computers. One-time passwords won’t help against the kind of intrusions that generally affect people’s e-mail accounts, so if you’re a Hotmail user I recommend switching to Google or Yahoo! Mail. Hope you’re reading this, Microsoft.
2. USE COMPLEX PASSWORDS
There are applications undoubtedly banging on your accounts as you read this. The question is whether such an application can deduce your password almost instantly. Chances are, yes. Here’s a fun series of tables to help explain why simple passwords of numbers, letters, or numbers + letters just won’t do.
Yes, I love this scene too, but it has truth to it. According to security firms in 2010, the most popular password out there is actually 123456, with 12345 being the second most popular – no joke. To keep this simple, consider something or someone you know well and come up with a crafty password that mixes letters and numbers, both lower and uppercase. Special characters like asterisks and exclamation marks can help as well if they’re allowed by the site in question. The longer the password, the more secure it will be. Try for at least eight characters, if possible – something like S!ngm3@$ong!, which is actually 12 characters, but you get my point. Dictionary attacks can guess words and assist in the cracking process, so a password like the example above would be extremely difficult to guess while still resembling a phrase that isn’t hard to remember.
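The series of tables referred to above did not survive as text, so here is an added example (not part of the original post) that recomputes them: worst-case exhaustive-search time for each character class the post compares, at a constructed rate of one billion guesses per second, plus a check of which classes the S!ngm3@$ong! example actually draws from.

```python
import string

# Character classes the post compares: numbers, letters, numbers + letters,
# and the same with special characters added (string.punctuation has 32).
CHARSETS = {
    "digits": string.digits,
    "lowercase letters": string.ascii_lowercase,
    "lowercase + digits": string.ascii_lowercase + string.digits,
    "mixed case + digits": string.ascii_letters + string.digits,
    "mixed case + digits + symbols": string.ascii_letters + string.digits + string.punctuation,
}

# Assumed attacker speed (constructed): one billion guesses per second, i.e. offline
# cracking of a leaked hash; guessing against a live login form is far slower.
GUESSES_PER_SECOND = 1e9

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length

def worst_case_seconds(alphabet_size: int, length: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Seconds needed to try every password in the keyspace at `rate` guesses/second."""
    return keyspace(alphabet_size, length) / rate

def human_time(seconds: float) -> str:
    """Express a duration in the largest unit that fits (years, days, ...)."""
    units = (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"

def classes_in(password: str) -> set:
    """Which character classes a given password actually draws from."""
    tests = (("digits", str.isdigit), ("lowercase", str.islower), ("uppercase", str.isupper))
    found = set()
    for ch in password:
        found.add(next((name for name, test in tests if test(ch)), "symbols"))
    return found

def brute_force_table(lengths=(6, 8, 12)) -> dict:
    """{charset name: {length: worst-case seconds}}, i.e. the post's tables."""
    return {name: {n: worst_case_seconds(len(cs), n) for n in lengths}
            for name, cs in CHARSETS.items()}

if __name__ == "__main__":
    for name, row in brute_force_table().items():
        cells = "  ".join(f"{n} chars: {human_time(t)}" for n, t in row.items())
        print(f"{name:30} {cells}")
    print("S!ngm3@$ong! draws from:", sorted(classes_in("S!ngm3@$ong!")))
```

Moving from digits-only to all four classes at the same length multiplies the keyspace by (94/10)^length, which is why the post's advice to mix classes and add length matters more than any single clever substitution.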
3. USE DIFFERENT PASSWORDS (AND USERNAMES IF POSSIBLE) FOR DIFFERENT SITES
I can’t stress this one enough. Yes, it’s a pain to remember a password for each site you visit, but it’s a necessary evil to help isolate the damage done by a criminal if he/she does manage to get access to, say, your e-mail account containing past e-mails from your bank. Before you can say oh…shitttt, he/she is already trying to access your Citi Bank account with the same credentials used moments ago. To make sure your most critical online sites, like your banking services, are properly protected, make sure they require a unique username other than your e-mail address, as well as your existing password whenever a password change is requested.
4. DON’T SHARE YOUR PASSWORD OR PERSONAL INFORMATION
This sounds obvious, but bear with me, because I’m not talking about sharing as if it were your favorite dog photo on Facebook. I’m talking about phishing scams that attempt to fool you into providing your login info or enough personal information to deduce it. Typically in the form of an e-mail, fakers posing as administrators at Amazon, eBay, Facebook, Citi Bank, etc. either ask you to reply with your personal information or, in many cases, to click on a link to their site. These sites look just like eBay, with fields to log into your account, only they are also fake and the login info is sent directly to the scam artists. I know someone who fell for this, and within minutes his eBay login was changed and a $20,000 item was up for sale. Some of these scams can be very crafty and well done, so if you have a hard time determining the nature of the request, just visit the site manually yourself and/or call the site’s customer service to verify its legitimacy.
5. CHANGE YOUR PASSWORDS REGULARLY
I know, I know – I hate it too. You’ve got a grip on all those different passwords for different sites. This step makes it much harder for someone to deduce your password. I change my passwords every three months. Take another look at that fun series of tables I mentioned earlier and you’ll see why changing your passwords every few months is a good idea.
If you’re running a WordPress site, I’ll be writing a follow-up on protecting it. The steps above are related, so if you’re already doing them you’re off to a good start.