It may look like this all has to do with your password, but that s not the only factor to worry about.

Transcription

1 Account Security One of the easiest ways to lose control of private information is to use poor safeguards on internet accounts like web-based , online banking and social media (Facebook, Twitter). People make mistakes such as: Using the same password in multiple sites Using an easy to crack password Making it was for someone to guess your password, or reset it against your will. It may look like this all has to do with your password, but that s not the only factor to worry about. How Do Accounts Get Hacked? There are four basic ways for someone to break into your account: Password Cracking Software: A hacker employs software to keep trying to log in until it succeeds. Strong passwords help protect against this. Phishing: A hacker employs a deceptive or website to get you to enter your login information. Never enter your login information after clicking a link in an , and always double check to see if you re signing into to the site you recognize. Look for typos in the site and its web address and other things that look out of the ordinary. Human Cracking: A human being guesses the password, or tricks an administrator or service provider into granting access. This is especially common when the perpetrator is someone the victim knows, such as a (supposed) friend, partner or family member. Properly storing passwords, making them hard to guess, and lying in your security questions all help protect against this. Site Hack: Hackers invade the site or service and get a list of usernames, passwords, or both. The perpetrators may break into your account themselves, or share the information with a third party. The only way you can minimize risk is to stick to online accounts with reputable sites and services. Convenience versus Security These days, we may have over a dozen online accounts for different things, and by looking for an easy way to manage them all, we may end up making our accounts easy to break into. It may be convenient to use the same password for everything, but it isn t secure. You may have to sacrifice some convenience to protect your accounts, but you can make things easier by following the advice in this document. The more of this advice you use, the better protected you ll be. Risk Factors Poor management of your account creates risk factors. The more of these you have, the easier it will be to break into your account. Public Username: You posted your address or username online. Sometimes this is unavoidable people need to know your address to contact you, and some services (such

2 as blogging) put your username in an obvious place, such as the web address you re using. In general, you should avoid letting anyone know what your username is. Weak Password: If your password is too short, too common or otherwise weak, it s easier to hack. Repeated Password: If you use the same password for multiple sites, cracking one lets hackers crack the rest. Guessable Password/Security Question: If your password or any answers to security questions relate to something people know about you, someone might guess them. Sharing: If you share passwords or account access, you greatly increase the chance of your account being hacked. Adults should never share online accounts. Insecure Record: If you leave a note at your desk that lists your password, guests and intruders can find and use it. Protecting Your Login While some attacks may select your account at random, others target it when you make hackers aware of your account s existence, or a possible vulnerability. Here s what you can do to protect yourself: Lie for Security Questions: Many accounts ask for the answer to a question in case you lose your password and need to reset it, or as an additional factor to add security. Unfortunately, it might be easy for people who know you or spy on you online to guess the answers. For example, if you mention your brother s name on Twitter, a hacker will know what to say if the question asks for that name. The best solution is to lie about these answers, as long as the lie is something easy for you to remember. If your mother s maiden name is Jones, you might decide to always say it is Smith instead. Avoid Posting Your Username/ People and automated services may both find your username by looking it up online. Some programs grab every address they come across. Avoid letting anyone know what your username or address except in non-public postings. If you must post your address, don t write it as example@example.com. Type example (at) example (dot) com or something similar instead. Use Separate Accounts for and Sign Ups: If you use one account for everything, someone who breaks into that account may be able to break into others. Consider signing up for a separate account to manage accounts for services such as Facebook. Never post the address of or send from this account. For extra caution, use a third account exclusively for financial services such as online banking. Again, never post the address of or send from this account. Never Sign in to an Account through a Link: Phishing designed to steal your login information will often ask you to click a link to log in. Phishing will often look like from the real site or service. Always go to the site you want to sign into separately, without clicking the link. Do Not Let Web Browsers Remember Your Login or Stay Logged on Unless It s After You Log In to a Computer: All major web browsers give you the option to remember your login, and many services allow you to stay permanently logged on. You should never allow this except on

3 computers user accounts that only you may log into, such as a Windows or Mac login. This login should require a password. Strong Passwords A strong password is critically important. Many sites will no longer let you use weak passwords. The rules for what type of password can be used varies from one site or service to the next, but a strong password always combines two things: Length: The longer the password, the stronger it is. For example, largepillowmanatee2 is better than largepillow2. Complexity: The less it resembles common words, phrases and sets of numbers, the more complex it is. (l)a{r}g[e]p<i>l(l)o{w}2 is better than largepillow. In addition, you should never use the same password in more than one place. Sites will often ask you to use numbers, capital letters and small letters. Do so! In addition, you should use the following guidelines: Make them at least eight characters, preferably more. Do not use any words or information that can be guessed about you, such as a pet, hobby or relative s name. Do not re-use passwords from other sites or services. Using Password Rules to Make Strong Passwords Unfortunately, it may be difficult to think up and remember passwords that are long or complicated enough. One way to get around this is to come up with a set of personal rules you make up for generating passwords. It works like this: 1. Think of two or more root words you ll use. These should be unusual words that cannot be guessed and are not always used together. You will change these words from one password to the next, though you might always decide, say, to combine a food and a vehicle. Example: bacontractor 2. Come up with a rule that changes these words. Examples: Surround every other letter with brackets, starting from the top of the keyboard and work your way down. Result: bacontractor turns into b(a)c{o}n[t]r<a>c(t)o{r}. Add an increasing multiple of 3, starting with 3, after every two letters. Result: bacontractor turns into ba3co6tr9act12or Capitalize every vowel. Result: bacontractor becomes bacontractor. 3. If your rule would not provide a capital letter or number make up a rule to add them, but do not put the capital letter at the beginning or assign the number 1. Example: I might always capitalize the third letter and add 23 before the last letter in my words. 4. Apply one or more rules to the word, making sure you have capital letters and numbers, as noted. So taken together, here s how I might create different passwords: 1. I decide to follow the food + vehicle rule to make up words. I come up with:

4 fishsedan chipsplane burgersled 2. I decide I will always capitalize the last letter of my word and put the number 52 right before it. 3. I make a rule saying that I will add a symbol from SHIFT + the top number row, working back from 0 (running through )(*&^%$#@!) after every second character. 4. After applying these rules to my words, I get the following passwords: Facebook: fi)sh(se*da&52^n Twitter: ch)ip(sp*la&n5^2e bu)ur(ge*rs&le^52%d All I need to do is remember the words and the rules, and I can make very strong passwords, as long as I don t write the words or rules down. Using a Password Manager Password managers (also called password lockers) are programs and services that collect all of your passwords in one place. The password manager submits your login information for you. Instead of memorizing many passwords, you just need to enter one into the password manager. This way, you can create secure passwords for each account without worrying about memorizing them. All you need to do is to log in to the password manager itself. There are some drawbacks, however: You must make sure the password manager s password is secure, and that you don t forget it. If someone guesses that password, they can get into everything. Your password manager only works when you can get to it. On a different computer you may have to log in normally, which means you ll still need to remember your password. Some password managers now operate in the cloud, which means you can sign in to them from any computer, which then grabs your login information from an internet server. Two Factor Authentication Two factor authentication is a service that sends a one-time code you need to enter in addition to your password. Some services like Gmail offer this for free. Otherwise, some software can add this feature for you. Two factor authentication can take many forms. Gmail s version sends you a text message with an extra code to enter. You may want to use two factor authentication for a few very important accounts, but not bother with it for less important things. It s inconvenient, but makes your account more secure. Changing Your Passwords If you ever suspect in the slightest that an account has been hacked or password discovered, change your password immediately! Hackers typically exploit stolen logins right away, so you should fix the problem as soon as possible. The new password should be as different from the old one as possible. In addition, some services, workplaces and other organizations ask that you change your password regularly. This will normally be asked automatically, through security policies. You may wish to do

5 something similar for important personal accounts, changing passwords every few months. In any event, this is no substitute for using a strong password and taking other steps to keep your accounts secure.