By Joel Don
Earlier this year, hackers broke into LinkedIn and made public more than 6 million passwords. Including mine. Welcome to my (very personal) war with online security and some tips on how you can protect yourself from the sometimes Jurassic practices of high-powered Internet entrepreneurs and coding geniuses.
If social media behemoths such as LinkedIn can’t protect your double secret login credentials, should you be worried about security when you register with a new, gotta-have website or social media service? In my experience the answer is: probably. Not too long ago, Mark Zuckerberg’s Facebook account was hacked as a result of lax security protocols. Since major league players such as LinkedIn and Facebook don’t always get it right (by failing to stay current with security best practices), what about smaller social sites and new purveyors of all manner of widgets, plug-ins and add-ons?
Let’s start with your first point of contact with a new website or online tool: registration. Do you see “https” (vs http) in the website URL? If not, technically anything you type is being transmitted in clear, unencrypted text. The Facebook hack apparently was the result of an off-the-shelf eavesdropping browser add-on that can monitor unencrypted traffic at public Wi-Fi hotspots. Lesson: while you are sipping your triple-shot non-fat latte and listening to some cool Benny Golson riffs at your local java shop, the person sitting on the comfy leather couch might be siphoning your keystrokes.
My all-time favorite website security gaffe is the new user registration or password reset confirmation email fail. When you register at a site or request a password reset and the response is to email your username and/or password, you might as well have tweeted your login information to the world. Unless email is sent in an encrypted format, as it passes from server to server around the globe it can be read by hackers using server “sniffer” apps. OK, the chances might be considered remote, but remember that it has been well-reported that the U.S. government is already an active consumer of private emails. If the government is reading your stuff, so can the hackers.
Since you can’t ultimately trust a website or online service provider with your security, here are six steps to help you deal with the not-so-best-efforts of website designers and application developers:
1) New user or website registration. Unfortunately most sites use your email address as the username or user ID. Since email addresses are not generally private or hidden, that means half of your login credentials are public. Solution: For relatively low cost, you can purchase a domain or use one that you already own to set up a unique forwarding email address for each site registration. For example, for your Twitter account you might have a user ID/email address such as twitter@mydomain.com that automatically forwards all mail to your main working email address. If a site or service is hacked or your email address is sold to a spam list, you can easily trace the source of spam and crush the email assault by simply creating a new forwarding address for the site or service. Yes, this does take a bit of extra work to create the address for each account, but through my service with GoDaddy I can create a new forwarding address in less than a minute and register at a site in no time. If you don’t own any domains or have an email hosting provider, you can create accounts at Hotmail or Yahoo, though that process certainly will be more time-consuming.
2) Test site security protocols before using a super-secret password. When you register at a new site or service, use a throwaway password on initial setup. If the site sends you an email notice confirming your username and password in plain, unencrypted text, the security red flag goes up: that’s a crummy, outdated practice. Use the “forgot password” function to reset your password. If the site again emails you a confirmation displaying your old and/or new password, run away from that site or send a note to the owner telling why you are taking your business elsewhere. If the site passes the test, then go ahead and change to a preferred strong password. Optionally, if it’s a must-have site or service with lax security, create a unique password only for use at that site. For example, after my LinkedIn experience, I did just that – just in case they didn’t get it right. LinkedIn and a few other sites are on my blacklist until I see enough evidence over time that security is up to current standards.
3) One password fits all, or unique password for every site? Security experts advise that you should create a unique password for every site. My response: get real. I register at hundreds of sites and managing a huge password list can be a chore. Another approach is to adopt a tiered password approach. For established financial institutions, brokerages and domain/hosting companies that are hyper-sensitive about security, use a very strong password and take advantage of the fact that most sites that manage money or your online domains enable the user to create a unique username or user ID, rather than using your email address. That’s strong binary security: create a unique/complex username coupled with a super-strong password. Double whammy. Second-tier sites such as Facebook, Twitter and LinkedIn get strong passwords and unique email addresses. For third-tier sites and services, security practices can run from good to mediocre to questionable. Don’t use your special passwords until you know whether the site owner spent a fortune on decent security protocols.
4) Make your passwords eat lots of spinach. There are plenty of sites and applications that will generate complex passwords for you. If you want to test your password, try this site to see how long it would take a PC to crack it open. The secondary part of passwords is storage. There are many password management applications with all kinds of features and capabilities. The main concern is the encryption level of the saved password database. You don’t have to get geeky about it. Just know that 128-bit file encryption is good, 256-bit AES encryption is better. If you use an app to save your password, determine the encryption level and use a very strong password to protect that file.
5) Sharing login credentials. From time to time, you may need to share or give login credentials to a colleague or friend. Never, ever send that information in an unencrypted email. A safer method is to email the username or user ID, and then phone or text message the password, i.e., separating the transmission pathways for the two pieces of your binary login credentials.
6) Firefox plays with fire. Since I am browser agnostic, I enjoy using a variety of products for surfing the Web, including Firefox. If you use Firefox and have not changed any of the default security configuration settings from the menu bar, I recommend that you click “Tools,” “Options,” “Security.” If the option to remember passwords for sites is checked (the default), click the button “Saved Passwords” and then the button marked “Show Passwords” (lower right). Surprise! Any unattended computer running Firefox without the deployment of the Master Password feature is a dream come true for anyone with malicious intent. Use the Master Password or take your chances.
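The “how long would it take to crack it” estimate from point 4, combined with the password tiers from point 3, as an added Python example that is not from the post or from any password-checking site it mentions. The guess rates and the per-tier bit thresholds are constructed assumptions; the post names the tiers but gives no numbers.

```python
import math
import string

# Constructed guess rates (orders of magnitude for illustration only, not
# figures from the post): a throttled online login form versus an offline
# attack on a leaked, fast-hashed password database.
GUESS_RATES = {
    "online form": 1e2,
    "offline fast hash": 1e10,
}

# Hypothetical minimum entropy per tier, in bits (assumed thresholds).
TIER_MIN_BITS = {"financial": 80, "social": 60, "throwaway": 30}

_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
            string.digits, string.punctuation)


def charset_size(password: str) -> int:
    """Alphabet an attacker must search, inferred from the character
    classes the password actually uses."""
    size = sum(len(cls) for cls in _CLASSES if any(c in cls for c in password))
    # Spaces or non-ASCII characters widen the alphabet; 32 extra symbols
    # is a rough allowance, not a standard.
    if any(c not in "".join(_CLASSES) for c in password):
        size += 32
    return size


def entropy_bits(password: str) -> float:
    """Brute-force entropy, length * log2(alphabet). Dictionary words and
    patterns score lower in practice, so treat this as an upper bound."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def crack_seconds(password: str, guesses_per_second: float) -> float:
    """Expected exhaustive-search time; on average the attacker covers half
    the keyspace before hitting the password."""
    return charset_size(password) ** len(password) / 2 / guesses_per_second


def meets_tier(password: str, tier: str) -> bool:
    return entropy_bits(password) >= TIER_MIN_BITS[tier]


def report(password: str) -> dict:
    """Summary a user could read before deciding which tier a password fits."""
    return {
        "bits": round(entropy_bits(password), 1),
        "tiers_ok": [t for t in TIER_MIN_BITS if meets_tier(password, t)],
        **{f"seconds ({name})": crack_seconds(password, rate)
           for name, rate in GUESS_RATES.items()},
    }


if __name__ == "__main__":
    for pw in ("linkedin", "Tr0ub4dor&3", "correct horse battery staple"):
        print(pw, report(pw))
```

Run it on the three sample passwords to see why an all-lowercase word is cracked offline in seconds while a long passphrase clears even the financial tier.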
These are just a few ways you can protect your online security. What steps or approaches have you taken to sleep well at night?
About Joel Don -
Joel is principal of Comm Strategies, a consultancy that leverages public relations strategies, reputation enhancement tactics and social media tools to maximize business success. Joel has worked for several PR and marketing agencies, and previously served as a public information officer at UCLA and UC Irvine. He also directed business and financial communications at a Fortune 500 computer manufacturer. Formally trained as a journalist, he has written for daily newspapers and national magazines throughout the country. In addition, Joel developed a digital solution for measuring the readership of company news prior to the advent of today’s link-tracking systems.