Tuesday, January 06, 2009

Being Security Conscious Online

I'm working on my next client newsletter and will be writing about security online. The newsletter isn't actually due out for another 2 weeks so I wanted to share some thoughts here beforehand.

There are a few common mistakes I see many people make when it comes to online security. All of these are things that have caused problems for friends, clients and associates.

1. Using the same password at more than one site

Hacking and phishing scams are nothing new. The recent Twitter issues showed what can happen and how difficult it can be to contain them. If you use the same password across multiple sites and even one of those sites is compromised, that one password now opens every other account where you reused it.

Consider this: if someone knows what your email address is, your common password, what user name you may be using at other sites, what industry you work in, maybe even where you work... what else could they potentially get access to?

Solutions:

A. Ideal - create a totally random password for each site you visit, made up of letters and numbers with a mix of upper and lower case. Use an entirely different email address for each site that you need log-on credentials with. (If you have your own domain, this is easily done with a catch-all POP account: anything@yourdomain.com lands in the one mailbox, so you can hand each site its own address.)

B. Next best - use some kind of common format for password creation based on the site you are joining, so you don't have to remember or record the details for each site. Be aware that this is weaker than A: if one of these passwords leaks along with the site it was used on, anyone who spots the pattern can work out the others. Again, use an email address specific to each site that you need log-on credentials with, for example blogger@yourdomain.com.

C. Finally - if you don't want to deal with so many different passwords, at the very least make sure that your crucial passwords (your email account, bank and other financial accounts, and so on) are different from all the others.

2. Password reset information should be known only to you.

Many sites these days allow you to reset a password if you know a bit of information about the user. Sometimes knowing your country and birthdate is enough to reset a password. Before you join a new site, have a look at what its procedure is for resetting a password. Then make sure whatever information you give it is something you can remember but no one else can guess. The answers do not have to be true, only something you will remember.
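To make the difference between solutions A and B under point 1 (and the reset-answer advice in point 2) concrete, here is an added Python example that is not part of the original post. random_password() uses the secrets module (a CSPRNG; the random module is not suitable) to generate a password guaranteed to mix upper case, lower case and digits, which also works for security question answers you don't intend to be true. pattern_password() is a hypothetical example of a solution-B scheme, and guess_from_leak() shows what an attacker who sees one leaked password can do with it. derived_password() is an alternative to B that the post doesn't mention: a keyed hash of the site name under a master secret (the same idea as the PwdHash browser extension), where one leaked output gives away neither the master nor any other site's password. All function names, the pattern scheme and the sample master secret are assumptions.

```python
"""Per-site passwords: random (solution A), pattern-derived (solution B, weak)
and keyed-hash-derived (an alternative to B). Added example, not the post's."""
import base64
import hashlib
import hmac
import secrets
import string
from typing import Optional

ALPHABET = string.ascii_letters + string.digits  # letters and digits only


def has_all_classes(password: str) -> bool:
    """True if the password contains upper case, lower case and a digit."""
    return (any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password))


def random_password(length: int = 16) -> str:
    """Solution A: a fresh random password per site. Uses the secrets module
    (a CSPRNG), never random. Also fine as a made-up security-question answer."""
    if length < 3:
        raise ValueError("need at least three characters to mix all classes")
    while True:  # reject until all three classes are present
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def pattern_password(base: str, site: str) -> str:
    """Solution B as usually practised (hypothetical scheme): a memorable base,
    a separator and the first three letters of the site name."""
    return f"{base}-{site[:3].lower()}"


def guess_from_leak(leaked_password: str, leaked_site: str,
                    target_site: str) -> Optional[str]:
    """Attacker's view of solution B: given one leaked password and the site it
    came from, spot the site token and swap it for another site's."""
    token = leaked_site[:3].lower()
    if token not in leaked_password:
        return None  # no visible pattern, nothing to derive
    return leaked_password.replace(token, target_site[:3].lower())


def derived_password(master: str, site: str, length: int = 16) -> str:
    """Keyed derivation: HMAC-SHA256(master, site). Deterministic, so there is
    nothing to record, but without the master one output reveals nothing about
    the others. A counter is mixed in until all three character classes appear."""
    counter = 0
    while True:
        msg = f"{site.lower()}:{counter}".encode()
        digest = hmac.new(master.encode(), msg, hashlib.sha256).digest()
        # base64 gives letters and digits; drop '+', '/' and '=' which some sites reject
        text = base64.b64encode(digest).decode().translate(str.maketrans("", "", "+/="))
        candidate = text[:length]
        if len(candidate) == length and has_all_classes(candidate):
            return candidate
        counter += 1


if __name__ == "__main__":
    master = "correct horse battery staple"  # assumed master secret
    print("A  random  :", random_password())
    leaked = pattern_password("Hunter2", "twitter")
    print("B  pattern :", leaked, "-> attacker guesses facebook:",
          guess_from_leak(leaked, "twitter", "facebook"))
    print("B' derived :", derived_password(master, "twitter"),
          derived_password(master, "facebook"))
```

The derived form still needs the master secret kept safe and a way to remember any per-site quirks (length limits, forced changes), which is why a random password per site, recorded somewhere safe, remains solution A.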

3. Be careful what information you reveal in public or even privately.

Several months back a young man I know learned the price of sharing too much. He had met an "incredible" woman through one of the social networking sites. They spent a few hours chatting on IM. She asked him loads of questions, seemingly random and in an effort to get to know him. A few days later he found out that domains he owned had been transferred out, financial accounts compromised, and so on. It turned out that by revealing just three pieces of information, he had given her enough to get into his accounts. Ouch. He could have prevented all of this trouble by using different passwords, using different user names at different sites and by using security question answers that HE could remember but that weren't accurate.

2 comments:

Carl Grint said...

one of the benefits of using GMail is the way you can use the + to your username to tag each website you register with, for example username+twitter@gmail.com would end up your Gmail account, and allow you to filter it, add a label or know when someone has been selling your details ;o)
This is especially helpful for those without hosted email which allows either catchall (watch out for spam with that) or adding an email box forwarder for each site you register with (twitter@domain.com for example)
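To show how the tagging Carl describes can be put to use, here is an added Python example (mine, not Carl's or the post author's). It builds per-site addresses, normalises a Gmail address the way Gmail does (dots in the local part are ignored and everything from the + onward is a tag), recognises the catch-all form too (twitter@yourdomain.com, where the whole local part is the tag), and then runs over a few constructed inbound messages to report which site's address each sender used. The mailbox names, domains and messages are all made up. Two caveats not in the comment: some sign-up forms reject a + in the address, and a spammer who strips the tag shows up as an untagged sender, so an untagged hit tells you only that your bare address got out.

```python
"""Per-site email tags: issue them, parse them, attribute inbound senders.
Added example; all addresses and messages below are constructed."""
import re
from typing import Dict, List, Optional, Tuple


def tagged_address(user: str, site: str, domain: str = "gmail.com") -> str:
    """Hand a site its own address, user+site@domain (Gmail plus-addressing)."""
    tag = re.sub(r"[^a-z0-9]", "", site.lower())
    return f"{user}+{tag}@{domain}"


def split_gmail(address: str) -> Tuple[str, Optional[str]]:
    """Return (inbox the mail really lands in, tag or None). Gmail ignores dots
    in the local part and anything from '+' onward, so J.Doe+twitter@gmail.com
    delivers to jdoe@gmail.com."""
    local, _, domain = address.strip().lower().rpartition("@")
    base, _, tag = local.partition("+")
    return f"{base.replace('.', '')}@{domain}", (tag or None)


def site_tag(address: str, gmail_inbox: str,
             catchall_domain: Optional[str] = None) -> Optional[str]:
    """Which per-site tag was this address issued under? None means the bare,
    untagged address was used. Raises ValueError if the address is not ours."""
    inbox, tag = split_gmail(address)
    if inbox == split_gmail(gmail_inbox)[0]:
        return tag
    local, _, domain = address.strip().lower().rpartition("@")
    if catchall_domain and domain == catchall_domain.lower():
        return local  # catch-all domain: the whole local part is the tag
    raise ValueError(f"not one of our addresses: {address}")


# Constructed inbound messages: From and To headers only.
SAMPLE_MESSAGES: List[Dict[str, str]] = [
    {"from": "no-reply@twitter.com",      "to": "jdoe+twitter@gmail.com"},
    {"from": "deals@spammer.example",     "to": "J.Doe+twitter@gmail.com"},
    {"from": "billing@registrar.example", "to": "registrar@yourdomain.com"},
    {"from": "bulk@spammer.example",      "to": "jdoe@gmail.com"},
    {"from": "someone@elsewhere.example", "to": "other.person@gmail.com"},
]


def attribute_senders(messages: List[Dict[str, str]],
                      gmail_inbox: str = "jdoe@gmail.com",
                      catchall_domain: str = "yourdomain.com"
                      ) -> List[Tuple[str, Optional[str]]]:
    """For every message addressed to us, pair the sender with the site tag it
    used. A spammer writing to a site's tag tells you that site leaked or sold
    the address; a spammer writing to the bare address tells you only that."""
    out = []
    for msg in messages:
        try:
            tag = site_tag(msg["to"], gmail_inbox, catchall_domain)
        except ValueError:
            continue  # mis-delivered or not ours, ignore
        out.append((msg["from"], tag))
    return out


if __name__ == "__main__":
    print(tagged_address("jdoe", "Twitter"))
    for sender, tag in attribute_senders(SAMPLE_MESSAGES):
        print(f"{sender:28s} -> {tag or '(untagged)'}")
```

Running it over the constructed messages shows deals@spammer.example writing to the twitter tag (so that address got out via Twitter or whoever they passed it to) while bulk@spammer.example only has the bare address.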

tonychung said...

OMG I think I revealed too much in our chat on Sat night. If I lose all my domain names I know where I'll be looking. LOL!

Thanks so much for the time. I look forward to your continued tweets.

@Carl I did not know about that Gmail feature. Great to know. The only problem then is replying with the same email address format. I haven't found an email client where I can change the From: address dynamically. I once hacked my self-hosted webmail client so the From: field was open text, but can't be bothered to host my own client again.