Online Security Tips

I thought I would write up a small guide on securing your online accounts, since an increasing number of people have had their accounts compromised recently. I'll try to cover the main things to keep an eye on in your accounts: your password, password recovery options, and two-factor authentication.

Choosing good passwords (How not to get pwned)

With modern GPUs and software like oclHashcat or the older John the Ripper, a text-only password under 8 characters can be cracked relatively quickly. Like really quick, actually. This means you should use a complex password. What is a complex password? It should be over 8 characters long and contain a mix of letters, numbers, and special characters (!@#$%...), with some upper and lower case thrown in as well. Remember that the longer the complex password, the better.

Use Two Factor Passwords when Available

A lot of modern websites allow you to use two factor passwords on your account. This is a combination of a password you know and a token or device that gives you a second, random, one-time-use password that you also need to log in. Both Google / Gmail and Facebook allow you to use two factor passwords with your phone as the device that generates the random one-time password.

Two factor passwords are stronger because if someone gains just your password, they still can't log in unless they also have your phone or other token-generating device.

Choose Strong Password Recovery Questions

Most websites offer a password recovery option. This is a very common vector of attack, because most people choose poor password recovery questions. Make sure that the answers to your questions cannot easily be found online. Example: Don't use your first street address if you still live at that house. If you Google your name and current or past city together, you will be surprised what information about you is online.

Use Different Passwords for Different Sites
This is pretty simple. Don't use the same password for everything online. If one site gets compromised, whoever compromised it has your password for everything. Use a password vault to keep track of your passwords.

Use a Password Vault
A password vault is a program for your computer or phone that stores all your passwords, usernames, and other info in an encrypted file. Some password vaults store info on your local machine; others are an online service. Most password vaults can also generate random passwords for you.

Here are a few of the more popular password safes:
LastPass:
Password Safe:

Audit All of Your Online Accounts New and Old
Another important step is to make a list of all your online accounts, new and old. Next, make sure that any accounts you no longer use are deleted or disabled. Sometimes forums don't allow you to delete your account. In that case, delete all the info about yourself that you can and change the password. Note it in your audit list or password safe.

Browser Security
Finally, make sure that the browser you are using to view the web is up to date. If you are using a modern browser that allows plugins, like Chrome or Firefox, I recommend the following:

AdBlock / AdBlock+
Blocks advertisements on websites and in YouTube videos. Cleans up webpages nicely.

Ghostery
Ghostery disables tracking cookies and shows you what ad networks websites use when you view them, and what they are communicating with. Very neat and helps keep your browsing more anonymous.

NotScript / NoScript
This plugin disables Java / Flash / other scripts so that nothing runs without your permission. It may take a bit to tune it to your needs, but it really increases security by preventing potentially harmful scripts from running.

Good Reference Info

Gmail Security Checklist

How to Backup Google Account Data:

