When you think about it, a username and password are just two strings of characters. A measly handful of letters, numbers and symbols are all that stand between your digital identity and nefarious spammers and phishers, hungry for just a taste of your juicy bits and bytes. While securing your many online accounts may be somewhat inconvenient, weigh that against the inconvenience of losing everything to a hacker who, with little effort, gained access to your personal information and used it to take money from your bank accounts and burn bridges in your name.
The following are just a few steps that you can take with relatively little effort to secure your online accounts and to rest comfortable in the knowledge that your online identity is yours alone.
It is far too common for people to use a single password for all of their major accounts for the sake of mere convenience. Doing so leaves you vulnerable to major breaches in security across your entire online life, especially when you consider the possibility of someone gaining access to your primary email account. Think about it: every time you sign up for a new account anywhere, an email is sent to you. Often these emails lazily include your password in plain text, or at least provide you with the details necessary for resetting or changing your password. With this information your entire online presence is at risk. Everything from your social networking accounts to your work contact list, even your bank account, could be exposed to someone who, thanks to that one convenience, could make use of them for their own dark purposes.
Fortunately, you can protect yourself from these nerdy malcontents. There are simple steps that you can take to secure traffic between you and the servers you frequent, software you can use to store and easily recall complex passwords, even unique secondary devices which facilitate two-factor authentication.
The controversy surrounding Firesheep, a Firefox extension which grants users access to nearby active social networking accounts, recently highlighted the necessity of using secure transmission wherever possible. The extension hijacks unencrypted cookies as they are transmitted across a network. Active Facebook, Twitter and other common site accounts quickly populate in the user’s browser side panel. From there, it is a simple matter of double clicking on one of the accounts to instantly be logged in as that user.
Hijacks such as these can be easily avoided by making use of HTTPS, a secure transmission protocol which combines the normal Hypertext Transfer Protocol with SSL/TLS. By creating a secure channel between your browser and the site's server, network traffic can be encrypted and safely transmitted across unsecured networks for decryption by the trusted host. Both Twitter and Facebook have implemented an option to always connect via HTTPS, which is frustratingly disabled by default. Unfortunately, many other major websites don't even provide the option to securely connect, thus necessitating the use of browser extensions such as HTTPS Everywhere for Firefox, which forces the use of HTTPS wherever possible.
Most modern browsers make it easy to tell when you're connected to HTTPS. Aside from the presence of https:// at the beginning of your current URL, Chrome, Firefox, Internet Explorer and others will change the color of the address bar, or display a padlock to show that your current connection is secure and associated with a verified, trusted site.
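The Firesheep attack above works because session cookies are sent over plain HTTP. As an added example (not from the original post), the small checker below audits a site's response headers for the two settings that close that hole: session cookies marked Secure (never sent unencrypted) and a Strict-Transport-Security header (the browser always upgrades to HTTPS). The header sets are constructed samples, not captured from any real site.

```python
"""Audit HTTP response headers for Firesheep-style cookie exposure.
Sample header lists below are constructed for the demo."""

# Constructed: a site that sets its session cookie with no protection.
WEAK_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session_id=abc123; Path=/"),
]

# Constructed: the same site after hardening.
HARDENED_HEADERS = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session_id=abc123; Path=/; Secure; HttpOnly"),
]


def parse_set_cookie(value):
    """Return (cookie name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def audit_headers(headers):
    """Return a list of findings; an empty list means nothing to fix."""
    findings = []
    has_hsts = any(k.lower() == "strict-transport-security" for k, _ in headers)
    if not has_hsts:
        findings.append("no Strict-Transport-Security header: browser may "
                        "fall back to plain HTTP on later visits")
    for k, v in headers:
        if k.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(v)
        if "secure" not in attrs:
            findings.append(f"cookie {name!r} lacks Secure: it will be sent "
                            "over unencrypted HTTP and can be sniffed")
        if "httponly" not in attrs:
            findings.append(f"cookie {name!r} lacks HttpOnly: page scripts "
                            "can read it")
    return findings


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_headers(hdrs) or ["ok"])
```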
Many see the creation and maintenance of a large list of complex passwords as a chore. The best way to make chores more palatable is to make them easier and more efficient. Password managers can do just that. They remove the necessity of having to remember passwords and allow you to log in with ease, safe in the knowledge that your data is protected by a password as unassailable as a bank vault.
LastPass is a great option for managing your passwords. Once you have created and memorized your master password, every other password you require can either be stored and forgotten about, or generated and forgotten about. Strong password generation is a great feature, allowing you to quickly create a new unique password with little fuss. Once you associate a password with LastPass, logging in is as simple as clicking OK when you note that the fields are adorned with the LastPass logo and have been pre-filled. Accessing passwords that you don't have memorized only requires a quick visit to the LastPass site and logging in with your master password. Using the LastPass extensions available for all of the popular browsers, or even the mobile apps, can speed up this process even further. To top it all off, LastPass is free for the basic features that most users will require, excluding use of the mobile apps and USB two-factor authentication.
1Password provides a similar service to that of LastPass, but primarily utilizes a client application that is installed on your computer. An extra level of security is achieved by storing all of your data locally instead of in the cloud. Portable functionality is supported and enabled through association with a Dropbox account, or by storing a copy of your "agile keychain" on a USB key kept on your person. As far as payment models go, 1Password has chosen a higher up-front cost without a free version, as opposed to the LastPass free entry paired with the option to pay an ongoing fee for premium features.
Google 2-Step Authentication
Earlier this year, Google rolled out their 2-Step Authentication feature to all users. The basic premise of two-factor authentication is that users are required to provide two forms of identification upon login, thus severely limiting the chance of unauthorized account access. Other forms of two-factor authentication rely on the use of an RSA key, a small security token which most commonly relies on the generation of synchronous dynamic passwords: strings of characters which, when entered into a server prompt, are checked for authenticity against an algorithm synchronized with the token.
Google's version simply uses your phone in place of a security token by sending a verification code via SMS or voice message to a predefined phone number. Users are required to log in with their username, password and verification code in order to gain access to their account. If for some reason you are without your phone, a second number is requested during sign-up to be used as a backup. Failing both of those options, a set of ten single-use codes is provided which should be stored somewhere safe.
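To make the "synchronized algorithm" concrete, here is an added example (not Google's or RSA's code) of a time-synchronized one-time password in the style of the synchronous dynamic passwords described above, using the HMAC-based TOTP scheme of RFC 6238. Token and server share a secret and a clock; the server accepts codes from a small window of time steps to tolerate clock drift. The shared secret is a constructed demo value.

```python
"""Time-synchronized one-time passwords (RFC 6238 TOTP).
The token and the server both compute HMAC(secret, time_step) and derive a
short numeric code from it; a code is only valid for its own time step
(plus a small tolerance window), so a sniffed code is useless minutes later."""
import hashlib
import hmac
import struct
import time

STEP = 30          # seconds per time step, the common default
DIGITS = 6         # length of the displayed code
SECRET = b"constructed-demo-secret-not-real"   # constructed, for the demo only


def totp(secret, unix_time, step=STEP, digits=DIGITS):
    """Code the token would display at `unix_time` (RFC 4226 truncation)."""
    counter = int(unix_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(secret, code, unix_time, window=1):
    """Server side: accept the code for the current step or +/- `window`
    steps, so a slightly drifted token clock still works. Every candidate
    is compared in constant time; the loop does not exit early."""
    ok = False
    for k in range(-window, window + 1):
        candidate = totp(secret, unix_time + k * STEP)
        ok |= hmac.compare_digest(candidate, code)
    return ok


if __name__ == "__main__":
    now = time.time()
    code = totp(SECRET, now)
    print("token shows:", code, "server accepts:", verify(SECRET, code, now))
```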
For applications that aren’t set up to prompt for 2-Step Authentication verification codes, users can generate application specific passwords which are displayed once, then hidden forever. Upon generation, the user is asked to name the application that the password is to be associated with. These passwords will work indefinitely, until the user manually revokes an application’s password from their Google account.
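The properties of application-specific passwords listed above (generated for a named application, shown once, then usable until revoked) map onto a small store like the following. This is an added example and not Google's implementation; the 16-lowercase-letter format, the class name and the hashing parameters are assumptions.

```python
"""Application-specific password store: generate once, show once, keep only
a salted hash, revoke by the name the user gave the application.
Class name, password format and PBKDF2 parameters are assumptions."""
import hashlib
import hmac
import os
import secrets
import string

ALPHABET = string.ascii_lowercase   # assumed format: 16 lowercase letters
LENGTH = 16


class AppPasswordStore:
    def __init__(self):
        self._entries = {}          # app name -> (salt, pbkdf2 digest)

    @staticmethod
    def _hash(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def create(self, app_name):
        """Return the plaintext exactly once; only its hash is retained."""
        if app_name in self._entries:
            raise ValueError("name already in use; revoke it first")
        password = "".join(secrets.choice(ALPHABET) for _ in range(LENGTH))
        salt = os.urandom(16)
        self._entries[app_name] = (salt, self._hash(salt, password))
        return password

    def verify(self, candidate):
        """Check a login attempt against every live app password.
        Returns the matching application's name, or None."""
        for app_name, (salt, digest) in self._entries.items():
            if hmac.compare_digest(digest, self._hash(salt, candidate)):
                return app_name
        return None

    def revoke(self, app_name):
        """Drop the entry; the password stops working immediately."""
        return self._entries.pop(app_name, None) is not None


if __name__ == "__main__":
    store = AppPasswordStore()
    shown_once = store.create("mail client")
    print("accepted for:", store.verify(shown_once))
    store.revoke("mail client")
    print("after revoke:", store.verify(shown_once))
```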
This sort of authentication is rock solid. Not only would a would-be data thief need to have acquired or guessed your password, but they would also need your phone in order to gain access to your account. If your Google account is your primary point of contact for email, you really should consider turning on 2-step authentication.
Finally, a few tips for keeping your information private on the largest public network in the world.
Don't put anything on the Internet that you wouldn't be OK with the world knowing someday
It should go without saying that once something is publicly available on the Internet, it is very difficult to make private again. If you're unsure whether a piece of very private information can be safely stored or transmitted via a web-based service, think seriously about not putting it there at all.
Never share your password with anyone
It might sound paranoid, but even sharing your password with a trusted friend or partner is a risky move. Relationships change, and small liberties taken with privileged access can easily become large breaches of trust before either party even realizes the scale of the intrusion. If you absolutely must give someone your password, change it as soon as humanly possible, especially if you are guilty of using the same password for multiple accounts.
Use strong passwords, smartly
As covered above and by Matt Braga in a previous post, strong passwords can add orders of magnitude to the time it takes for your accounts to be cracked by brute force attacks. And a strong password doesn't have to be difficult to remember, either, as illustrated by this XKCD comic.
Change your passwords at the slightest hint of a security breach
Changing your password is a simple task, especially when done using a password manager. If you’re even slightly worried that someone may have gained unauthorized access to your account, take this small but effective step to counter any future attempts.
Change your passwords regularly
One of the most annoying pop-up alerts any corporate employee can see is the impending password change dialog, especially if you pride yourself on already using strong passwords. Though these corporate requirements can be frustrating and often counter-productive (in the case of users who simply increment a number on the end of their old password), the basic concept is sound. The only way to make a strong password more difficult to crack is to deprecate and replace it.
Comic via XKCD