Given the number of recent online security breaches – including the release of really, really bad passwords – clearly it’s not so obvious.
Well, I guess I shouldn’t be surprised. After all, I think about this kind of thing as part of my work. Most people don’t. It’s my job to program things that work, but a big part of it becomes making things that other people will find difficult to exploit.
Otherwise, what’s the point? No one cares if it “just works” if some evil person out there can break it in 5 minutes! The way to go about doing this is to not program a single line of code until you’ve got the whole thing sorted in your head. Then, think about how you would hack it.
You don’t do this by thinking like yourself; you must think like someone who wants to attack you. Unless you’re a Russian chess master, you probably don’t think this way very often.
But, not to worry! The following are a few tips that will greatly increase your online security without making your brain catch on fire. Which is nice…
I’ve been saying this for years: USE COMPLEX PASSWORDS!
How? Easy! Read my article: Making strong passwords – and keeping them safe
The ideal password is at least 10 characters in length, and includes a mix of letters (upper and lowercase), numbers, and punctuation.
The key here is stop thinking that you’re so damn clever when making a password.
Your boyfriend’s name is Cleetus. You were born on the 15th of the month. Ya wanna know the absolute worst password you could pick?
Yeah, that’s crap. I know you think that no one who doesn’t know you could possibly figure that out, but did you ever think that the person who might hack your account is someone you do know? Or maybe one of their friends? Or maybe even somebody who friended you on social networking sites who can glean such information from your posts?
“Oh, but I put a fake birthday on Facebook! I’m smart…”, you say.
Right. And how likely is it that one of your friends will post on your timeline – on your real birthday – and everyone else will see it? Probably pretty likely…
Not everyone online is only interested in talking about themselves and what they ate for lunch. It’s very easy to get information about a person – much easier than you think.
And while we’re at it, if you’re one of those people who uses passwords like:
- abcdefghi ( ?? )
- ihgfedcba ( You have no idea how UNclever this is… )
- 12345678 ( Oh, Sweet Jesus… )
- password ( Well, thanks a lot! I now have brain damage from banging my head against the wall! )
Then just go ahead and leave your wallet and car keys in a public place, and walk away…
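As an added example (not code from the article), here is a small Python checker that enforces exactly the rules spelled out above: at least 10 characters, a mix of upper- and lowercase letters, digits and punctuation, no alphabet or number sequences like the ones in the list, nothing from a short blocklist, and nothing that contains a fact an acquaintance could know about you. The blocklist and the “Cleetus” / “15” facts are constructed for the demo; a real deployment would check against a large breached-password list instead.

```python
import string

# Constructed blocklist: the passwords the article calls out plus two similar classics.
# A real system would use a large breached-password list (hundreds of millions of entries).
COMMON_PASSWORDS = {"password", "12345678", "abcdefghi", "ihgfedcba", "qwerty", "letmein"}

MIN_LENGTH = 10  # the article's minimum


def is_sequential(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` consecutive characters that step by +1 or -1.

    This catches abcdefghi, ihgfedcba, 12345678 and any fragment of them.
    """
    s = pw.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        diffs = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def contains_personal_info(pw: str, facts) -> bool:
    """True if any known fact (name, birthday digits, ...) appears inside the password."""
    low = pw.lower()
    return any(f and f.lower() in low for f in facts)


def check_password(pw: str, personal_facts=()) -> list[str]:
    """Return a list of problems; an empty list means the password passes every rule."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no punctuation")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    if is_sequential(pw):
        problems.append("contains an alphabet/number sequence")
    if contains_personal_info(pw, personal_facts):
        problems.append("contains personal information")
    return problems


if __name__ == "__main__":
    # Constructed facts an acquaintance could glean from social media.
    facts = ["Cleetus", "15"]
    for candidate in ["password", "ihgfedcba", "Cleetus15!", "Tr0ub4dor&3x"]:
        print(f"{candidate!r:16} -> {check_password(candidate, facts) or 'OK'}")
```

Note that “Cleetus15!” satisfies every character-class rule and is still rejected, which is the article's point: complexity rules alone don't save a password built from things people know about you.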
Never use the same password twice
This one should be obvious, but again, it’s not.
If you have 30 online accounts and you use the same password for each, one compromised account means I can hack ALL your accounts.
Use a different password for each online service!
To store them, use a password safe such as KeePass. It rocks.
I have over 600 passwords. Yes, you read that right. No two passwords are the same, and they’re all strong passwords.
Without KeePass, I would be lost.
When using an encrypted password safe like KeePass, I only have to remember one very long and very complicated password. DONE!
Which reminds me… For the most important passwords you have, you should never even store them in a password vault!!
That’s right, the absolute best security is a complex password that you do the work to memorize. Now THAT is as close to unhackable as you can get. It’s also more work, but that’s the point, and the reason why it works so well!
Don’t use Facebook to log in to other sites
This one might not be so obvious, either.
Every time you allow an app access to your Facebook account, you’re decreasing your security.
If you’ve ever been in the situation where your FB account was mysteriously spamming other people, the #1 reason is because you allowed some app to access your whole profile. Many apps actually ask to post as you, and if you don’t read the fine print, you simply allow them to do so. Oops!
Likewise, every time you use Facebook to log in to some site to leave comments or whatever, you’re linking the 2 sites together via your account and your password. Should I manage to hack your FB account, I can also post comments as you on web sites, or whatever…
I know it might feel convenient, but using one site to log in to many others is:
- An advertiser’s dream – they’re collecting lots of data on you!
- Inherently less secure
You wouldn’t use the same key to unlock your house, unlock your car, open your safe deposit box, and unlock your office at work. That would be totally insane… So why would you do exactly that online?
The same is true of Google. Why have all your sites tied to Google? Heck, if you have an Android smart phone, why even use the same Google account for your phone and your puter? Well, okay, because it can be convenient. But the point here is to think first… Do you really NEED all this stuff to be tied together? Is it really improving and simplifying your life so much, or is a bit more security and separation a better option?
It’s not that much more difficult or time consuming to forego the “One Account to Rule Them All” login option, and use the site’s own account creation option. Usually, it just means waiting a minute or two for an account creation verification link to arrive in your inbox. You click, and you’re in.
So, don’t go the easy route. It might save you BIG headaches in the future…
Two-factor authentication doesn’t work
Two-factor authentication is supposed to fix everything. As you might have suspected at this point, it doesn’t.
The idea is that you need 2 pieces of “digital ID” to access an online account.
It’s a bit like your bank card: In order to withdraw cash from an ATM, you need a physical card and you must know the proper PIN code. There are two things that are used together to identify you.
For online services, it’s often something like a password plus an instant message with an access code sent to your smartphone.
Well, it’s true that this helps sometimes, but there are a few problems:
- Man-in-the-middle attacks: somebody sits between you and the site, and monitors everything without you knowing it
- Malware like trojans can also intercept and monitor everything your puter (or phone) is doing
- Two-Factor Authentication is usually done for login only, but not for things like individual banking transactions once you’re logged in. This is a no-no. Each important “online transaction” should be verified for better security.
Let’s just say that two-factor authentication might slow down the Bad Guys, but it won’t stop them. And if you simply had a unique and hard to hack password, you really don’t need a second factor for authentication.
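To make the third point concrete, here is an added Python illustration (not code from the article, and not any particular bank's scheme) of the difference between a second factor that only proves you logged in and one that is tied to each transaction. Both codes are derived with HMAC-SHA256 from a shared device secret and a one-time nonce issued by the server; the transaction-bound code additionally mixes in the payee and amount the user saw on their phone. The secret, nonce, payee and amounts are all constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo secret. In practice it is provisioned once onto the phone or
# hardware token and never travels over the network again.
DEVICE_SECRET = b"constructed-demo-secret-do-not-reuse"


def one_time_code(secret: bytes, message: bytes, digits: int = 6) -> str:
    """HMAC-SHA256 over `message`, truncated to a short decimal code.

    Uses the dynamic-truncation step from HOTP (RFC 4226) so the result is the
    familiar 6-digit shape; the security comes from the HMAC, not the truncation.
    """
    digest = hmac.new(secret, message, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def login_code(secret: bytes, nonce: str) -> str:
    """Login-only second factor: the code knows nothing about what is being paid."""
    return one_time_code(secret, f"login|{nonce}".encode())


def transaction_code(secret: bytes, payee: str, amount_cents: int, nonce: str) -> str:
    """Transaction-bound second factor: payee and amount are part of the HMAC input,
    so a code approved for one transaction is useless for an altered one."""
    return one_time_code(secret, f"txn|{payee}|{amount_cents}|{nonce}".encode())


def bank_accepts(secret: bytes, payee: str, amount_cents: int, nonce: str,
                 submitted: str, bound_to_transaction: bool) -> bool:
    """The server-side check, computed over the transaction the bank actually received."""
    if bound_to_transaction:
        expected = transaction_code(secret, payee, amount_cents, nonce)
    else:
        expected = login_code(secret, nonce)
    return hmac.compare_digest(expected, submitted)


def simulate(tampered: bool, bound_to_transaction: bool) -> bool:
    """The user approves a payment on their phone; something in the middle may change
    the payee before it reaches the bank. Returns True if the bank accepts it."""
    nonce = "constructed-nonce-0001"          # would be random and single-use in practice
    payee, amount = "ACME Utilities", 12_500  # what the user sees and approves

    if bound_to_transaction:
        code_on_phone = transaction_code(DEVICE_SECRET, payee, amount, nonce)
    else:
        code_on_phone = login_code(DEVICE_SECRET, nonce)

    received_payee = "Mallory" if tampered else payee
    return bank_accepts(DEVICE_SECRET, received_payee, amount, nonce,
                        code_on_phone, bound_to_transaction)


if __name__ == "__main__":
    for bound in (False, True):
        for tampered in (False, True):
            kind = "transaction-bound" if bound else "login-only"
            state = "tampered" if tampered else "untouched"
            print(f"{kind:18} {state:9} -> accepted={simulate(tampered, bound)}")
```

With the login-only code the altered payment is accepted, because the code was never about the payment in the first place; with the transaction-bound code the bank recomputes the HMAC over what it received and the mismatch rejects it. That is the “verify each important online transaction” rule in about forty lines.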
Biometric security is crap
After all, your smart phone has a fingerprint sensor, just like in Mission Impossible or some James Bond movie. It must be really good, right?
Fingerprint sensors are often easy to fool with very simple techniques. Face recognition software is often “low-end”, and can even be fooled with a good photograph.
These things are changing and getting better every day, but still… Just think about it.
Your physical characteristics could be reproduced. But that uber-secure complicated password you made that is only in your head and/or in a good encrypted password safe? Not so easy to reproduce.
How about a PIN code or Pattern Unlock on your smart phone? Well, how often do you clean the oily smudges off the screen of your phone? If you don’t, it’s child’s play to hack into your phone by simply looking at the dark screen to see where the smudges are…
The first thing you do when you touch your screen is unlock it, and that’s when the most oil will come off your fingers. For a PIN code, which blob of oil is the most defined? That’s more likely to be the first digit of the PIN code. Not so hard, eh?
Always remember that even big-name sites are not necessarily done well
Some of the biggest names on the internet have been subject to some of the most egregious breaches of security.
The bigger they are, the more arrogant they are, and the harder they fall.
You also have to remember that “big” or “popular” doesn’t necessarily mean “better”. Programmers should know this all too well.
Need more functionality? Easy! Just use that chunk of code over there in the form of a plugin or module or library. Simple and quick!
Right, but… Did you look into the code to see what it’s doing? It may surprise you to know that most programmers do NOT do this. Time constraints and work pressure mean they hurry to “get it done” to make the Boss happy. The end result is not enough checking and digging into the details, which often means worse security!
Plus, most programmers actually have no idea how to think and program things well; they just follow the current “right way of doing things” paradigm… which is often not the best and most secure way of doing things.
In other words, there is the Human Factor that you can control, and then there is the Human Factor that you cannot control. For maximum online security, you must take these things into account.
That’s pretty much all there is to it…
If you keep this information in mind and apply it well, you will already be safer than 98% of the other people on the net!