Secure access to accounts has been an important topic for a long time, and not just since the recent leak and hack of German politicians and other public figures. Secure passwords have been discussed for years, but mostly among IT pros, IT nerds and maybe people wearing hats made of aluminum foil, not among private or semi-private users.
Inexperienced users are often lost and don’t know what to do to secure their accounts. Sometimes they don’t even see the need. This article addresses inexperienced as well as experienced users and explains what you can do to secure your internet accounts (Facebook, Twitter, email, etc.) against malicious access by third parties and, if you do suffer a breach, how to mitigate the risks.
I will be using some technical terms, but I will do my very best to create links to sites that explain their meaning and give some deeper insights.
Using Secure Passwords
No wonder we have to start with password behavior. Passwords are the most prominent example of how access to accounts works. But not many people know that insecure passwords are the cause of more than 82% of all data security breaches! Having secure passwords is a cornerstone of your own information security.
Just saying “use secure passwords” is too simple. What are secure passwords and what other rules apply to them?
Use one password per service
The first and most important rule regarding passwords is: every service must have its own secure password! Reusing a password can make the difference between a small data leak, where only one account is affected, and a massive breach of several of your accounts. Because what do attackers do? If they get access to one account and get hold of its password, they try the same password on your other accounts. It is up to you whether this strategy works or not. That’s why each of your services needs its own secure and unique password! How does that work? I’ll show you…
Generate long and random passwords
But what are secure passwords? The rule is: use passwords that are as long as possible and as random as possible! But what does that mean? Passwords should be at least 8, better 12 characters long and contain random letters, numbers and special characters. Also, do not use single words or personal data (like the name of your pet, your birthday, or any word that can be found in a dictionary or can be socially engineered).
There are various techniques that help users generate secure passwords and still be able to remember them. One technique is to use the first character of each word in a sentence. Example: “In the morning I wake up & brush my teeth for 5 Minutes” – the resulting password would be: “ItMIwu&bmtf5M”. Another technique is to use multiple words that have no connection to you or to each other. Example: “Dog1HouseGreenEvening”. Lastly, there is the technique of using one base password (for example “fRt5&k”) and adding the name or some letters of the service to it, for example the first and last character of “Facebook”. The resulting Facebook password would then be “fRt5&kFb”, for Twitter “fRt5&kTr”, and so on…
By applying these three techniques users can easily generate passwords that can’t be brute-forced, socially engineered or simply guessed, and still have a chance to remember them. For all passwords there is the rule: rather use longer, more complex passwords and rotate them less often than use short, easy-to-remember passwords that rotate within a short period.
Speaking of password rotation: in the past, and still today in many companies with such policies, people were forced to change their password every three months. If you have a long, secure and unleaked password, there is no reason to change it more often than maybe once a year.
Use a password manager
Another way to manage and generate passwords is to use a password manager like LastPass. Password managers store all passwords in a single, secure and conveniently accessible place. This means that users can use very long (much longer than 12 characters) and truly random passwords for every service they sign up for. Additionally, they provide a list of all accounts you have – many of which users have long forgotten about. LastPass in particular also has an integrated password audit tool called “Security Challenge”, where users can see the security of all their passwords on one page! It notifies the user of too simple, reused or breached passwords. Password managers also usually come with a password generator, which produces really random and long passwords – this is the preferred solution over the password rules above.
For obvious reasons the use of a password manager somewhat contradicts the rule of one password per service, because with this single account an attacker could get access to all usernames and passwords. Because of this, secure the password manager with a really long and secure passphrase, a random username or email address, and a second factor! We come to all of that in detail later.
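To put numbers on the rules above, here is an added example (my own code, not from the article or from any password manager): it scores the article’s three memorable techniques against what a password manager’s generator produces, and shows such a generator built on the OS CSPRNG. The word list is a constructed stand-in; the 7776-word list size and the scoring of the sentence-initials trick are assumptions noted in the comments.

```python
import math
import secrets
import string

# Character set the article recommends mixing: letters, numbers and special characters.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

# Constructed mini word list for the demo. A real passphrase generator draws from a
# published list of several thousand words; the 7776 below is the size of such a list.
SAMPLE_WORDS = ["dog", "house", "green", "evening", "river", "stone", "cloud", "paper"]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` symbols drawn uniformly from `alphabet_size` choices."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 20, alphabet: str = FULL_ALPHABET) -> str:
    """What a password manager's generator does: one uniform random symbol per position,
    taken from the OS CSPRNG (secrets), never from random.random()."""
    if length < 12:
        raise ValueError("the article's minimum is 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(word_count: int = 5, words=SAMPLE_WORDS) -> str:
    """Unrelated random words, joined like the article's 'Dog1HouseGreenEvening'."""
    return "".join(secrets.choice(words).capitalize() for _ in range(word_count))


def compare_strategies() -> dict:
    """Entropy of the article's strategies if the attacker knows which scheme was used.
    Sentence initials are scored as 26 choices per word, a rough, generous estimate."""
    return {
        "8 chars, 94 symbols (old minimum)": entropy_bits(94, 8),
        "12 chars, 94 symbols (article minimum)": entropy_bits(94, 12),
        "20 chars, 94 symbols (password manager)": entropy_bits(94, 20),
        "4 unrelated words from a 7776-word list": entropy_bits(7776, 4),
        "13 sentence initials (ItMIwu&bmtf5M)": entropy_bits(26, 13),
        "6 random chars + service suffix (fRt5&kFb)": entropy_bits(94, 6),
    }


if __name__ == "__main__":
    for name, bits in sorted(compare_strategies().items(), key=lambda kv: kv[1]):
        print(f"{bits:6.1f} bits  {name}")
    print("generated:", generate_password(), generate_passphrase())
```

The base-password-plus-suffix scheme scores lowest because, once one of its passwords leaks, the suffix rule is obvious and only the six random characters are left to guess.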
Security Question Answers
Many people use security questions as they are meant to be used: they give honest and correct answers to the given questions. Is this a good idea? Surely not! With the security questions, or rather their answers, an attacker can reset an account and ultimately gain access. That’s why you have to pay attention to the answers to security questions as well. Never give correct answers to a security question! Mostly they can easily be socially engineered, like the birthday of your pet (maybe you posted about it on Facebook) or the maiden name of your mother (could also be googled)… So, with correct answers to these questions, you put the security of your account at risk as well!
Instead, use long random answers or sentences that have nothing to do with the correct answer. Think of them as long passwords that belong to a specific question. You can store the answers along with your username and password in your password manager. The chance that you will ever need them is low anyway if you have a good and secure password manager – like LastPass.
Stop using shared identities – have your own login for each service
One bad habit of users in recent years is logging in to services “with Facebook”. For instance, if you sign up for a Spotify account, you can either create a separate login or use Facebook as an identity provider. Startups often used this to avoid the whole security burden that comes with user management and login. But what does that mean for a user? If someone gets hold of your Facebook account, he automatically has access to all connected services! A breach that is bad enough on its own can reach another magnitude. Create a separate login account for every service you use and don’t rely on a shared identity.
In addition, if you use for example your Facebook login to sign in to other services, you are also subject to Facebook’s monitoring and logging. Internet services can then very easily combine your user data from several services, which benefits them and improves their monitoring of you.
Use two-factor authentication
Why secure accounts with only one factor, something you know – a password? Most applications already support the use of a second factor – an SMS token or a popup message in an app. Always use a second factor where possible! When logging in to an account, the multi-factor login generates a random one-time code that needs to be entered or acknowledged in an app. This way, knowing the username and password is not enough: you need to have the second-factor device as well!
This is very convenient and easy to set up. Facebook even has its own code generator to prevent unwanted access from unknown devices – but Facebook also supports other two-factor applications like Microsoft or Google Authenticator. Twitter supports this too, as do nearly all other widely used services! Just google it and set it up within 10 minutes. No one without access to your second factor (for instance your phone) can log in to the service, even if he has your username and password! What could be better?
Pay special attention to critical services
Pay special attention to mission-critical services that contain sensitive or payment information, such as the login to your password manager, your email accounts (since you normally don’t have to enter the password very often if you use a mail client, you can choose the maximum password length your mail provider allows), online banking accounts including PayPal, and accounts that allow immediate purchases such as Amazon. Your address book also contains sensitive data: the contact data of your friends, colleagues and family! This information is valuable to attackers, as it can be the basis of an attack on them! This practice is called doxing and can pose a serious threat to the people closest to you, as their mail addresses most likely are their usernames (hey, forward this article to them, by the way!). This is also the reason why you should never share your address book with services like LinkedIn, Facebook or even third-party apps! For example, the recent hack and leak of more than 1000 politicians and celebrities in Germany was due to only 50 people actually being hacked. All the others were just victims of doxing.
Amateurs Practice Until They Get It Right; Professionals Practice Until They Can’t Get It Wrong
George W. Loomis
Using Secure Usernames
To this moment we’ve only spoken about one of the two credentials needed to log in to services: The password. But what about the username?
Wouldn’t it make sense to hide the username as well from the immediate view of an attacker? How is this possible? Of course, it is easily possible with services where the login name is separate from your real name or email address: simply use a random string as the username that has nothing to do with your name. But even if the login name is your email address (as with Facebook, for example), you can do your best to hide the username from attackers!
But first, why is it risky to sign in to services with a known email address, or one you actively use? First, an attacker might already know it. He might have bought it in spam lists or got it by doxing someone who had it in their address book. Secondly, if that’s your username, it is surely also the account reset address. So attackers want to gain access to it in order to reset your accounts’ passwords.
The solution is easy: just use a separate, not publicly known, email address to log in to these services. Nowadays it’s easy to create a number of mail addresses, for instance at Google or other providers. Just create one random address that you use to log in to these services or set as the primary (and only) account reset email address.
By doing so you achieve two things. First, an attacker not only does not know your password, he also does not know your username, which makes a targeted attack on your account much harder. Second, an attacker would not even know which email account to attack if he wanted to gain access to it to reset your password. So this makes sense in multiple ways.
Another way to achieve this is to use catch-all email addresses. Many internet domain hosting providers, like 1&1 or Strato, support the creation of a mailbox that catches all emails addressed to an email account that does not exist on that server, in hosting offerings starting at a few euros per month. For example, a catch-all mailbox at example.com receives not only emails sent to firstname.lastname@example.com but also emails sent to any other string before the @ at that domain. This way, you can easily use a separate reset email address for each account (for instance one address per service at example.com)! An attacker would never know your reset or login email address because you don’t use it for communication, nor does any of your peers have it in their contact list. And even if an attacker knew the reset email address, he wouldn’t know which email account to hack, since the addresses the mails are sent to do not exist on the mail server. Also, when following this guide, you don’t have to create several separate email addresses for the different critical services. Using your own email hosting is a good idea anyway if you are interested in protecting your information.
Data encryption and Data parsimony
Encrypting data should be the normal state rather than the exception. All modern desktop operating systems have built-in full disk encryption (macOS: FileVault; Windows Vista and higher: BitLocker). Encrypting your hard disk protects your sensitive data from being stolen, even if your device gets into other hands. How quickly is a laptop forgotten on the tube or stolen at a trade show or other occasion? Mobile operating systems like iOS or Android use fully encrypted storage by default – this should also be the case on desktop systems, since it costs neither money nor performance.
Another mostly forgotten kind of device that needs to be encrypted is removable media like USB sticks or external hard disks, even if you store only non-sensitive data on them.
Being mindful of which data is stored where is always a good idea. Don’t spread private data widely and, where possible, encrypt it. For instance, it is a bad idea to store private data in business accounts or vice versa. Keep data separated.
Delete data junk! Why would you need 5-year-old emails or SMS? Attackers, however, could be very interested in emails about financial transactions or your ex-girlfriend – a leak of them can cause great harm, if not to you then maybe to your communication partners. If you need this data, create an encrypted backup and store it in a secure place. Then securely delete the data from all other systems.
Delete unneeded accounts! If you don’t use a service anymore, why not delete the account right away? This reduces your security risk, reduces the amount of accessible data for attackers and you have one system less to bother about.
Lastly, check the security settings in applications and devices regularly and narrow down access to information as much as possible. Why would a fitness tracker need access to your location at all times, even when you are not using it? Why should a social network need access to your address book? Why would a game need access to your microphone? By checking these settings in applications and apps you will not only get a sense of the amount and nature of data the application works with, but you might also find room to narrow down its rights. Always go by the principle of least privilege: grant as few rights as possible, only as many as really needed.
Security is a process, a way of being, not a product.
This quote really gets to the point: security is never a finished state or a product – it is and will always be a continuous process, and we all have to keep working on it for our own security.
Other Security Related Tips
- Be careful about where you enter your login information. Many phishing sites use clever replicas of the real sites to make you enter your login information and grab your password. A password manager often helps here, as it will only auto-fill if the domain name is correct. Managers are not as easy to fool as a user. Secondly, two-factor authentication helps, as the username and password are only two of the three parts needed to log in to a service.
- Do not open links in emails from senders you are not absolutely sure about, and do not open email attachments unless you are really sure about the sender and you expect an attachment from them. Stay alert and always be suspicious! If you are in doubt whether your bank really needs a re-authentication, as that strange mail you got claims, type in their base URL manually and log in. If they need information, they will notify you upon login. Never click on email links. By following this, you are also much less at risk of becoming a victim of phishing.
- Deactivate the downloading of external content in emails. There is no need for your email client to communicate with any source other than your mail server. If your mail client does not allow you to deactivate this, you can restrict its internet access in your local firewall so that it only downloads data from your mail server. This also helps to reduce spam, since you are not easily trackable.
- Updates, updates, updates! Always check for operating system and application updates, since they mostly include security patches and protect you against yet more security holes.
- Check sites like haveibeenpwned.com every once in a while to see if your email address and login data have already been leaked in some larger data breach! I guarantee you will find your name on some lists! In that case, change your password and (see above) username in that service immediately!
- Never store Username & Password in an App, Browser or Website! N E V E R S T O R E U S E R N A M E & P A S S W O R D! No, really, Never! No, just no! Clear? 😉
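The first tip says a password manager only auto-fills when the domain is correct. As an added example (my own code, not the article’s or any password manager’s), here is that matching rule applied to a constructed vault and to the kinds of look-alike URLs a replica site would use, so you can see why an exact origin comparison is not fooled where a human eye is. The vault entries and usernames are constructed sample data.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed vault entries: the origin (scheme + host) recorded when the login was
# saved, mapped to the stored username. Real managers store more; the match rule is the point.
VAULT = {
    "https://www.facebook.com": "login-a1b2c3@example.com",
    "https://accounts.example.org": "xk7q9p2m",
}


def page_origin(url: str) -> Optional[str]:
    """Reduce the current page's URL to its origin. Plain http is refused: credentials
    must not be filled into an unencrypted page, replica or not."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    return f"https://{parts.hostname.lower()}"


def should_autofill(page_url: str) -> Optional[str]:
    """Return the stored username only on an exact origin match, otherwise None.
    The manager does not 'recognise' a page the way a human does; it compares strings,
    so a host that merely starts with, contains or resembles the real one never matches.
    (Real managers usually match the registrable domain; exact matching is stricter.)"""
    origin = page_origin(page_url)
    return VAULT.get(origin) if origin else None


if __name__ == "__main__":
    for url in ("https://www.facebook.com/login.php", "https://www.facebook.com.login-check.example/"):
        print(url, "->", should_autofill(url))
```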
Many of these tips and tricks may seem over the top, and many of you might think “I have nothing to hide!” or “I’m not that interesting”. But that is not true! Every one of us has sensitive information that can do severe damage if leaked to the public or used against us. It can damage our private life or our professional career, or at least cause annoyance. It can even do immediate financial harm. And if not for yourselves, then do it for the data you store about others – contact data, email conversations, pictures, etc. The recent data leak shows what harm can be done. Again, only 50 people were really hacked, but over 1000 were affected by just those 50 insecure accounts!
Feel free to add further ideas and suggestions in the comments. I am curious about a living discussion.