Translate this page...

Sunday, 20 January 2013

Some Security and Password tips


NOTE: These are purely my opinions and should be investigated further by individuals prior to following any of them.

Also, where I have referenced a site - I've included links to said sites at the bottom of the post.

  • Use 2 factor authentication - such as Google Authenticator where available.
    Facebook, Google, and more already offer 2 factor authentication.
    Most banks should also offer 2 factor authentication via mobile phone or similar - if not, ditch them for another bank.
    NOTE: There is a fairly decent overhead that follows for initial setup of 2 factor authentication. You'll need to configure single use passwords for mobile devices, etc. and 'trust' certain devices...or not. The security benefits are worth the extra hassle up front IMO. 
  • Regularly check what devices are currently logged into your various sites that offer that facility - e.g. Facebook (at time of writing - "Account settings" -> "Security" -> "Active Sessions"). End any activity of old sessions - particularly work or shared PC's. If there's a session there you don't recognise - your account may possibly have been breached in which case you should reset your password and the password of any associated email addresses too.
  • Try to make sure that your passwords are MORE than 14 characters long. Site/service permitting, I tend to have passwords in excess of 25 characters.
  • Avoid starting your passwords with an upper case character and ending with numbers. Rather use the upper case, special characters, and numbers throughout the password.
  • Avoid using real words or phrases/quotes in your passwords as they are susceptible to dictionary attack.
  • You are better off to take the first or 2nd (or whichever) letter from a sentence and mix up the letters with upper/lower case, numbers, and special characters. 
  • By way of a small example (don't use this as it is one that is commonly and foolishly used, not to mention very short) -
    "The quick brown fox jumps over the lazy dog"
    Could be converted to a password as follows:
    "tQbFj0t!D" ...the 1st letter of each word in the phrase mixed up with upper/lower case/some letters replaced with numbers = e.g. "o" with zero/some replaced with special characters - e.g. "l" with exclamation.
    or..
    "hUr0uVh@o" ... the second letter of each word in the phrase, mixed up with upper/lower case/numbers/special characters.
    Try avoid using famous phrases as your starting point - try come up with random stuff like "The weather impacts my desire to drink water. When it is hot, I drink more water. When it is cold, I drink less water" - yields a 24 letter password if you don't include punctuation (which can be included if a site allows special characters in the password).
  • Use a password manager such as Lastpass to manage your passwords and help discourage you from using 1 password for all sites. Password managers also generally offer random password generators (better than using the phrase letters). 
  • Don't use the same password across sites - particularly your most vital accounts. Anther reason to use a password manager.
  • When inputting answers for secret questions during an account setup - do NOT use real answers.
    A lot of this info finds its way into the public domain or can be socially engineered out of people/companies. Not to mention close friends/family/partners that you have a falling out with - they're likely to know this information.
    Use unique answers for all questions - keep them in a password manager like LastPass/Keepass for safe keeping.
    As an example... "What is the name of your first pet?" answer "t!RuU53T" - which is the third letter of each word in the sentence "To think for yourself you must question authority". This would be very tricky to guess or find out even if the person knows you intimately.
    Another note on this is that some sites will limit the type of characters used - in which case it would still be better to use Tiruuset (same answer as before without numbers or special characters) than to answer truthfully.
  • When prompted to enter credentials into a website - check the address bar and confirm that the website address is the website you believe you're entering your password into. E.g. If facebook - make sure it says facebook.com - not something like "facebook.com.dodgybrothers.net" - phishing sites will quite often be setup on similar names or use the website name as part of the name.
  • Always log out of sites when you're finished with them - simply closing the browser window is not always enough and can leave your accounts exposed.
  • Set a calendar reminder for a certain day every so often to set aside and change your passwords. With things like LastPass, this is quite simply done. This will help you to keep changing passwords for sites that you rarely visit and forget about. It is probably good practice to change your passwords at least every 3 months for regularly used or critical accounts.
  • Sign up with/check at regular intervals sites like PWNEDLIST which try to keep a copy of all publicly released hacked information and see if your email address/es appear on their list. NOTE: If you are using LastPass - they have a feature called Sentry which already checks PWNEDLIST lists.
    If have a particularly large amount of free time... also occasional visits to sites like DATABREACHES which advise of known breaches.
  • If you have any influence on the password storage mechanisms of your company services/sites - recommend they use bCrypt - it slows down the process of hashing passwords which makes them less susceptible to brute force attacks. This "slowing" process also caters for a future where hardware performance increases - allowing you to increase the delay in hashing.
  • With respect to privacy - regularly check your "Privacy" settings on social media websites such as Facebook. These sites regularly add new features and tend to lean towards the more open "social" setting of letting it all hang out as the default setting for these new features.
    Additionally - it is recommended that if the sites offer the opportunity to NOT allow search engines to find your information - activate it. You DON'T want your information searchable by search engines, it exposes you unnecessarily.
  • If you are concerned with privacy or live in a country where you are heavily monitored and are fairly new to the concepts of doing things privately online - check out CrytoParty. They also have a hand book/guide available. 
I hope to flesh out some of these points and add to this page as and when time permits.

LINKS

Lifehacker article about 2 factor authentication:


LastPass video:


PWNEDLIST:


LastPass Sentry details:

DATABREACHES:


bCrypt:


CryptoParty:




There was an error in this gadget

Mandala el Ubby

Mandala el Ubby
Acrylic on canvas ~75cm x 75cm

Lateralus Vinyl Picture Disc

Lateralus Vinyl Picture Disc
Best album ever....ever.....ever....ehem

I procure heaps o fashizniz from Amazon, why don't you?