Keeping Your Accounts Secure
Friday, November 27th, 2009 2:03PM UTC
There are too many passwords to manage, and what most people resort to is using the Spaceballs luggage combination. You need one for your web site control panel, one for your free E-mail provider, one for your bank, another for your E-mail address, another for your bank ATM PIN, etc. While using the same password everywhere makes your life easier, it also makes it easier for the hacker: once they gain access to one account, they can pick off the other accounts you have. In addition, many individuals use simple passwords: a common dictionary word, their dog’s name, their spouse’s name, or their first-born child’s name. There has to be a better way, and there is. Here are some tips for keeping your accounts secure.
By monitoring our hosting customers, we’ve seen many FTP, SSH and E-mail accounts broken into via brute force alone. While we do have measures to block these types of attacks and monitor for any unusual activity, we recommend using strong passwords. A strong password is completely random, at least 8 (preferably 12) characters in length, and includes numbers and both upper- and lower-case letters; then use a different password for each account.
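To make the two rules above concrete (random, mixed-case passwords of at least 8 characters, and a different one per account), here is an added example in Python. It is not code from the original post or from Empowering Media; the common-password list and the sample account list are constructed for the example, and the password alphabet (letters and digits) is an assumption.

```python
import secrets
import string

# Constructed sample of well-known passwords to reject (not a complete list;
# "12345" is the Spaceballs luggage combination).
COMMON_PASSWORDS = {"12345", "123456", "password", "qwerty", "letmein"}

# Assumed alphabet: upper- and lower-case letters plus digits.
ALPHABET = string.ascii_letters + string.digits


def is_strong(password, minimum=8):
    """True if the password meets the post's criteria: at least `minimum`
    characters, both cases of letters, at least one digit, and not a
    well-known common password."""
    return (
        len(password) >= minimum
        and any(c.islower() for c in password)
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
        and password.lower() not in COMMON_PASSWORDS
    )


def generate_password(length=12):
    """Generate a random password from the operating system's CSPRNG via
    `secrets` (never the `random` module, whose output is predictable).
    Regenerates until is_strong() passes, which takes only a few tries."""
    if length < 8:
        raise ValueError("use at least 8 characters, preferably 12")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if is_strong(candidate):
            return candidate


def find_reused(accounts):
    """Given a mapping of account name -> password, return a mapping of
    each password shared by two or more accounts to the sorted list of
    accounts using it. An empty result means every account has its own
    password, which is what the post recommends."""
    by_password = {}
    for account, password in accounts.items():
        by_password.setdefault(password, []).append(account)
    return {pw: sorted(names) for pw, names in by_password.items() if len(names) > 1}


if __name__ == "__main__":
    print("new password:", generate_password(12))
    # Constructed example of the "one password everywhere" habit.
    sample = {"bank": "Fluffy1", "mail": "Fluffy1", "ftp": "x7Kq9LmZ2pRt"}
    print("reused across accounts:", find_reused(sample))
```

In practice the generator would live inside a password manager rather than a script; the point of `find_reused` is that reuse is something you can check mechanically once the passwords are stored in one place.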
OK, you’ve followed our recommendation and use a different password per site. How do you manage them all? Put Post-It notes on your computer monitor? That’s a surefire method to announce your passwords to the world. Your best method is using a password manager. Password managers are an excellent way to store, create and manage your online and offline accounts. Even better, many offer synchronization to a smart phone so you can take your passwords anywhere with you. Depending upon your operating system and needs, you have many options. Here are a few of the more popular applications; we’ve used all of them at one point or another:
- 1Password (OS X, iPhone, iPod Touch, and Palm support)
- MiniSafe (Windows with Blackberry support)
- SplashID (Windows and OS X, with support to many smart phones)
Of those mentioned above, I personally like 1Password the best. It works great on OS X and now has a web browser app that works on MS Windows and even Linux, so you are able to get your passwords from any platform.
By default, web surfing, E-mail, and FTP send your password unencrypted. This also means any content (E-mails, HTML, personal data, etc.) is insecure. If communication from desktop to server is not encrypted, it’s possible for someone along the way to intercept it. To encrypt this communication, the best approach is to enable SSL. With the multitude of applications available, I cannot go into details, but I will summarize what’s needed:
- E-mail client – Enable SSL for IMAP or POP3 and SMTP communication
- FTP – Use FTP/SSL or SFTP instead
- Web browser – Make sure the web site certificate is valid and communication is secure via SSL (otherwise known as https:// in your browser URL)
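The list above is what to turn on in a mail client, FTP client or browser. For anyone scripting the same connections, here is an added Python example (not code from the original post or from Empowering Media) of what "enable SSL and make sure the certificate is valid" looks like in code: a TLS context that requires a CA-signed certificate matching the hostname, used for IMAP over SSL, SMTP with STARTTLS, and a plain certificate check against a web server. The hostnames and ports in the usage section are assumed placeholders.

```python
import imaplib
import smtplib
import socket
import ssl


def make_tls_context():
    """Client-side TLS context that actually verifies the server: a
    CA-signed certificate is required, the hostname must match it, and
    protocol versions older than TLS 1.2 are refused. Turning any of
    these off is how "encrypted" sessions end up interceptable."""
    context = ssl.create_default_context()
    context.check_hostname = True
    context.verify_mode = ssl.CERT_REQUIRED
    context.minimum_version = ssl.TLSVersion.TLSv1_2
    return context


def describe_context(context):
    """Report the verification settings of a context as plain strings,
    so a configuration can be audited without a network connection."""
    return {
        "check_hostname": context.check_hostname,
        "verify_mode": context.verify_mode.name,
        "minimum_version": context.minimum_version.name,
    }


def open_imap(host, port=993):
    """IMAP over SSL (implicit TLS on port 993) instead of plain IMAP on 143."""
    return imaplib.IMAP4_SSL(host, port, ssl_context=make_tls_context())


def open_smtp(host, port=587):
    """SMTP submission with STARTTLS: the session is upgraded to TLS before
    any credentials are sent. Because starttls() is given a verifying
    context, a forged server certificate aborts the session."""
    server = smtplib.SMTP(host, port)
    server.starttls(context=make_tls_context())
    return server


def fetch_certificate(host, port=443):
    """Perform a verified TLS handshake with a web server and return its
    certificate as a dict (subject, issuer, notAfter, ...). An invalid or
    mismatched certificate raises ssl.SSLCertVerificationError instead of
    silently connecting, which is the check the browser does for you."""
    context = make_tls_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    print(describe_context(make_tls_context()))
    # Placeholder host; replace with your own mail or web server to try it.
    try:
        cert = fetch_certificate("mail.example.invalid")
        print("certificate valid until", cert.get("notAfter"))
    except (OSError, ssl.SSLError) as exc:
        print("connection or certificate problem:", exc)
```

The same three settings (verify the certificate, check the hostname, refuse old protocol versions) are what a mail client's "Use SSL" checkbox is supposed to enable; if a client offers to "accept any certificate", that option defeats the purpose of the encryption.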
If unsure and using Empowering Media for these services, check with us. We’ll be more than happy to discuss how to encrypt your communications.
Two Factor Authentication
You are now using random passwords and you want more security, so what’s the next step? Two-factor authentication is the answer. It’s military grade security. In simple terms, it means you need two forms of identification before access is granted: something you know (your password) combined with something you have on your person (typically a fingerprint, retina scan, or key fob). How can this be done via web sites? The answer is OpenID. It’s a relatively new method for web site authentication, and it allows for a unified method to log in to multiple web sites. Unfortunately, Empowering Media does not yet support OpenID.
We recommend creating an OpenID account with Verisign’s FREE Personal Identity Portal (PIP). It has a great OpenID implementation and it supports two-factor authentication. On any site that does offer OpenID, you can use the same OpenID to log in. Verisign offers a key fob option, either as software you install on your smartphone or by purchasing an RSA-based key fob.
For SSH logins you can create a poor man’s two-factor authentication. First create an SSH key to log in to your account; details can be found here. Once created, move your private key to a USB flash drive. Your private SSH key is then only available when the drive is plugged into your computer.
For an additional layer of security, we can disable SSH login via password and allow for SSH key only. SSH Keys are a much more secure method than using passwords. This option is available with our dedicated VPS and server customers.
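Disabling password logins is a change to the server’s sshd_config, and it is easy to get wrong (a password directive left at its default, or keyboard-interactive authentication still enabled, keeps brute force possible). The following added Python example, which is not code from the original post or from Empowering Media, parses an sshd_config and reports whether key-only login is actually enforced. The two sample configurations are constructed; the parser assumes the relevant directives are in the global section, not inside a Match block.

```python
import re

# Acceptable values for each directive when SSH keys are the only login
# method. PermitRootLogin may also be "without-password"/"prohibit-password",
# which means root can log in with a key but not a password.
REQUIRED = {
    "pubkeyauthentication": {"yes"},
    "passwordauthentication": {"no"},
    "challengeresponseauthentication": {"no"},
    "permitrootlogin": {"no", "without-password", "prohibit-password"},
}


def parse_sshd_config(text):
    """Parse the global section of an sshd_config into {keyword: value}.
    As in sshd itself, keywords are case-insensitive and the FIRST value
    given for a keyword wins; a later duplicate is ignored. Parsing stops
    at the first Match block (assumption: the directives we audit are
    global). Both "Key value" and "Key=value" forms are accepted."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)  # first value wins
    return settings


def audit_sshd_config(text):
    """Return a list of findings; an empty list means key-only login is
    enforced. A directive that is absent is reported too, because relying
    on the compiled-in default is exactly how password logins stay on."""
    settings = parse_sshd_config(text)
    findings = []
    for key, wanted in REQUIRED.items():
        actual = settings.get(key)
        if actual is None:
            findings.append(f"{key} not set explicitly (want {'/'.join(sorted(wanted))})")
        elif actual.lower() not in wanted:
            findings.append(f"{key} is {actual} (want {'/'.join(sorted(wanted))})")
    return findings


# Constructed sample: password logins still allowed.
WEAK_CONFIG = """
Port 22
PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PermitRootLogin yes
"""

# Constructed sample: SSH keys only. The trailing duplicate directive is
# ignored by sshd (and by the parser) because the first value wins.
HARDENED_CONFIG = """
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
PasswordAuthentication yes   # ignored: first value wins
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["OK: key-only login enforced"])
```

After editing the file, `sshd -T` prints the effective configuration the daemon will actually use, which is the authoritative check; keep an existing SSH session open while you reload so a mistake does not lock you out.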
Securing Your Computer
If you get infected by a virus you might be in trouble. Many viruses today capture keystrokes from your computer, and unfortunately most individuals don’t even know they have been infected. If you have been infected, assume any password typed on that computer has been compromised. The goal should be to prevent this from occurring to begin with. First and foremost, keep your anti-virus, anti-spyware and operating system software updated. Keeping your software updated by itself thwarts most attacks. Both Microsoft’s Windows and Apple’s OS X have automated updates; I recommend setting this option to check daily for updates.
Anti-virus software is a must. For Windows systems we recommend ESET’s NOD32 Antivirus, and on the Apple Macintosh platform we recommend Symantec’s Norton Anti-Virus. While the Macintosh is not attacked as much as Windows machines, expect this to increase with Apple’s increase in market share.
For the truly paranoid: how can you make sure no unauthorized people are using your account? You do this by creating a feedback loop.
Let’s discuss a personal example. At Empowering Media, we have a corporate credit card that someone stole (more than likely via some insecure web site I ordered merchandise from). The person then proceeded to call the credit card company, pretend to be me, change my business address to their location and then modify the web site password. How did we find out about this change? Via an E-mail from the credit card’s web site. Most financial web sites have methods to contact you if any unusual activity or changes occur. For financial web sites at least, I recommend you set up all available notifications.
In Summary, Use:
- Randomly generated passwords at least 8 characters in length (over 12 characters preferred); common passwords should not be used
- A different password for each account
- Encryption (SSL) when communicating to web sites asking for your password or other sensitive information
- A password manager that offers syncing to a smart phone
- If available, two factor authentication
- OpenID
- Feedback loops to notify you of unauthorized usage
Following all of the suggested best practices will, for the most part, ensure your online and offline accounts are kept secure.