2013-03-24

On Accounts and Passwords

I have some well-formed opinions on account security.  They have evolved over time as I have better understood the risks.  Unfortunately, I think the following list is good for all users everywhere.

The basic principle is to assume that nothing is secure.  Even if you keep your username and passwords secure doesn't mean that your bank, ISP, or Email provider keeps its systems secure.


Login Practices
  • Always check for proper HTTPS/SSL security.
  • Never use a link published in an email.
  • Use disposable accounts whenever possible.  Your account for your knitting forum shouldn't have any relationship to your account for your bank.
  • Only access sites with a good reputation, and a reputation that they need to uphold.

Password Practices

  • Never use the same password more than once.   If a hacker steals your password from DumbCo, you don't want that hacker to try that password at BigBucksBank.
  • Change your passwords.  People steal encrypted passwords.  Over time, they could crack those encrypted passwords.  By changing your passwords occasionally, you diminish that attack vector.
  • Use two-factor authentication whenever possible.
  • Never let anyone know your passwords.
  • Long and complicated passwords are better.
  • Avoid on-line account managers that result in a large store of passwords.
Email Practices
  • Keep your email accounts very secure.  If you can reset your passwords over email, then so can a bad person.
  • Use more than one email account.  Don't use the same email account for your knitting forum or Facebook that you use for your bank.
  • Never open or read junk mail.  Assume that it will infect your computer.
  • Never trust email from your friends.  Their accounts could have been compromised.
  • Avoid webmail services
Computer Practices
  • Minimize the number of devices you use.  The more devices you use, the more work is required to keep them secure and the higher the odds are that one of them is compromised.
  • Trust less trustworthy computers less.  Your home Windows XP machine is more vulnerable than your iPad.  Be more skeptical of less secure environments.
  • Never log in from an unknown machine.  That means you should never trust the computer in the hotel lobby, the computer at school, or even the computer at work.  Assume that there are keyloggers and screen-sharing technologies on each device you use.
  • Do not let others use or maintain your computer without strict oversight.
  • Use a quality browser that has anti-phishing capabilities.  Keep that browser up-to-date.  Avoid browser plugins.
  • Encrypt your computer's hard drive, and use a long and complicated password.
  • Put a password on your computer's login screen.  Do not let users share accounts.
  • Do not give day-to-day user accounts administrative privileges.
  • Shutdown your devices when not in use.
  • Scan for malware on all of your devices often.
  • Keep your software and OS up-to-date.
  • Do not install any software that hasn't been fully validated by a reputable party.
  • Be very hesitant in giving administrative rights to any software.
  • Back up your devices often, and keep control of your backups.  Keep your backups elsewhere (assume your neighborhood will burn down).
  • For encrypted files, use very long and complex passwords in order to minimize the odds that someone will be able to crack the file in years to come.
  • Use WPA2/AES security on your home WIFI network.  If your devices don't support WPA2/AES, upgrade your devices.

General Practices
  • Keep an off-line list of your accounts so you can easily take action if one account is compromised.
  • Watch over your account activity.
  • Be very concerned about account access issues or "odd behavior".
  • Remember that your network is compromised - your ISP, in combination with web site providers can access nearly all your network communications.
  • Do not trust the manufacturer of your home wireless router, handset, operating system, or third party software.  Again, all your data runs through these devices.
  • Never trust a 3rd party that can send you an email with your password within it.
  • Keep in tune with security vulnerabilities and compromises.


No comments:


Share