In this article, I will give you the ultimate online log in security password tips. Tips I don’t see anywhere else (except in large business security procedures).
First I will recap the basic good password practice. Also, read my article on password basics.
By now I hope everyone has heard of
Heart Bleed any of the almost weekly security breaches; from banks to Yahoo having half a Billion of their user accounts compromised – and not telling us about it for 2 years! and know to change all your passwords to something long and complicated.
I hope you have taken the advice that every article and newscast has given you about using a password manager like LastPass, 1Password, KeyPass, or Dashlane. With a password manager, you can have a different, complicated, and long password for each website. The password should be one that you can not remember. Make it 15 or 20 characters long, with special characters, CAPS, and numbers. All you need is to remember the password to the password manager and keep it secure.
I recomend and use LastPass. It has been around for a long time, is reliable, and vetted by security experts like Steve Gibson. Last Pass is free for use on computers and only $12 a year for premium features like the ability to work on phones and tablets. I have experimented with Dashlane and liked its user interface, but it was less reliable on Android. Dashlane is $20 a year. update: Dashlane now works well on Android and I am currently using it on my phone.
That should be enough. But it is not. Not anymore.
For the Ultimate in online login security, you can do 4 or even 5 more things. One of which you will not see anywhere else! an exclusive right here on TechBreakdown.tv (as far as I know).
Lie on your security questions a website has you make when you first create an account. This first one you may have heard or read somewhere else and is easy enough for everyone to do. If someone knows you or can read your Facebook page… They can probably answer the questions you answered. What is your maiden name? Where did you go to high school? what was your high school mascot?… all probably on Facebook. So Lie on your security questions. Pick a question and put in the opposite as the answer, type in something totally unrelated, create another random password, or a short phrase. Keep this info in your password manager. All password managers let you put notes in each password you create or it has a separate secured notes section.
Use Two Factor Authentication. You have probably heard of this one too, but are not sure what it is or sounds to hard. It is a little bit of a pain to set up (on the sites that offer it), but once it is set up it will be much harder for someone else to use those accounts even if they did get your password. Sites like Google, Facebook, Twitter, and others offer a way to send a text message to your phone or let you enter a special pin number generated by an app when those sites are accessed by a device that has not logged in before. For example: you usually log in on your home computer. When you try to log in on your work computer, you will be prompted to enter a code from a text or app – or you wont be able to log in! Its that simple. This uses the idea that your phone is something physical that only the account owner will have. P.S. you should password protect your phone too. Google and Facebook both offer this service that can be used on many other sites. I use Google Authenticator as much as possible – because I still don’t trust Facebook.
Two Factor Authentication – with a USB key. This is an extra step of two factor authentication that adds another physical component of a USB key you get from the company that needs to be plugged into the computer you are using . It also generates a security code the site has to verify before you would be able to log in. Only a couple of companies or services offer this option and it would be reserved for the most sensitive information / security conscious user. LastPass offers this, as well as a company called yubikey.
Here it is, the ultimate suggestion for adding security to your online log ins….
Use a unique and complicated user name for each site – NOT YOUR EMAIL!
(At least for the real important sites). Most notably I’m talking about your banking and credit card sites. Most people use their email address as their log in to most sites. STOP DOING THIS NOW!
Many sites allow you to sign in with a user name / nickname that is not an email address. Your email address is everywhere. If a site like Yahoo gets hacked (again or again), the hacker will get a list of email address, and they can use them as user names to the most popular bank and credit card sites. So if you use your email address for log in to these sites, that gets the hacker in the front door. Most bank and credit card sites now have you enter your user name and password on different pages to make it harder for hackers to access your account. If they don’t have a valid user name they are stopped at the front door. If your log in is something like kz9vuM1G, then the hacker will not even get a chance to try any passwords.
I started doing this when I realized one of my credit card log ins was being attacked. I kept getting notices that the account was locked for too many failed attempts. After 2 or 3 notices I realized that someone had my email address that I used as the log on. It was not random. Changing the password was fine, (You get annoyed after the 3rd time) but they kept trying because they had a valid user log on. So I realized I had to make it so they could not even try. I have not had a problem with that site or any other since I started this practice. Now it is time to share it with the world.
STOP USING YAHOO EMAIL! – Yahoo has proven that they do not give a shit about you – their customers – security or privacy. They have been hacked several times in the past couple of years AND NOT TOLD ANYONE ABOUT IT!
Start changing all of your contact or login email to Google or Microsoft. – If you use your internet service email (Comcast) and leave them, then you may lose that email too. So use another trusted permanent email.