Wednesday, October 03, 2018

Security Breaches and My Password Thoughts

Facebook security breaches have been in the news every day lately.  Are you concerned?  No, because you think you're a smarty pants and have changed your Facebook password, so there!  Well, that might not be enough.  Have you ever gone to a new website that asked you to sign up and offered you the convenience of using your Facebook, LinkedIn, Twitter or Google account?  If you elected for convenience, then you opened yourself up to the Facebook breach.  Never choose Facebook or Google as a login for accounts; always use your email address.  There is always another choice, although often it is a little harder to find.  

What is the Facebook or Google or LinkedIn convenience login called?  In the tech industry we call this the "you as" login or officially OpenID.  We'll log you in as.....your xxxxx account.  

How does it work?  How does it know?  When you click the button for the app to log in as, that website goes out and queries the app (Facebook, LinkedIn, Google, whoever) and asks for a token.  The website then stores that token forever for when you come back and log in.  That token contains your password from the app.  

What does the Facebook security breach have to do with that token?  If your account info and/or password was stolen from Facebook, then the bad guys have access to any site you used the "You as" login on.  That means you've spread your vulnerability across multiple entities.  

Do you believe that the Facebook breach only affected 50,000,000 users?  Of course not, silly!  Facebook has 2.23 billion user accounts.  

What are the best practices I should follow?

  • Never use the "You as" feature for new sign-ups to 3rd party apps
  • If you're using an easy-to-see pattern for customizing your passwords for each site or service, then change that pattern (and all of those passwords)
  • It's always a good idea to have different passwords for accounts involving money, and those passwords should be complex.  Pet + a number is NOT complex.  A password CAN be complex but easy to remember.  Here's an example: start with a sentence, "Dawn is the best person I know and funny too."  Take that sentence and convert it to DitbpIk&f2.  That's a complex password but easy for you to remember.  It's the first letter of each word, with words like "and" converted to a symbol and "too" converted to a 2.  Complex passwords should have lower case, upper case, special symbols/characters, and number(s)
  • Implement 2 factor authentication on your important accounts, like brokerage, banks, credit cards, etc.  Also called MFA or 2FA (multi-factor authentication); basically, it texts you a code that you put in after your password.  Here is an excellent short video explaining 2FA
  • Change your birth year on Facebook.  If you put all your personal information on Facebook and someone hacks your Facebook, could they use that to get into other accounts?  Your pet is Fido.  You were born in 1980, your dog was born in 2016, and the hacker knows that because you put his birthday party on Facebook.  So chances are really good that some of your passwords are Fido1980 or Fido2016.  Change them!
  • Personally, I go as far as putting an incorrect day, month and year as my birthday on Facebook.  My friends know it's my birthday when it's my real birthday.  I don't care about anyone else....
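As an added example that is not part of the original post, here is the sentence-to-password rule above in Python, together with a check for the four character classes and for the "Fido1980" pattern (a profile word followed by a year). The substitutions beyond "and" and "too", and the sample profile words, are assumptions.

```python
import string

# "and" -> "&" and "too" -> "2" are the post's own swaps; the others are assumed.
SUBSTITUTIONS = {"and": "&", "too": "2", "to": "2", "for": "4", "at": "@"}


def mnemonic_password(sentence):
    """First letter of each word (case kept), with a few words swapped for a
    symbol or digit, e.g. "Dawn is the best person I know and funny too." -> DitbpIk&f2."""
    out = []
    for word in sentence.split():
        bare = word.strip(string.punctuation)  # drop trailing "." or ","
        if not bare:
            continue
        out.append(SUBSTITUTIONS.get(bare.lower(), bare[0]))
    return "".join(out)


def missing_classes(password):
    """Names of the post's four character classes that are absent from the password."""
    present = {
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    return [name for name, ok in present.items() if not ok]


def built_from_profile(password, profile_words):
    """Flag the 'Fido1980' pattern: a word readable off a public profile
    (pet, child, town) followed only by digits or punctuation."""
    core = password.lower().rstrip(string.digits + string.punctuation)
    return core in {w.lower() for w in profile_words}


def review(password, profile_words=()):
    """Collect the problems the post warns about for one candidate password."""
    problems = ["missing " + name for name in missing_classes(password)]
    if built_from_profile(password, profile_words):
        problems.append("built from a name or word visible on your profile")
    return problems


if __name__ == "__main__":
    profile = ["Fido", "Dawn"]  # constructed sample: words anyone could read off a profile
    candidates = ["Fido1980", mnemonic_password("Dawn is the best person I know and funny too.")]
    for candidate in candidates:
        print(candidate, review(candidate, profile) or ["looks fine"])
```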

Trouble remembering all your passwords?  There are many alternatives.  One is the free version of lastpass.com, which I use to store and populate passwords online.  It's free for the personal version and costs $$ for companies.  There are other password 
That book is small enough to hide.  It has tabs with the alphabet to quickly find things.  Oh, and let me state the obvious: if you write them down, don't take the book with you, ANYWHERE

Want more information?  Here are some links:
What is this "You as" feature?  here

These opinions are my own.  You are responsible for your own account security.