Here’s a set of guides I’ve put together to help you understand your online security posture and how you might improve it.
Stop using the same password everywhere!
Weak passwords and how to choose a strong complex memorable password
Setting up and using a Password Manager
Setting up and using Two/Multi Factor Authentication (2FA/MFA)
Everyone uses Social Media these days and we’re trusting it with more and more of our personally identifiable information (PII).
Our interests, comments, check-ins, likes and the network of friends and family we build-up all contribute to a context-heavy online identity.
If an attacker gains control of your online identity, they can easily:
In this guide, I’ll focus on the social media platform Facebook and talk about how to review your security settings.
It’s important to review exactly what information you’ve entered as part of your Facebook Public Profile – as it’s exactly that: Public.
You may have entered something personal, inappropriate, misleading, regrettable or just incorrect without realising it’s being broadcast to the world. The settings controlling what’s displayed as part of your public profile are separate from Facebook’s general security settings so must be reviewed independently.
To configure your Public Profile, do this:
Examine all photos and read all text and options in this window from top to bottom. Whatever you see here is publicly visible to the whole world.
After making a change, remember to click the Save button that appears.
IMPORTANT: Make sure you click on the Edit your About Info link at the bottom of the Edit Profile window.
The About Info section can contain a huge amount of personal information you might want to keep private.
Go down the navigation items on the left and examine each panel of information on the right. Examine everything here. If there’s something you’d rather keep private or don’t want the world to see or know about – such as your mobile phone number or your relationship status, change it here.
Facebook security settings can be accessed via the Facebook. Accessing the Facebook security settings:
There are lots of security-related settings here, so to save you time I’ve use the following colour coding:
[QUICK WIN] = You should address these straight away
[EFFORT] = Require a bit more thought and effort but will definitely improve your security posture
[REVIEW] = Items for you to review. These are mainly about privacy but also cover notifications and alerting.
This is a list of all devices and locations that are currently logged into your Facebook account.
If you have a home PC, a laptop, a smart phone, a tablet etc. you’ll see multiple entries here. Facebook will try and identify the type of device and where geographically it’s logged in from.
Make sure you click on the ▼ See more button to display everything.
Look down the list and if there’s anything there you don’t recognise, click the three dots menu icon on the right and select Not you?. This tells Facebook that you are not responsible for this login and will help Facebook block this connection in the future.
If you’re knowingly using a VPN or routing your traffic via a different country, you’ll see that reflected here.
Seeing anything unexpected here can indicate that your Facebook account has been compromised and someone else is logging into your account without your knowledge. Is this is the case, I would recommend that you immediately do the following:
This will cause every device on the list to be logged out. If they try and log in again, they’ll be prompted to enter your password which you’ve just changed.
This works hand-in-hand with the Where you’re logged in list (explained above).
Facebook can send you a notification if it sees a login that’s from a previously unknown device, browser or location. This is really important so you can react quickly if your account is compromised.
If this isn’t already On, click the Edit button and make sure notifications are enabled for all alert types. Remember to click Save Changes.
If you’ve just turned something on, you’ll get an alert saying so.
You can learn more about the concept of Two Factor Authentication (2FA) by reading my guide here.
TL;DR; In order for a new device or browser to log into your Facebook account, a person will need to know not just your username and password (which might have been leaked) but also have access to your unlocked mobile device and use its code generator app.
If you enable 2FA in Facebook, it requires a minimum of your mobile phone number and a code generator of some sort.
The Facebook smartphone app will serve as a code generator, but if you’re embracing the concept of 2FA to protect your online identity across multiple online services, you should take the option to set up a third-party app as a code generator.
After you’ve read my guide to 2FA, adding Facebook’s QR code to your code generator app will be a breeze.
Your Facebook account can be locked-out if someone is trying to brute-force your login credentials or someone has reported your account behaving maliciously – usually after it’s been compromised.
You can choose a few trusted Facebook contacts to help you out if your account becomes locked-out. They will be contacted by Facebook to help your identity to prove you are who you say you are.
Unless you are a public figure and want everyone to know exactly what you had for lunch or where you went last night and with whom, I would strongly recommend making sure only your Friends can see your future posts.
This setting usually defaults to Friends, but can switch if you’ve recently changed the visibility of a post to Public.
If this is set to anything other than Friends, click the Edit button, change to Friends then click Close. This setting doesn’t have a Save Changes button and takes effect immediately.
If you’ve posted stuff in the past that you might have thought was a good idea to make Public, or may have accidentally made Public, you can fix this and set everything you’ve done back to Friends.
Click Limit Past Posts then click the Limit Past Posts button that appears below, then click the Limit Past Posts button in the window that appears, then click Close. The change will take effect immediately.
If you want to stop people you don’t know seeing a list of your Facebook Friends, you can change that here.
Click Edit, then change the visibility button to Friends. The change takes effect immediately.
If you’re happy for people you don’t know to see your list of Facebook friends, leave it as Public.
If you want to prevent people you don’t know from finding your Facebook Profile via your email address, you can change that here.
Click Edit, then change the visibility button to either Friends or Friends of friends. The change takes effect immediately.
If you’re happy for people you don’t know to find you by your email address, leave it as Everyone.
If you want to prevent people you don’t know from finding your Facebook Profile via your mobile phone number, you can change that here.
Click Edit, then change the visibility button to either Friends or Friends of friends. The change takes effect immediately.
If you’re happy for people you don’t know to find you by your mobile phone number, leave it as Everyone.
You can stop your Facebook Profile page from appearing in search engine results by changing this option.
Click the Edit button and either tick or un-tick Allow search engines outside of Facebook to link to your Profile, then click Close.
It can take days or weeks for your profile to disappear from search engine results, so don’t expect an immediate effect. If you’re still seeing your profile coming up in search engine results, you’ll need to contact the search engine company directly and request your profile to be removed.
TO DO
TO DO
TO DO
TO DO
TO DO
TO DO
TO DO
TO DO
TO DO
Every time you interact with a Facebook app, you grant it access to one or more elements of your profile. This can include your personal profile i.e. age, sex, religion, address, email etc and your friends list.
Some apps, also demand permissions to post on your behalf.
This page is split into 3 tabs: “Active”, “Expired” and “Removed”.
Apps under “Active” have continued access to your data.
Apps under “Expired” previously had access to your data but their access has now expired.
Apps under “Removed” are those that have had access to your data removed manually by yourself.
For all “Active” apps, you can check exactly what privileges it has by clicking “View and edit”.
If you’re certain you don’t want an “Active” app to access your data any more, tick it’s box and click the “remove” button.
You should perform this simple check regularly – especially if you’re in the habit of completing Facebook quizzes, questionnaires or playing Facebook games.
TO DO
TO DO
Typical online authentication requires a username and a password – this is something a user has to know.
These can be (and are frequently) written down, shared with other people or leaked from hacked sites to the world by malicious third parties..
Users will often setup the same username and password with multiple online services. This is super-convenient because they only have to remember one set of credentials, but if those credentials get leaked, hackers will have access to all services where that set of credentials have been used.
This could be your mailbox, your social media accounts, online shops, dating sites (!) etc. and once an attacker has access to your mailbox, they can use the “forgot password” function of any website to reset your password and control your account.
To remedy all this, you can add an additional layer of security called Two Factor Authentication (2FA), sometimes called Multi Factor Authentication (MFA).
This is so-called because it adds an additional factor to the authentication process. In additional to what a user knows (their username and password), it adds the requirements of something a user has.
MFA requires a physical device to deliver you a security “token” to enter alongside your username and password. This is typically a 6 to 8 digit number or sometimes a random text string. Here are some ways a code can be made available to you:
Not all online services, support MFA… but a growing number do. twofactorauth.org is a really useful site that tries to keep an up-to-date list of services that do offer MFA, and if they don’t, it (rather cheekily) provides a link to the service’s twitter page so you can ask them to.
For sites that support Software Tokens, I’d like to recommend an solution called Authy. This is a free system that has the following benefits:
What makes a password weak?A weak password is one that can be easily guessed or broken.
This might be because it’s made up of public information associated with you. For example:
Your password might be a known default password.
Many items of computer hardware which connect to the Internet have factory default usernames and passwords. These are often variations of the words admin and password.
Recently installed, but unconfigured software or content management systems will often use a default password which is publicly known and published in online manuals.
So far these are examples of public information being used as passwords.
For passwords made up of secret information, brute-force methods can be used to guess a password.
You might think your password is so easy to remember and type but so obscure, that no-one else would have ever thought of it, but you’re probably wrong.
Here are the top 100 most popular passwords that crop up on the leaked lists:
| 123456 | hello | 12341234 | chelsea | admin123 |
| password | freedom | ferrari | summer | pussy |
| 12345678 | whatever | cheese | 1990 | pass |
| qwerty | qazwsx | computer | 1991 | asdf |
| 12345 | trustno1 | corvette | phoenix | william |
| 123456789 | 654321 | blahblah | amanda | soccer |
| letmein | jordan23 | george | cookie | london |
| 1234567 | password1 | mercedes | ashley | 1q2w3e |
| football | 1234 | 121212 | bandit | 1992 |
| iloveyou | robert | maverick | killer | biteme |
| admin | matthew | fuckyou | meandyou | maggie |
| welcome | jordan | nicole | pepper | querty |
| monkey | asshole | hunter | jessica | rangers |
| login | daniel | sunshine | zaq1zaq1 | charlie |
| abc123 | andrew | tigger | jennifer | martin |
| starwars | lakers | 1989 | test | ginger |
| 123123 | andrea | merlin | hockey | yankees |
| dragon | buster | ranger | dallas | thunder |
| passw0rd | joshwa | solo | password | Michelle |
| master’s degree | 1qaz2wsx | banana | fuckyouasshole | aaaaaa |
In 2017, it was estimated that almost 10% of people used at least one of the 100 most popular passwords and almost 3% of people have used 123456 as their password.
These lists are regularly used for brute-forcing passwords, so anything on this this list should be avoided.
You can check whether your password is on one of the leaked lists using this website: https://haveibeenpwned.com/Passwords
The more complex a password is, the more difficult it will be for brute-force methods to succeed.
Password complexity can be improved by doing one or more (or all) of the following:
It used to be popular to replace letters with numbers that look like their alphabetic counterparts. For example, replace O (oh) with 0 (zero), L with 1 (one), A with 4, S with 5 etc. to created words like:
Baseball = b455b411 password = pa55w0rd secret = s3cr3t
However, the brute-force algorithms have long been wise to this, so this sort of character replacement is one of the first things they try.
The most secure form of password is a long string of random uppercase and lowercase letters, numbers and symbols like this:
zKa4zD#5 (8 chars) $f4qX6rxBU&B (12 chars) 1!^B5qUA$t0iU7l% (16 chars)
The disadvantage of these un-guessable context-free, complex passwords, is that they’re almost impossible to remember and as a result are then written-down – which completely defeats their purpose.
Passwords are often found written on Post-it notes and stuck under keyboards, in front or back covers of notebooks or on computer monitors.
I would always recommend the use of long strong complex passwords in conjunction with a Password Manager. A password manager will generate, remember and enter long strong complex passwords for you, so you don’t need to remember them or write them down.
Read my guide about setting up and using a password manager.
Of course, you’ll still need at least one strong complex memorable password to protect your password manager, so read-on.
If you’re forced to use special characters by someone’s password policy:
Here’s a fun cartoon from xkcd.com
This is a really popular cartoon, so please don’t use correcthorsebatterystaple as your password as I’m certain its now in every password cracking dictionary 🙂
A Password Manager (PM) is a service or app that stores and enters usernames and passwords for you into online services or mobile apps. A good PM will also generate strong passwords for you and also help you identify weak or compromised passwords.
The core concept is that you have a single strong but memorable Master Password that secures your PM. All the passwords for everything else should be complex and impossible to remember or guess (and often tricky to type). This makes them secure. In theory, the only passwords you ever need to remember is the Master Password of your PM and any passwords that can’t be entered for you by your PM. For example, an online banking site that asks you to enter the 3rd, 4th and 8th characters of your password.
Read my post titled Stop using the same password everywhere!
Obvious stuff:
Important stuff:
Scary stuff:
There are a few password managers out there and at time of writing, two popular ones are LastPass and 1Password. Both offer their basic features as a free service. They both also offer a paid-for service for more advanced users.
I’ve been using LastPass for many years and this guide continues assuming you’re using the free service offered by LastPass.
I have personally paid for the more advanced services provided by LastPass and have not received any incentives or payments from either of the two PMs mentioned in this post.
These are non-negotiable tenets that must be adhered-to if you are to realise the protection a PM can offer:
Ignoring any of these Golden Rules will greatly reduce the security of your passwords and the effectiveness of a PM.
Here’s are the steps you’ll be going through to switch over to using a PM:
Choose a strong un-guessable password for your Master Password.
Read my guide here about weak passwords.
content to follow
content to follow
content to follow
content to follow
content to follow
Using the same password everywhere makes everyone’s life easier. It means you can log into your bank, your online shopping, your mailbox and social media without having to remember dozens of passwords.
However, using the same password on multiple online services is like using the same key to unlock your front door, your car, your suitcase and your safety deposit box.
If someone sees your key and makes a copy of it, they can now unlock everything. They can not only steal whatever you’re protecting with that key (money, personal information etc), but they can also impersonate you to steal your friends and family’s money and personal information buy abusing their trust in you.
You might think your password is secure because you’ve not told anyone about it.
You might be guilty of writing it down somewhere, but you’ve kept that private too. So there’s no problem right?
Wrong.
Every time you use a password, it gets sent over the internet. If it’s correct, you get logged in.
In order for an online service to validate your login, it has to know your password – or at least enough about it to ensure what you’ve provided is a match.
If an online service contains security vulnerabilities, it won’t be long before all the usernames and passwords of all its customers will be stolen and end end up online for all to see. Hackers do this for fun and commercial gain.
Yes you can. Check out the website of Troy Hunt: https://haveibeenpwned.com
Troy is a reputable and professional Information Security advisor. He’s been collecting published usernames and password lists over the last few years and has built a free service where anyone can check to see if their email address or username has been leaked.
At time of writing, Troy’s database has over four billion unique username and passwords.
His site also allows you to check whether your password has been publicised. It doesn’t give anything away other than saying that it’s known and that it should never be changed immediately.
The first step is to make a conscious decision to never ever use the same password for any online service ever again. This means having a unique password for every one.
You can do this by enlisting the help of a Password Manager and being tidy and disciplined.
Here’s my guide for setting up and using a Password Manager.
Your password manager is the only place you should store your passwords.
To avoid storing (potentially different) passwords in different places, you should:
More and more online services also give you the option to add an extra layer of security called Two Factor Authentication (2FA) – sometimes called Multi Factor Authentication (MFA).
It sounds complicated, but is actually very straightforward and relatively friction-free.
Here’s my guide to setting up and using Multi Factor Authentication (MFA)
Facebook (this is fixable)
another service such as your mailbox (gmail, outlook etc) that an attacker has used with Facebook’s “forgot password” function (really bad)
your password manager (worst case)
Start using a password manager.
This will ensure you never inadvertently use the same password mire than once. When your login credentials are leaked (because they will be) the damage is then restricted to a single online service which can then be quickly fixed.
The password manager will install an extension or plugin into all detected browsers on you desktop/laptop. This is used to interact with the password managers central store and to enter your credentials for you into your web pages.
For mobile devices, go to your App Store and install the app for your chosen password manager. This will provide the same functionality on your mobile device.
Go through all your commonly used online services and all those where you suspect you might have used the same password.
Change your password on each of these services and use your password manager to generate and store a new secure password.
Your chosen password manager now looks after your passwords. Go into your browser settings and disable “remember passwords”.
Purge any passwords your browser has remembered so it’s list is empty.
Go through the browsers on all your devices and make sure this has been done.
If an online service allows the use of two factor (or multi factor) authentication, turn it on.
This means an attacker not only needs to KNOW your username and password, they also need to HAVE your mobile device in order to log in as you.