In the last couple of months, I've seen friends of mine have their email, Twitter and/or Facebook accounts used to send out spam, and I've had a couple of conversations with friends and family about how to increase their security online. This post, as you've probably already guessed, is a package of those conversations to help out those folks that still think of these issues as "computer stuff", when they are simple and necessary steps to living a more secure online life.
If you consider yourself a non-techie, read these and incorporate them into your online life. They'll bring you a lot more security and peace of mind. If these are things you already know, I'd love to hear from you in the comments. What things have you done to persuade non-techies to be safer? And what additional tips do you have?
The sum:
- Get a good password
- When your account is sending spam, change your password immediately
- Know what websites you're logging into
- When in doubt, don't click or enter your password
- Know the basics of how web addresses (URLs) work
- Use search to find out more if you're wary of a site
1. Get a good password
The only thing that amazes me more than seeing some of the weak passwords people have is how much people stress out when it's suggested they should have better passwords, as though they were asked to memorize a 28-digit number needed to defuse a bomb.

A good, single password is as simple as this: come up with one strong password and then come up with a simple convention so that the password is unique to each site you log into.
For example, start with your strong core password¹ that is, say, your first pet's name with the first three digits of your first phone number: cocoa347. Then you need a convention, say the second and third letters of the site you're using, so when you log into Facebook, you'd use cocoa347ac, and for your Google account, you'd use cocoa347oo.
For additional security, replace letters with numbers (zeros for Os, threes for Es, etc) and have different core passwords for different types of sites (financial gets one core password, social sites get another, etc).
The main goal of a strong password is simply to have something that a spammer using a program that randomly generates and tries passwords can't guess. The chances of someone researching you and trying to figure out your password are very, very slim, so the most important thing is that you have something that would be tough for a computer to guess. Easy things for a computer to guess are strings of numbers (like your birthday) or extremely common words like "password".
But don't stress out about it. You can remember one password and one convention, right? So there's no reason not to make it a good one.
Get more info on this great guide to strong passwords at Lifehacker.
2. When your account is sending spam, change your password immediately
The same advice goes whether it's on Facebook, on Twitter, in your email account or any service: if you find that spam messages are being sent using your account, you should immediately change your password. Somehow, a spammer's computer program got hold of your username and password and is using it to send out messages. Simply changing your password will prevent that program from automatically sending out more messages through your account.

As a slightly picky but important note: people that this happens to often say that their account has been "hacked", but this isn't the case. Spammers use a process called "phishing", where they trick users into thinking they're simply logging in to a safe site, when they're actually just giving their username and password over to the spammers to use as they wish. If this happens to you, this is almost certainly what happened.
3. Know what websites you're logging into
Very simple, but very important: when you enter your username and password into a website, be absolutely sure that it's the website you think you're logging into. How can you be absolutely sure? For starters, make sure that the web address (URL) matches exactly what it's supposed to be. See point five below on how to identify the right site.

It can be a little confusing sometimes, since many sites now let you log in using your account from another service. Facebook, Twitter and Gmail all offer this, but you should only ever be entering your info on pages that are part of their own site. So if you're signing into a site that tells you that you can log in with your Facebook account, you should be redirected to a facebook.com page to enter your username and password. If you're not, don't enter your username and password.
4. When in doubt, don't click or enter your password
Spammers and hackers like to use other people's accounts precisely because they want to send you messages from people you trust. Even if it comes from a close friend or family member, if it seems suspicious, trust your instincts and don't click, and certainly don't enter your password. True, you might miss out on some funny video, but you also might miss out on getting a virus or having your account information stolen.

Related: when you're sending friends a link, make sure it's clear that it's you and that there's a good reason you're sending it along. DO NOT send a link with the subject "Really cool!" and then nothing but a link in the message.
5. Know the basics of how web addresses (URLs) work
Don't panic here. This is a little more complex, but a little knowledge can go a very long way.

In a web address, the two most important parts are the domain name (facebook, twitter, google, etc) and the part that immediately follows it (.com, .edu, .org, etc) that identifies what type of domain it is.
The basics on identifying a correct domain name are:
- Making sure that the domain name has either a dot or nothing (i.e., just reads "http://") in front of it
- Making sure that the identifier (.com, etc) has either nothing or a slash immediately after it
Take these three addresses:
http://www.facebook.com.583889.cn/pagename/member/7897890
http://facebook.com/pagename/member/7897890
http://wwwfacebook.com/pagename/member/7897890
The only safe one here is the second one. In the first one, there's a dot immediately after .com, and the site you're actually going to is 583889.cn, which you can see by where that first slash is. In the second URL (the correct one), it's identifiable as the right one because there's a slash immediately following the .com and nothing in front of facebook, and in the third one, notice that there's no dot in between www and facebook, which means that the domain is actually wwwfacebook.com. Don't get distracted by all the page names and sections after the domain. The only thing you need to be concerned with is what's immediately before and immediately after the domain that you want: facebook.com
If you're still confused, it's very simple: if you're ever at all wary of a link, just type in the address yourself and go to the section of the site that the link was directing you to. For example, if you get an email from Suntrust that tells you to follow a link to verify your information, don't click on the link, and instead, type suntrust.com into your browser and log in there. That's the simplest way to ensure you're logging in to the site you think you're logging in to.
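The two rules of thumb above (the domain must have a dot or nothing in front of it, and nothing or a slash right after it) can be written down as a small check. This is an added example, not code from the original post; the three sample URLs are the ones discussed above, and the helper names are my own. It goes slightly beyond the post in that it also treats a missing "http://" and a "user@host" prefix correctly, because the URL parser only ever looks at the real host.

```python
from urllib.parse import urlsplit

# Constructed sample URLs mirroring the three from the post: only the
# second one actually belongs to facebook.com.
SAMPLE_URLS = [
    "http://www.facebook.com.583889.cn/pagename/member/7897890",
    "http://facebook.com/pagename/member/7897890",
    "http://wwwfacebook.com/pagename/member/7897890",
]


def registered_host(url: str) -> str:
    """Return the host part of a URL, lower-cased, without a trailing dot.

    urlsplit() stops the host at the first '/', so page names, sections
    and ids after that slash are ignored, exactly as the post advises.
    Anything before an '@' (user info) is not part of the host either.
    """
    if "://" not in url:
        url = "http://" + url  # typed-in address without a scheme
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def is_expected_site(url: str, expected_domain: str) -> bool:
    """True only if the URL's host IS expected_domain or a subdomain of it.

    Encodes the two rules from the post: the expected domain may be
    preceded only by nothing or a dot (e.g. 'www.') and must run to the
    end of the host, so 'facebook.com.583889.cn' and 'wwwfacebook.com'
    both fail.
    """
    host = registered_host(url)
    expected = expected_domain.lower()
    return host == expected or host.endswith("." + expected)


def classify(urls, expected_domain):
    """Map each URL to True (really the expected site) or False (look-alike)."""
    return {u: is_expected_site(u, expected_domain) for u in urls}


if __name__ == "__main__":
    for url, ok in classify(SAMPLE_URLS, "facebook.com").items():
        print("OK  " if ok else "WARN", registered_host(url), "<-", url)
```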
6. Use search to find out more if you're wary of a site
Sometimes, even reputable companies use other domains besides the one you're used to seeing. If you see one of those and don't know if it's part of the reputable organization, you can put it into a search on Google or Bing and almost always get information on what it is. For instance, today I noticed my iGoogle page asking for permission to send information to gmodules.com. I put that into a search and pretty quickly found that it was part of Google itself and was used for the modules on iGoogle. I had figured that, but wanted to be sure. There's a lot of information. Use it.

And hey...let's be careful out there.
¹ It should probably go without saying that this is not even remotely close to any of my passwords.
