Welcome to day four of Tweet Week. Today, we’ll cover security.
I touched on passwords in yesterday’s “Tweet Week: Gone Phishing” post. Today, we’ll take a deeper look at passwords and password security. Some of these don’t specifically apply to Twitter, but I am including them as general security information as well.
Use a Different Login Username Where Possible
One line of defense, which is often overlooked, is your login username. On many services, your login username and your public username are the same, so there’s no benefit there. On others, they can be different. If that’s the case, make sure your login username and your public username are different. For example, you might have a public username of “jsmith” but, instead of using the same for your login username, you might use something like “jsmith793”. Be sure not to use an easily guessed number, such as a birthdate, graduation year or age.
Using a different login username offers an extra layer of protection, because someone trying to access your account would need to know not only your password but your username as well!
Of course, this is not always effective, simply because many sites are not designed with security in mind. Some sites may let you have a login username that differs from your public username, but also let you log in using your eMail address. That defeats the security benefit of having a private login name, since someone could simply use your eMail address instead of trying to figure out your private login name!
Since a private login is not possible with Twitter, what you’ll want to do is make sure you don’t use your Twitter username as your login username on any important account, such as a banking account. If people know your username is “jsmith,” you don’t want to make it a step easier for them to log in to your banking account using “jsmith” and guessing at a password!
Use a Special eMail Address When Possible
As mentioned yesterday, when possible, use different eMail addresses for different purposes. If you use “firstname.lastname@example.org” for your primary eMail—one that many people will see—use something different for accounts you want to keep more secure. For your banking, for example, you might want to use something like “email@example.com”. Make it hard for people to guess your username, what eMail address you are using and your password!
Use a Strong Password!
A “strong” password is not your cat’s name. It is not your birthdate. And, it is most definitely not “password”! Ideally, your password should be a mixture of upper and lower case letters, numbers and special characters. On some sites, you are limited to letters and numbers only. Some sites may not even have case-sensitive letters in passwords, but most modern sites do.
Make the password as long as possible too. If you can have an 8 character password, use an 8 character password. If you can use 16 characters, use 16 characters. If you can use 256 characters, well, that’s a lot to type, so that’s up to you! But the bottom line is to make the password as long as possible.
Don’t use words as passwords either. Dictionary attacks and such can be used to break these!
It is also important to use different passwords for different sites and services. Many banking and financial institutions, as well as numerous other sites, will place a limit on the number of times you can enter an incorrect password to log into an account. That provides extra protection for you. But, some sites don’t have those security measures and will let you keep trying until you successfully login.
So, if you use the same password on multiple sites, all someone needs to do is utilize the sites with poor security measures to discover your password. Then, they can use your password to login to your banking account, if you are using the same password everywhere!
What does a secure password look like? It looks something like this: 8u!@*Jhwn+092lK#2g
Hard to guess. Hard to crack.
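To make the rules above concrete, here is an added checker (not code from the post) that applies them: minimum length, all four character classes, and no dictionary word hiding under a few digits. It also estimates the brute-force search space in bits, which is what “hard to crack” means in practice. The word list is a constructed stand-in; a real check would load a full dictionary file.

```python
import math
import string

# Constructed mini word list standing in for a real dictionary (assumption:
# a deployment would load a full wordlist file here).
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "fluffy", "monkey"}

CLASS_SIZES = {
    "lower": 26,
    "upper": 26,
    "digit": 10,
    "special": len(string.punctuation),
}


def check_password(pw: str, min_len: int = 8) -> dict:
    """Apply the post's rules: length, mixed character classes, no dictionary words."""
    classes = {
        "lower": any(c in string.ascii_lowercase for c in pw),
        "upper": any(c in string.ascii_uppercase for c in pw),
        "digit": any(c in string.digits for c in pw),
        "special": any(c in string.punctuation for c in pw),
    }
    # Alphabet an attacker must brute-force, built from the classes actually used
    alphabet = sum(CLASS_SIZES[k] for k, used in classes.items() if used)
    # Size of the search space expressed in bits (log2 of alphabet**length)
    bits = len(pw) * math.log2(alphabet) if alphabet else 0.0

    # Dictionary attack: the password itself, or the password with digits and
    # symbols stripped ("Fluffy2009" -> "fluffy"), is a common word
    stripped = "".join(c for c in pw.lower() if c.isalpha())
    dictionary_hit = pw.lower() in COMMON_WORDS or stripped in COMMON_WORDS

    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    missing = [k for k, used in classes.items() if not used]
    if missing:
        problems.append("missing " + ", ".join(missing))
    if dictionary_hit:
        problems.append("dictionary word")
    return {"bits": round(bits, 1), "problems": problems, "strong": not problems}
```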
Watch Out for Keyloggers!
Even with weak security measures, it can be a time-consuming task to find out someone’s password. And, with limits on erroneous logins used by some services, it’s not easy to keep trying. So, some would-be thieves will use alternate, easier methods of gaining your password: they “watch” you type it!
Keylogging applications can be secretly installed on your computer (typically when visiting a bad website). They keep track of what keys you press and send that data to the thief. So, when you login to your banking account, the keylogging software sends that information to the thief. Now, he can log into your account!
If your computer system is harboring one of these applications, it doesn’t matter how secure your password is!
Change Your Password Regularly
On top of having secure passwords, change those passwords regularly! That way, even if someone should stumble upon your password, it won’t be useful for very long.
Where Available, Get a Secure Login Key
Some services offer an extra layer of protection through a security key. Twitter does not currently offer this, but sites like PayPal and eBay do. You can purchase a special key or use your cell phone. When you go to log in, in addition to your username and password, you also have to enter a special keycode. This will be generated by your key or can be sent via text message to your cell phone. Without that keycode, you cannot log in, except by answering security questions, which I covered yesterday. So, even if a thief had used a keylogger or something to get your username and password, in all likelihood, they will not be able to get a valid keycode to log in. The keycode expires after 30 seconds, so that makes for a very small window for a keylogger to transmit the data in time for the thief to try to use it!
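The 30-second keycode described above behaves like a time-based one-time password. As an added illustration (not code from the post or from any vendor's key), this assumes the RFC 6238 construction, HMAC-SHA1 over a counter that advances every 30 seconds, and shows why a code captured by a keylogger is worthless once the window rolls over. The secret and timestamp are the RFC's published sample values.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 8) -> str:
    """HMAC-SHA1 one-time code for a counter value (RFC 4226 construction)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks the slice
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def keycode(secret: bytes, now: int, step: int = 30, digits: int = 8) -> str:
    """What the key or phone displays: the counter is the current 30-second window."""
    return hotp(secret, now // step, digits)


def verify(secret: bytes, code: str, now: int, step: int = 30, digits: int = 8) -> bool:
    """Server side: accept only the code for the current window.
    Assumption: no clock-drift tolerance; real services often also accept
    the adjacent window, which still bounds replay to about a minute."""
    return hmac.compare_digest(keycode(secret, now, step, digits), code)


# Constructed demonstration using the RFC 6238 sample secret
SECRET = b"12345678901234567890"


def replay_demo() -> dict:
    """A keylogger captures the code typed at t=45s; does it still work later?"""
    t_user = 45
    stolen = keycode(SECRET, t_user)
    return {
        "stolen": stolen,
        # 10 seconds later: same 30-second window, so the replay succeeds
        "same_window": verify(SECRET, stolen, t_user + 10),
        # 31 seconds later: window has rolled over, the stolen code is rejected
        "next_window": verify(SECRET, stolen, t_user + 31),
    }
```

The same counter arithmetic is why a key and the server must agree on the time: a phone whose clock is minutes off will produce codes the server never accepts.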
Be Careful to Whom You Give Your Twitter Password
Of course, you should be careful with any password, especially those for important accounts like your eMail account or bank account. But, you also need to be careful with your Twitter password, especially if your security efforts are lax elsewhere!
Many sites and services ask for your Twitter password, and many people hand it right over!
The first thing you should do is question why they need your password. To validate that you own the account? That’s not a good reason! I can validate account ownership by sending a tweet or a direct message. In my opinion, no one needs your Twitter password to validate your account. If they say they do, that should raise a red flag!
Some will try to break down your defenses by offering money or prizes. They want to pay you money so, you think, validating your account makes sense. But, again, account validation can be done through a tweet or DM. They don’t need your password and the offer of money or prizes may just be a scheme to loosen your fingers!
Of course, some services will need your Twitter password. If a service is going to be sending out tweets for you, such as sending out tweets at scheduled intervals, then that service will need access to your account to do so. If you want to manage your Twitter account through a different website service or through a desktop application, those services and applications will also need your Twitter password.
But, you always need to be careful. Be especially careful of new and unknown sites that pop up with Twitter tools and whatnot. Even if the service itself is perfectly legit, if it has poor security measures and someone can hack into their website and grab your username and password details, you’re toast!
Carefully screen any application or service that wants or needs your Twitter password. And think about whether it really needs your password.
That’s all for today. Please come back tomorrow for day five of Tweet Week!