Six easy web security tips for non-techies
If you consider yourself a non-techie, read these and incorporate them into your online life. They’ll bring you a lot more security and peace of mind. If these are things you already know, I’d love to hear from you in the comments. What things have you done to persuade non-techies to be safer? And what additional tips do you have?
- Get a good password
- When your account is sending spam, change your password immediately
- Know what websites you’re logging into
- When in doubt, don’t click or enter your password
- Know the basics of how web addresses (URLs) work
- Use search to find out more if you’re wary of a site
1. Get a good passwordThe only thing that amazes me more than seeing some of the weak passwords people have is how much people stress out when it’s suggested they should have better passwords, as though they were asked to memorize a 28-digit number needed to defuse a bomb.
A good, single password is as simple as this: come up with one strong password and then come up with a simple convention so that the password is unique to each site you log into.
For example, start with your strong core password¹ that is, say, your first pet’s name with the first three digits of your first phone number: cocoa347. Then you need a convention, say the second and third letters of the site you’re using, so when you log into Facebook, you’d use cocoa347ac, and for your Google account, you’d use cocoa347oo.
For additional security, replace letters with numbers (zeros for 0s, threes for Es, etc) and have different core passwords for different types of sites (financial gets one core password, social sites gets another, etc).
The main goal of a strong password is simply to have something that a spammer using a program that randomly generates and tries passwords can’t guess. The chances of someone researching you and trying to figure out your password are very, very slim, so the most important thing is that you have something that would be tough for a computer to guess. Easy things for a computer to guess are strings of numbers (like your birthday) or extremely common words like “password”.
But don’t stress out about it. You can remember one password and one convention, right? So there’s no reason not to make it a good one.
Get more info on this great guide to strong passwords at Lifehacker.
2. When your account is sending spam, change your password immediatelyThe same advice goes whether it’s on Facebook, on Twitter, in your email account or any service: if you find that spam messages are being sent using your account, you should immediately change your password. Somehow, a spammer’s computer program got ahold of your username and password and is using it to send out messages. Simply changing your password will prevent that program from automatically sending out more messages through your account.
As a slightly picky but important note: people that this happens to often say that their account has been “hacked”, but this isn’t the case. Spammers use a process called “phishing”, where they trick users into thinking they’re simply logging in to a safe site, when they’re actually just giving their username and password over to the spammers to use as they wish. If this happens to you, this is almost certainly what happened.
3. Know what websites you’re logging intoVery simple, but very important: when you enter in your username and password into a website, be absolutely sure that it’s the website you think you’re logging into. How can you be absolutely sure? For starters, make sure that the web address (URL) matches exactly what it’s supposed to be. See point five below on how to identify the right site.
It can be a little confusing sometimes, since many sites that have login now have ways that you can use your account from another service, but Facebook, Twitter and Gmail now have ways that you can login using your account on those services where you are only entering your info on pages that are part of their site, so if you’re signing into a site that tells you that you can login with your Facebook account, you should be redirected to a facebook.com page to enter in your username and password. If you’re not, don’t enter in your username and password.
4. When in doubt, don’t click or enter your passwordSpammers and hackers like to use other people’s accounts precisely because they want to send you messages from people you trust. Even if it comes from a close friend of family member, if it seems suspicious, trust your instincts and don’t click, and certainly don’t enter your password. True, you might miss out some funny video, but you also might miss out getting a virus or having your account information stolen.
Related, when you’re sending friends a link, make sure you make it’s clear that it’s you and that there’s a good reason you’re sending it along. DO NOT send a link with the subject “Really cool!” and then nothing but a link in the message.
5. Know the basics of how web addresses (URLs) workDon’t panic here. This is a little more complex, but a little knowledge can go a very long way.
In a web address, the two most important parts are domain name (facebook, twitter, google, etc) and the part that immediately follows (.com, .edu, .org, etc) that identifies what type of domain it is.
The basics on identifying a correct domain name are:
- Making sure that the domain name has either a dot or nothing (ie, just reads “http://”) in front of it
- Making sure that the identifier (.com, etc) has either nothing or a slash immediately after it
http://www.facebook.com.583889.cn/pagename/member/7897890The only safe one here is the second one. In the first one, there’s a dot immediately after .com, and the site you’re actually going to is 583889.cn, which you can see by where that first slash is. In the second URL (the correct one), it’s identifiable as the right one because there’s a slash immediately following the .com and nothing in front of facebook, and in the third one, notice that there’s no dot in between www and facebook, which means that the domain is actually wwwfacebook.com. Don’t get distracted by all the page names and sections after the domain. The only thing you need to be concerned with is what’s immediately before and immediately after the domain that you want: facebook.com
If you’re still confused, it’s very simple: if you’re ever at all wary of a link, just type in the address yourself and go to the section of the site that the link was directing you to. For example, if you get an email from Suntrust that tells you to follow a link to verify your information, don’t click on the link, and instead, type suntrust.com into your browser and log in there. That’s the simplest way to ensure you’re logging in to the site you think you’re logging in to.
6. Use search to find out more if you’re wary of a siteSometimes, even reputable companies use other domains besides the one you’re used to seeing. If you see one of those and don’t know if it’s part of the reputable organization, you can put it into a search on Google or Bing and almost always get information on what it is. For instance, today I noticed my iGoogle page asking for permission to send information to gmodules.com. I put that into a search and pretty quickly found that it was part of Google itself and was used for the modules on iGoogle. I had figured that, but wanted to be sure. There’s a lot of information. Use it.
And hey…let’s be careful out there.
¹ It should probably go without saying that this is not even remotely close to any of my passwords.