Being a happily married woman, the news of a hack on the eHarmony dating site was not much of a concern for me. However, as an avid LinkedIn user, the hack that occurred on that particular business/social networking site caught my attention. Fortunately, my need for concern was small because I follow a few simple password rules. In light of the number of people asking me about these hacks, I thought it might be a good time to share my rules to help others. A quick caveat: the advice in this post could certainly be disputed by security industry experts. It is intended for the beginner/novice/basic internet user, to help them avoid the most fundamental attacks, and it is based on the reality of what people actually do rather than on best practices.
My first rule is that I never attach my work email to anything other than work-related sites. Just imagine the horror that LinkedIn users felt if their LinkedIn username and password were the same as those for their online banking account! Your LinkedIn account was likely set up with your professional email address; therefore, if the site is hacked, it’s reasonable to assume that the hackers will get that email address. While many would consider this “quasi-public” information, since a simple Google search would reveal it to most, it is still a piece of the puzzle that hackers can use. If the email address you use for a social networking site is the same one you use for your online financial and/or shopping sites, a hacker now has an important piece of personal information about you that may be used to access those sites. A good practice is to have at least two personal email accounts: one used for important, sensitive, highly confidential sites like online banking and shopping, and another used for things like newsletters, personal hobby sites, friends and family contacts, and personal social networking.
My second rule is that I never use the same password for social networking sites that I use for important, sensitive personal accounts, and certainly not the same password as for my work account. Most security experts will tell you that you should have a different, complex password for every site you use and change it frequently. While these are certainly best practices, and are/should be strictly enforced in business environments, the reality is that far too many of us don’t practice these rules in our personal online activities. If you are one of the untold millions who use the same password for every online account, I implore you to use a special complex password for your financial and online shopping accounts, a different complex password for your social networking sites, and a different complex password for your non-sensitive, online accounts. Examples of non-sensitive online accounts would be a recipe website, a sports team website, or a website that provides research or other white papers relevant to your profession.
My final rule is that I never, ever use unsecured public Wi-Fi networks for anything other than simply browsing to pass time. Never, ever use unsecured “free” Wi-Fi to check email, log in to work accounts, or visit financial or shopping websites. While many people have been trained to look for the “HTTPS” in the URL address bar and the little lock at the bottom of the screen, there can be browser vulnerabilities that allow the HTTPS indicator to be faked or “spoofed”, fooling the user into thinking it is safe to log in to a site. As a general rule, HTTPS is safe, but the novice or basic internet user should exercise extra caution on unsecured Wi-Fi and simply not do anything that requires a username and password, especially if you aren’t following my two rules above about account segregation and passwords.
Simple rule #1 – Do NOT use your professional email address for your personal financial or shopping online accounts. Use separate email accounts for your personal financial accounts and your personal hobby/social sites. I know…now you need to have THREE email accounts with THREE different passwords; what a pain! But believe me, this segregation of your online financial, personal and professional lives goes a long way toward keeping you safe when a site is hacked.
Simple rule #2 – Never use the same password for social networking sites that you use for your work account or important, sensitive personal accounts, such as online banking or any site where your financial information could be accessed.
Simple rule #3 – Never use unsecured “free” Wi-Fi to check email, log in to work accounts, or visit financial or shopping websites.
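As an added illustration of rules #1 and #2 (this script is not part of the original post), here is a small Python audit you can run locally against an inventory of your own accounts. It flags any non-work site registered with your work email, and any single password that spans more than one sensitivity tier (work, financial, social, non-sensitive). The employer domain, the sample sites and the passwords are all constructed placeholders; the only-one-password-per-tier model is exactly the compromise the post describes, so two financial sites sharing a password are not flagged.

```python
import hashlib
from collections import defaultdict

# Assumed employer domain (placeholder) used to recognise a work email address.
WORK_DOMAINS = {"example-employer.com"}

# Constructed sample inventory. Tiers follow the post's three-way split plus "work".
# In real use you would type your own entries here on your own machine; nothing is
# sent anywhere and only a digest of each password is ever compared.
SAMPLE_ACCOUNTS = [
    {"site": "payroll.example-employer.com", "tier": "work",
     "email": "jane@example-employer.com", "pw": "W0rk-Only-Pa55"},
    {"site": "bank.example", "tier": "financial",
     "email": "jane@example-employer.com", "pw": "Sunshine2012"},
    {"site": "shop.example", "tier": "financial",
     "email": "jane.money@mail.example", "pw": "Sunshine2012"},
    {"site": "linkedin.example", "tier": "social",
     "email": "jane@example-employer.com", "pw": "Sunshine2012"},
    {"site": "recipes.example", "tier": "nonsensitive",
     "email": "jane.fun@mail.example", "pw": "cookies!"},
]


def pw_fingerprint(password):
    """Short SHA-256 digest used only to tell whether two of *your own* passwords
    are identical; this is not a storage format and must never be used server-side."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:16]


def is_work_email(email):
    """True when the address belongs to one of the configured employer domains."""
    return email.rsplit("@", 1)[-1].lower() in WORK_DOMAINS


def audit(accounts):
    """Return a list of (rule, sites, message) findings for the given inventory."""
    findings = []

    # Rule #1: a work email address belongs only on work-tier sites.
    for acct in accounts:
        if acct["tier"] != "work" and is_work_email(acct["email"]):
            findings.append(("rule1", acct["site"],
                             "work email used on a %s site" % acct["tier"]))

    # Rule #2: one password must not be shared across different tiers.
    tiers_by_fp = defaultdict(set)
    sites_by_fp = defaultdict(list)
    for acct in accounts:
        fp = pw_fingerprint(acct["pw"])
        tiers_by_fp[fp].add(acct["tier"])
        sites_by_fp[fp].append(acct["site"])
    for fp, tiers in tiers_by_fp.items():
        if len(tiers) > 1:
            findings.append(("rule2", ", ".join(sorted(sites_by_fp[fp])),
                             "same password across tiers: " + ", ".join(sorted(tiers))))
    return findings


if __name__ == "__main__":
    for rule, sites, message in audit(SAMPLE_ACCOUNTS):
        print("%s  %-45s %s" % (rule, sites, message))
```

Running it on the constructed inventory reports the bank and LinkedIn entries under rule #1 (work email on a financial and a social site) and one rule #2 finding for the password shared between the financial and social tiers. The payroll entry is not reported, because a work email on a work site is exactly what rule #1 asks for.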
Suffering financial losses due to poor password practices is one of the most preventable types of scams out there. Don’t be an easy target and victim.