It is very easy for an individual to maintain a good online hygiene. The amazing thing about it is that most online service providers for example, Facebook, Twitter, Gmail, Yahoo and even WhatsApp want to maintain their customers’ confidence, comply with privacy and security regulations, and most importantly don’t want to shed off their reputation and financial benefits as a result of a data breach. As a result, they make certain security measures available for users to protect their account without asking the users to pay for those security measures. Of course, you don’t need a soothsayer to know that any online service that offers services for free is making you (your information) the product that they are selling to others. It is said that “if you weren’t paying for a service it was a sure sign that you were the product rather than the consumer.”
Some service providers provide such measures just for compliance sake and not because they care about the users. As such, most of them do not even inform the users of the security measures available; it is left for the users to discover those measures themselves and start using them. Most people don’t know that Facebook, WhatsApp, Yahoo, and Google etc. all have better ways to secure their accounts other than username and password. The reason why service providers choose the latter option goes thus: all that service providers care about is “convenience” and not security. They want users to be able to access their services without any difficulty. And if they were to make security a priority, it would be less convenient for users to access the services they provide. And if it is less convenient for users, the service providers will incur financial loss.
Service providers don’t force you to secure your account(s) because you are the one that will be affected if your account is hacked. Even if their database/server is breached, it is your information that will be stolen and not theirs. It costs them more to carter for the additional security measures for users. So, it is to their advantage that you don’t use it provided they have fulfilled their due care and due diligence obligations.
The bottom line is that it is left for you to search for the best security measure supported by any online service you are using and enable them for your own safety.
Below are the simple things you could do to ensure a good online hygiene:
- Never re-use one password on two different services. For example, don’t use the same password for your email address and Facebook accounts. This is because if your email is hacked and the password is discovered then your Facebook is also in trouble;
- Make sure that your password recovery option is far more secure than the service you use it to recover. The reason is that if the service like Facebook has a very strong password but your email that you use to recovery your Facebook account if you forget the password is weak, then an attacker will just hack your email and utilise it in recovering your Facebook password.
- Don’t share an account with anyone. If you share an account with someone, you have to give the person whom the account is shared with the password. The reason behind not sharing account is that you cannot control where the person will keep the password and they can even use it as a password on another service. Instead of sharing a password let them create their own account.
- Choose a password you can remember, but make sure that is at least 8 characters, and that it is not a word that could be found in a dictionary. If your password is a word in the dictionary, with dictionary attack, the password would be discovered in milliseconds.
- Don’t choose a hard-to-remember password. You will tend to use the same format or to just change one letter or two when you want to create other passwords, so that you won’t forget. The fact is: the strength of a password is not how difficult it is; not how many characters you combined but how long (entropy) it is. The entropy is what will make it more difficult to be discovered and not how many letters you combined.
- Don’t write your passwords down and label it “password.”
- Use a password manager to store your password, this will help you to choose good password as you don’t need to remember them.
- Never use your name, name of a relative or an acquaintance, date of birth etc. as your password. It is funny that some use their date of birth for ATM card PIN.
- Don’t click on any link you see to enter your password. Hackers could design a fake website to look exactly as the original site. If you enter your password on the fake one, the hacker would then use it to access your real account – this called phishing attack.
- Don’t create an account you know you don’t need.
- Never read your account credentials to anyone on phone, email, chat, SMS etc., as some hackers pretend to be someone you know in order to con you to give them your credentials – this is called social engineering.
- Never trust, and always verify links, emails, SMS, even phone calls. If you can’t verify, then reject them, unless you’re sure that the risk is worth taking.
- Most importantly, enable two-factor authentication on all your accounts that supports it. Two-factor (2FA) authentication means that you must present two different independent credentials (e.g. password and one-time code, password and biometric, a physical hardware token such as ATM card and the PIN etc.) to access your account. This will make it very difficult to access your account with just your stolen password. The attacker still needs a code sent to your phone or generated on a One Time Password (OTP) software. You don’t pay for the code sent via SMS. Also, there are many free OTP softwares to download and use for example Google authenticator, Microsoft authenticator. Facebook, emails, Dropbox, WhatsApp and others supports two-factor authentication, but you have to go to security/privacy settings to turn them on.
Non adherence to the above-stated safety measures could wreck damaging havoc on a service user, and spell costly consequences.