Cyber Security Basics: The Strong Login
What is the easiest way a hacker can break into your website or network? Being able to easily guess a valid user login and gain access to a registered account. Once a hacker has gained access to an account, even one with only limited access, the hacker can use methods to escalate that account's access even up to full admin level! Having a strong login on all accounts is your first and best line of defense against getting hacked.
What the Login Consists Of
The login typically consists of a User ID and a Password. Sometimes there may be an email address, phone number or set of security questions also attached to it. Some other types of data can also be used here, but the User ID and Password are the minimum and the most common.
The User ID
This identifies who the user is, and it has to be unique. The User ID can be an email address, an ID number or a unique name. It can be assigned to the user, or chosen by the user. It is one of the critical bits of information needed to access that user's account.
Because the User ID is part of logging into the system (website, network, etc) it does need to be protected. Sadly, most websites and networks don't give any priority to protecting this info. In fact, many will even show it off all over the place, such as showing it as the author of content, for example. This means a hacker can just scan the website for valid User IDs and be one step closer to gaining unauthorized access.
I have previously written about what makes a good User ID before and you can read the section “What Is a Good Username?” from my earlier article “How to Keep Your Website Site Secure From Hackers” to find out more about how to be secure in your User ID.
This is another part of accessing a user's account. It is the way of deciding if the person or device attempting to access that account or system should be allowed to. This is done as a secret code that can be made of words, names, numbers, and symbols. In a good system, it should be anything you can type on your keyboard. Unfortunately, some systems will limit you to just letters, or numbers and not allow you to type certain things in.
The idea is that only the account's owner knows this code so if anything uses it, then it must be the owner. This is often the final step in a process called “Authentication” which means verifying that anyone or anything attempting to access a secured system, should be allowed to.
Passwords are thankfully given the attention to secrecy they should be by the vast majority of systems. Where they tend to break down is with the people. People will reveal their password to someone else, or will make it too easy to guess. Now it's not just the owner who knows it, but others too know it too, or can figure it out. Once a secret is out, it's not a secret any more.
To find out more about how to make sure your password is a good one, you can read the section “What Makes a Strong Password?” in “How to Keep Your Website Site Secure From Hackers”.
2 Step Authentication (2-Factor Authentication)
You may have heard this term before from other websites. Usually, this would be when they recommend that you add it in to make your account more secure. They will typically ask for such info as your cell number to send a verification code to.
The idea behind this is that whenever anyone attempts to log in to your account, you get sent a temporary verification code or password that's only valid for a few minutes. This is often sent as a text message to a phone you registered for this purpose, but other methods also exist. Anyone attempting to log in then has to enter this code in as well as your password, creating a second layer of verification that makes it harder for a hacker to log in.
This is based on the fact that you will have the phone (or other device) that this code goes to. So a hacker attempting to break in will not be able to get this second password. He also will not have enough time to brute force it with all possible variations the system could generate. While it's not infallible, it does make your account significantly harder to break into. This can also serve as an early warning system that someone is trying to hack your account. If you start getting verification codes when you're not attempting to log in yourself, someone else must be!
One of the main areas where this system can fail is again in the human equation. For example, a hacker can call your cell company pretending to be you, and get an employee who's overly eager to help to redirect calls/text messages to their own device. Now you don't get the notice, the hacker does.
That is why it's so vital that you be patient with your service providers when they're being strict about verifying who is calling. When they do that, they're only trying to protect you from a scammer calling and impersonating you for some nefarious purpose. Insist that they have good verification policies and that they enforce them. Even if it may be a hassle to you sometimes, it sure is an immensely greater hassle to have an overly easy customer support team give away your account to a hacker pretending to be you!
What to Protect
Anything that can be used to gain access to your accounts. Period. If possible, have the publicly displayed username be different from the one you log in with.
I'd love to hear about it in the comments below.
In short, use every bit of security features your accounts have to offer and keep all info that can be used to log in to your accounts secret.
Do you have any stories about being hacked? Do you have any questions about how to prevent getting hacked? I'd love to hear about it in the comments below.