The Hitchhiker’s Guide to Security
(Don’t) Know Thy Password
If you know what your password is, it’s insecure. Let me clarify: if your password is simple enough to memorize, you probably reuse it across multiple services, so a breach at any one of those services exposes every account that shares the password. Password managers are all around us today (LastPass or Dashlane) and even baked into our computers (the Keychain app on Macs). They make it easier than ever to generate, save, and use super secure passwords. Here are some dos and don’ts from How-To Geek on how to create strong passwords.
- Create a password with at least 12 characters
- Include numbers, symbols, capital and lower-case letters and mix them up
- Don’t use a simple word or a combination of simple words (e.g., bicycle or red bicycle)
- Don’t rely on obvious substitutions for letters (e.g., b!cycle or r3d b1cycle)
Here’s a link to that article for more info and ideas.
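To make the four rules above concrete, here is an added example (not from the article or from How-To Geek) that checks a candidate password against each rule and generates one that passes them all, the way a password manager would. The small word set and the substitution table are constructed for illustration; a real checker would load a large wordlist.

```python
import re
import secrets
import string

# Constructed stand-in for a dictionary; a real checker would load a large
# wordlist (assumption: this set is only illustrative).
COMMON_WORDS = {"red", "bicycle", "password", "summer", "welcome", "dragon", "monkey"}

# The obvious letter substitutions the article warns about (b!cycle, r3d b1cycle).
LEET_MAP = str.maketrans({"!": "i", "1": "i", "3": "e", "4": "a", "@": "a",
                          "0": "o", "$": "s", "5": "s", "7": "t"})

def undo_substitutions(pw):
    """Map 'r3d b1cycle' back to 'red bicycle' so it is judged as the words it hides."""
    return pw.lower().translate(LEET_MAP)

def is_simple_words(pw, undo=False):
    """True when the password is only dictionary words separated by spaces, hyphens or underscores."""
    text = undo_substitutions(pw) if undo else pw.lower()
    tokens = re.split(r"[\s\-_]+", text.strip())
    return all(t.isalpha() and t in COMMON_WORDS for t in tokens)

def check_password(pw):
    """Return the list of article rules the password fails; an empty list means it passes all of them."""
    failures = []
    if len(pw) < 12:
        failures.append("fewer than 12 characters")
    has_class = (any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw),
                 any(c.isupper() for c in pw), any(c.islower() for c in pw))
    if not all(has_class):
        failures.append("missing digits, symbols, upper- or lower-case letters")
    if is_simple_words(pw):
        failures.append("simple word or combination of simple words")
    elif is_simple_words(pw, undo=True):
        failures.append("obvious substitutions for a simple word")
    return failures

def generate_password(length=16):
    """Generate a password that satisfies every rule, the way a password manager would."""
    if length < 12:
        raise ValueError("article rule: at least 12 characters")
    rng = secrets.SystemRandom()
    pools = (string.digits, string.punctuation, string.ascii_uppercase, string.ascii_lowercase)
    chars = [secrets.choice(pool) for pool in pools]          # one of each class, guaranteed
    alphabet = "".join(pools)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    rng.shuffle(chars)                                        # so the class order is not predictable
    return "".join(chars)

if __name__ == "__main__":
    for candidate in ("red bicycle", "r3d b1cycle", "Tr0ub4dor&3xQ!", generate_password()):
        print(f"{candidate!r}: {check_password(candidate) or 'passes all rules'}")
```

The substitution check matters because `r3d b1cycle` satisfies the "include numbers" rule on paper while hiding exactly the two simple words the article tells you to avoid; undoing the substitutions first is what lets the checker see that.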
Organize and Index Your Website Stuff
As a digital agency, many of the business owners we work with don’t know how to access their domains. Some of the first questions we ask before starting a project include: Do you know where your domain is? Do you know how long until it (hopefully) automatically renews itself? What about your hosting? Is DNS managed at your registrar? What about email?
If you manage your business’ website or if you work with an agency like ours to manage your website, you NEED TO KNOW this information. Have it readily available in a secure place. Paper can catch fire or get lost, so put this information somewhere digital (like in one of the password managers mentioned above) where it can be easily found. Just to be extra safe, back it up somewhere else too. Even if services like domain registration, management, and hosting are delegated to trusted vendors, be sure to keep an active relationship with them. When the time comes, you’ll know exactly who to call for what.
Avoid Phishy Things
Phishing is essentially someone bad trying to disguise themselves as someone you trust. Luckily there are tell-tale signs that you can check for that will help you identify stranger danger. It’s rare to receive phishing attempts that simply tell you something. Phishing almost always involves a scary call to action. They need information from you; that’s their game. Here are a few common examples of phishy emails.
- Your domain is about to expire forever.
- We’ve noticed some suspicious activity from your account.
- Your account is past due or payment information has expired.
- Something has happened and you need to randomly reset your password.
- The Prince of Kazakhstan wants to make you rich but needs to verify your bank account before sending funds.
They always want some kind of information from you – payment or account login/identification information. What’s tricky is that sometimes a request comes through that is real. Here are a few other ways to recognize a phishing email:
- Real companies know how to spell. If you see big typos, don’t click on anything.
- Real companies won’t ask for sensitive account or personal information by email.
- Real companies have domain emails that match their web address.
If you’re interested in learning more about how to spot phishy emails, visit phishing.org.
I personally make it a point to visit the website and navigate from there, rather than following links from the email. That way, I know I landed on the legitimate website and not a decoy. If you do follow a potentially phishy link from a phishy email, slow down and explore a bit. Make sure to review the target website and note the URL in the browser. Is it the right domain? Does the link take you to one domain, but hyperlinks from the page take you elsewhere? Stranger danger! Slow down. Take a closer look.
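The checks in the two passages above (a scary call to action, a sender domain that does not match the links, and a link whose visible text points one place while its target points elsewhere) can be automated. The following is an added example, not code from the article or from phishing.org, that runs those heuristics over two constructed emails built on the reserved example.com / example.net / example.org names. The phrase list is taken from the article’s own list of phishing hooks, and the "last two labels" domain comparison is a simplifying assumption (real code would consult the Public Suffix List).

```python
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Call-to-action hooks from the article's list of common phishy emails.
URGENT_PHRASES = ("expire", "suspicious activity", "past due", "payment information",
                  "reset your password", "verify your bank account")

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    """Approximate the registrable domain as the last two labels (assumption: a real
    implementation would use the Public Suffix List to handle names like co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def domain_of_url(url):
    """Registrable domain of a URL or bare hostname; '' if it has none."""
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    return registrable_domain(host) if host else ""

def analyze_email(raw):
    """Return a list of phishing indicators found in a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    sender_domain = registrable_domain(parseaddr(str(msg["From"]))[1].rpartition("@")[2])
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part is not None else ""
    findings = []
    lowered = body.lower()
    for phrase in URGENT_PHRASES:
        if phrase in lowered:
            findings.append(f"urgent call to action: '{phrase}'")
    collector = _LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        target = domain_of_url(href)
        if target and target != sender_domain:
            findings.append(f"link goes to {target} but mail claims to be from {sender_domain}")
        if "." in text and " " not in text:           # visible text looks like a URL or domain
            shown = domain_of_url(text)
            if shown and shown != target:
                findings.append(f"link text shows {shown} but href goes to {target}")
    return findings

# Constructed sample: the sender looks right, the hook is scary, the link goes elsewhere.
PHISHY_EMAIL = """\
From: Example Registrar <billing@example.com>
To: owner@example.org
Subject: Your domain is about to expire
Content-Type: text/html; charset="utf-8"

<html><body><p>Your domain is about to expire forever. Renew now:</p>
<a href="http://example.net/renew">https://www.example.com/account</a></body></html>
"""

# Constructed sample of a routine notice: no hook, link matches the sender's domain.
LEGIT_EMAIL = """\
From: Example Registrar <notices@example.com>
To: owner@example.org
Subject: Your monthly statement
Content-Type: text/html; charset="utf-8"

<html><body><p>Your monthly statement is ready.</p>
<a href="https://www.example.com/account">Sign in</a></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("phishy", PHISHY_EMAIL), ("legit", LEGIT_EMAIL)):
        print(name, analyze_email(raw) or "no indicators")
```

None of these indicators is proof on its own (the article notes that some alarming requests are real), which is why the function reports every finding rather than a single verdict; the domain mismatch between link text and link target is the one that most directly answers the "is it the right domain?" question above.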
In general, a good rule of thumb is: do not share your payment or login information, or enter it into anything, unless you are absolutely certain it’s legitimate.
When in doubt, ask us! Our customers do it all the time. We’re happy to help.