
Account Security - It's important....

Ralex
Retired Moderator
Level 13 : Journeyman Network
Considering the recent compromises of different accounts on different sites, I believe that we all need a nice reminder about account security.

Thanks to citricsquid over at MinecraftForum for writing most of this article for their internal moderation team.

Basic

Password security is very important, and a lot of the common wisdom around passwords is wrong. A password used for multiple accounts, regardless of its complexity, is not a good password; a good password is one that is used to access a single service only. Every account you use must have a **unique** password: once a password is shared between accounts, a breach of any one of them exposes all of the others.

Database Leak

The most common way you will be compromised is through a database leak: an attacker obtains a copy of a website's user database (myspace.com is one well-known example) and uses the email addresses and passwords in it to target high-value accounts, such as PayPal accounts and email accounts.

Leaked databases are usually sold first and eventually published openly, so it is only a matter of time before your credentials become public knowledge, and shortly after that every account you hold will be tried with those credentials. If the username "Lord_Ralex" appears in a leaked database, you can be confident that at some point someone will google "Lord_Ralex", identify that the Minecraft Forum account Lord_Ralex is high value, and attempt to log into it with the leaked credentials.

The only protection against this sort of attack is a unique password for every service you use. Any password reuse greatly weakens the security of that password: it takes just one compromised website to leak it, after which malicious third parties can use it to take over your accounts on other websites. 2 Factor Authentication (covered below) limits the damage when a password does leak, but it does not remove the need for unique passwords.

The website haveibeenpwned.com lets you check whether your email address has been included in any known leak, and its Notify Me feature will email you whenever a newly loaded leak contains your address. This is a good way to understand how much of a threat database leaks are: they are becoming more and more frequent, and as time passes you are more and more likely to be included in one.
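As an added example, not part of the original article: haveibeenpwned.com also exposes its Pwned Passwords corpus through a k-anonymity "range" API, so you can check whether a specific password has appeared in a leak without sending the password, or even its full hash, to the service. Only the first five hex characters of the password's SHA-1 hash are sent; the service returns every hash suffix in that range, and the comparison happens on your machine. The sample response below is constructed (the suffix for "password" is genuine, the other lines and all counts are made up), and the function names are this example's own.

```python
import hashlib
import urllib.request

# Constructed stand-in for the Pwned Passwords range endpoint,
# GET https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>,
# which answers with lines of "<remaining 35 hex chars>:<count>".
# The suffix for "password" is genuine; the other suffixes and all counts
# are made up for this example (the live response has hundreds of lines).
SAMPLE_RANGES = {
    "5BAA6": "\r\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824",  # SHA-1("password")
        "FFFFE4B0D5E4C5D4DB9E0A1B3A9F3FDDAA5:0",        # padding entry (count 0)
    ]),
}


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix
    that is sent to the service and the 35-char suffix that never leaves us."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range_offline(prefix: str) -> str:
    """Offline fetcher used by this example; returns the constructed sample."""
    return SAMPLE_RANGES.get(prefix, "")


def fetch_range_live(prefix: str) -> str:
    """Real fetcher (not exercised offline): asks the live service for one
    prefix. Add-Padding makes every response roughly the same size so its
    length does not reveal the prefix; padded entries come back with count 0."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "pwned-passwords-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range=fetch_range_offline) -> int:
    """How many times the password appears in the leak corpus (0 = not found).
    Only the 5-char hash prefix is handed to fetch_range; matching is local."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in fetch_range(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count or 0)
    return 0


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = breach_count(pw)
        print(f"{pw!r}: {'seen ' + str(n) + ' times' if n else 'not in sample corpus'}")
```

To run it against the live service, pass `fetch_range_live` as the second argument of `breach_count`; a non-zero count is a password that should be retired everywhere it is used.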

Targeted Attack

A targeted attack can use a number of different methods, including phishing, social engineering and the use of publicly available information to take over accounts. Protecting yourself against targeted attacks is important and, unfortunately, not an exact science, because social engineering attacks are constantly evolving. There are still some good steps you can take:

1. **Do not use real information in security questions.** When asked "what was the name of your first pet?" or "what is your mother's maiden name?", enter made-up answers, because the real ones can be found through social media profiles, public records and social engineering. Treat each answer as another password: make it random and record it somewhere safe, such as the notes field of a password manager.

2. **Always enable 2 Factor Authentication on your email account.** If your email password is compromised, all of your other accounts are effectively compromised too, because access to an inbox is often all that is needed to reset an account's password. 2 Factor Authentication gives you a second line of defense against a password compromise. Any reputable email provider supports it (Google publishes setup instructions for Google Accounts). If your email provider doesn't support 2 Factor Authentication, switch to one that does.

3. **Always verify that you are logging into the correct website.** After following a link, check the address bar before entering credentials: the domain must be exactly the one you expect and the connection must be HTTPS. Lookalikes such as `minecraftforum.net.something-else.example` belong to whoever owns the last part of the name, not to the site you meant to visit. Targeted phishing via private messages and emails is common.

4. **Never run files from untrusted sources.** If you do not know where a file came from, don't run it. Chances are it will steal some of your data, such as saved passwords or logged-in browser sessions, and that is enough to start compromising your accounts.
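The check in step 3, written out as an added example that is not part of the original article: given the address a login page is actually showing, the code decides whether it belongs to the site you expect. The expected host `minecraftforum.net` is the site the article discusses; the attacker hosts in the sample links are constructed, and the function names are this example's own. It relies on Python's `urllib.parse`, which strips any `user@` part and port from the hostname, so the classic `https://minecraftforum.net@evil.example/` trick resolves to `evil.example`.

```python
from urllib.parse import urlsplit


def login_site_check(url: str, expected_host: str) -> tuple[bool, str]:
    """Return (ok, reason). ok is True only when the URL's hostname is exactly
    expected_host or a genuine subdomain of it (match on a label boundary,
    never a plain substring), and the scheme is https."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False, f"not https (scheme is {parts.scheme or 'missing'!r})"
    host = parts.hostname  # lower-cased; user@ and :port already removed
    if not host:
        return False, "no hostname in URL"
    host = host.rstrip(".")
    expected = expected_host.lower().rstrip(".")
    if host == expected or host.endswith("." + expected):
        return True, f"hostname {host} belongs to {expected}"
    if expected in host:
        return False, f"lookalike: {host} merely contains {expected}"
    try:
        host.encode("ascii")
    except UnicodeEncodeError:
        return False, f"non-ASCII hostname {host!r}, possible homoglyph domain"
    return False, f"hostname {host} is not {expected}"


# Constructed sample links of the kind a phishing PM or email might carry.
SAMPLE_LINKS = [
    "https://www.minecraftforum.net/login",
    "http://www.minecraftforum.net/login",
    "https://minecraftforum.net.account-verify.example/login",
    "https://minecraftforum.net@evil.example/login",
    "https://notminecraftforum.net/login",
    "https://minecraft-forum.example/login",
    "https://minecrаftforum.net/login",   # Cyrillic "а" in place of Latin "a"
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        ok, why = login_site_check(link, "minecraftforum.net")
        print("OK   " if ok else "STOP ", link, "-", why)
```

The same logic is what you apply by eye in the address bar: read the host from the right-hand end, and treat anything before the expected name as suspect unless it is separated by a dot and the expected name is the end of the host.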

Password Security Best Practices

**A password must be unique** to a service; never use the same email and password combination for more than one account. There are a few ways to manage this: you can derive each password from a formula based on the name of the service, you can randomly generate passwords and write them down in a book kept in a secure location, or you can use a password manager. Be aware that a formula is the weakest of the three: once one formula-derived password leaks, anyone who reads it can usually spot the pattern and produce your password for every other service.

A password manager is an application that stores a database of your passwords for every service you use. Managers are available for a variety of platforms and can be local only (the database lives on your computer) or cloud hosted (your passwords are accessible from anywhere). A password manager is the recommended way to manage your passwords; it will also generate a strong, unique password for each service you log in to.

A password manager should be protected by a unique master password that you have memorised, and where possible you should also enable 2 Factor Authentication on the manager itself. A password does not need to be a jumble of random characters: a good password can be a sentence or a combination of several randomly chosen words, and passphrase generators that pick random words from a list will produce examples of the kind of password you could use.
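An added example, not from the article, of the "combination of random words" approach: the words are picked with Python's `secrets` module, which draws from the operating system's random source rather than the predictable `random` module, and the strength is estimated from the list size. The ten-word list here is constructed only so that the code runs offline; real passphrases should come from a list of thousands of words (the widely used diceware lists have 7776), and the entropy figures are computed for that size. The function names are this example's own.

```python
import math
import secrets

# Constructed mini word list so the example runs offline. A real list has
# thousands of entries; with only ten words a passphrase would be trivial to
# guess, which is exactly what the entropy figures below quantify.
DEMO_WORDS = ["anvil", "basalt", "creeper", "diamond", "ember",
              "furnace", "glowstone", "hopper", "ingot", "jungle"]
DICEWARE_LIST_SIZE = 7776           # 6^5: five dice rolls select one word


def generate_passphrase(words, n_words: int = 5, sep: str = "-") -> str:
    """Join n_words uniformly random words from the list. secrets.choice is
    suitable for secrets; random.choice is not."""
    if n_words < 1 or not words:
        raise ValueError("need a non-empty word list and at least one word")
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(choices_per_symbol: int, length: int) -> float:
    """Entropy of `length` independent uniform picks from `choices_per_symbol`
    options, assuming the attacker knows the list or alphabet and the scheme."""
    return length * math.log2(choices_per_symbol)


def words_needed(target_bits: float, list_size: int = DICEWARE_LIST_SIZE) -> int:
    """Smallest number of words from a list of list_size reaching target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    print("demo passphrase:", generate_passphrase(DEMO_WORDS, 5))
    print(f"5 words from {DICEWARE_LIST_SIZE}: {entropy_bits(DICEWARE_LIST_SIZE, 5):.1f} bits")
    print(f"8 random [A-Za-z0-9]:    {entropy_bits(62, 8):.1f} bits")
    print(f"5 words from demo list:  {entropy_bits(len(DEMO_WORDS), 5):.1f} bits")
    print("words for 80 bits:", words_needed(80))
```

Five words from a 7776-word list give about 64 bits, more than an eight-character random alphanumeric password (about 48 bits) and far easier to remember; the strength comes entirely from the words being chosen at random, not from the words themselves.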

Password Managers

Dashlane - A password manager and secure digital wallet with a free service that will allow you to use the password manager on one device, for $40 per year you can sync your passwords, payment details and secure information across any number of devices. Dashlane supports 2 Factor Authentication.

KeePass - A free desktop application that **does not** offer any built-in syncing across devices; users can keep their password database synced with a service like Dropbox. The database file is encrypted, so the sync provider only ever sees ciphertext, but that protection is only as strong as the master password (and key file, if you use one) chosen for it.

1Password - A password manager and secure digital wallet available across any device with cloud sync for $36 a year. 1Password has native support for 2 Factor Authentication.

LastPass - A free password manager with a browser extension that syncs your passwords in *the cloud*, with a premium service for $12 a year that syncs to your mobile devices too. LastPass supports 2 Factor Authentication. This is what I use; I even paid for premium.

Summary

You should always take your account security seriously. Make passwords as hard to guess as you can, but simple for you to remember. Never reuse a password across sites. Password managers help with this, but they are only as secure as the master password you use to protect them.

Recent compromises

MinecraftForge accounts were compromised and reports are that data from that is being used to compromise accounts elsewhere - http://www.minecraftforge.net/forum/index.php?topic=39636.0
Credit: citricsquid


MysticMage (Level 9 : Apprentice Explorer), 11/05/2020 5:33 am:
The point is, we'll have to follow the Microsoft ToS after that. They could literally do anything. They even could make us pay for updates with Microsoft accounts and literally everything else is also possible... Let's hope that this turns in a good direction.
Catsandwarriors (Level 1 : New Explorer), 12/29/2017 11:31 am:
I have a password that my family uses but with different numbers, so it's my family's little password.
Acier (Level 52 : Grandmaster Professor), 11/06/2017 8:07 am:
True that
D324784 (Level 28 : Expert Miner), 10/29/2017 2:40 am:
Hey, dumbass, why is my level like this, hey, loser, screw your mother >:<
Virtual Drink Mods (Level 1 : New Miner), 11/15/2016 7:11 pm:
You got a lot of nerve doing that
jinsuol (Level 1 : New Miner), 01/08/2018 9:44 pm:
You got a lot of nerve posting this.
Vincent _1987 (Level 61 : High Grandmaster Meme), 11/10/2016 4:18 am:
I've been using my password since I was eight years old ;-; maybe I'm safe because it's a word my uncle invented xD

Don't you dare steal my Steam account, hackers!
Cardinal System (Level 31 : Artisan Geek), 04/27/2019 2:07 pm:
lmao
JozyP (Level 42 : Master Pixel Painter), 10/29/2016 10:40 pm:
I see what you're trying to say. I decided to work with all my friends in school and online to help me come up with new passwords for my emails, accounts, etc. It's also comforting to know that all my trusting friends on Minecraft and at school can help me if I forget my passwords, because they know them too! This is really the most secure way to store passwords.
Ralex (Level 13 : Journeyman Network), 10/30/2016 10:33 am:
So, you chose to ignore the advice of don't share passwords? The best password is one only you know. If someone else knows it, that password is now useless. DO NOT DO THAT.
Planet Minecraft, © 2010 - 2024, www.planetminecraft.com