You probably use strong and unique passwords to prevent hackers from taking over your online accounts but is that enough? Maybe yes but I can’t say that with enough confidence because my Google and Facebook accounts have been compromised in the past despite using very complex passwords that can’t be easily guessed.
Like most other people, I have a few dozen online accounts now and have spent the last few days evaluating the security and recovery options for each one of them. In response, I have taken a few extra steps, listed below, that I think may help improve the overall security of these accounts. If you find anything useful in the list, do try implementing it in your own workflow for better peace of mind.
A Security Checklist for Online Accounts
#1. I have enabled the “Always use HTTPS” setting for Facebook, Twitter, Gmail, Google and all the other online services that support secure HTTP. This is especially important when accessing the Internet over a Wi-Fi network because without HTTPS, anyone (and not just skilled hackers) can capture your login details using Firesheep, a simple Firefox extension.
#2. I have a few Google Accounts and they all use 2-step verification now. That means if someone tries to log into my Google account from a different computer, they’ll have to type an additional code that is sent directly to my mobile phone as an SMS text message or over a voice call.
#3. The 2-step verification can also alert you to potential hacking activity. If I ever get an SMS (or a voice call) from Google with the verification code but without requesting one, it is an immediate hint that someone knows my password though they won’t be able to get in without entering the verification code.
#4. I have connected my mobile number with my Facebook account. This is extremely important because I get an instant SMS and an email alert whenever my Facebook account is accessed from a different computer or another mobile phone.
#5. I carefully reviewed third-party sites that have access to my online accounts and revoked access to all the unwanted apps that I no longer use. In case you wish to do the same for your accounts, here are the direct links for Facebook, Google and Twitter.
#6. I maintain two email addresses – one is public that is displayed on the blog while the other email address is known to a select few. Why?
6a. The public email address is associated with services like Twitter, YouTube, Facebook, Foursquare, LinkedIn, Flickr, Tumblr, Posterous, Skype and a couple of other social sites where I want people to find me if they have my email address in their address book.
6b. I use the other “secret” email address with services like Dropbox, Amazon, Google Apps, my bank, my hosting service, Apple iTunes, PayPal and few other places where account security is even more critical and where I am not looking to get social.
#7. If I am testing a new online service, I almost always use a disposable email address to create a test account with that service. Some online services reject disposable addresses to prevent fake registrations but the one I use goes through as it is only an alias (or nickname) of my main email address.
#8. I prefer using a virtual credit card with shopping sites that I am either using for the first time or where the fine print is too long and there’s a risk that I could be billed again if I don’t cancel the account. This also helps keep my credit card safe from relatively unknown sites.
#9. Once in a while, I do a mock drill with my most important online accounts to test the various recovery options I would have in case I forget my password or if I lose access to my secondary email address or misplace my mobile phone.
#10. The last point - how do I remember and manage so many different passwords?
Some people prefer to use password managers which are very convenient but at this time, all I use is a simple 1-page document (see sample) to store information of all my online accounts and the corresponding passwords. This file is password-protected and I put it on Dropbox so the information is available on all my computers.
This may surprise some but I also have a hard copy of this file that family members can refer to in case I am travelling and they need urgent access to any of my online accounts. Also, since they would need my mobile phone to access my Gmail or Google account, I have included backup verification codes in the printed document itself – thus the Google account can be used without requiring the phone.
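The printed backup codes in #10 work because the service never needs the phone to accept them: it keeps a hashed copy of each code and crosses it off once used. The snippet below is an added illustration of that mechanism, not Google's own code; the `BackupCodeStore` class, the code alphabet and the constructed codes are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed example of one-time backup codes (hypothetical service logic).
# Alphabet omits confusable characters (0/o, 1/l/i) since codes are printed.
CODE_CHARS = "23456789abcdefghjkmnpqrstuvwxyz"


def generate_backup_codes(count: int = 10, length: int = 8) -> list:
    """Return `count` random codes for the user to print and keep offline."""
    return ["".join(secrets.choice(CODE_CHARS) for _ in range(length))
            for _ in range(count)]


def hash_code(code: str, salt: bytes) -> bytes:
    """Salted, slow hash so a leaked database does not yield usable codes."""
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)


class BackupCodeStore:
    """Server-side record: only salted hashes are kept, each removed on use."""

    def __init__(self, codes):
        self.salt = secrets.token_bytes(16)
        self.unused = {hash_code(c, self.salt) for c in codes}

    def redeem(self, code: str) -> bool:
        """Accept a code once; a second use of the same code is rejected."""
        digest = hash_code(code.strip().lower(), self.salt)
        match = None
        for stored in self.unused:
            # constant-time comparison avoids leaking which digest matched
            if hmac.compare_digest(stored, digest):
                match = stored
                break
        if match is None:
            return False
        self.unused.remove(match)
        return True


if __name__ == "__main__":
    codes = generate_backup_codes()
    store = BackupCodeStore(codes)
    print("print these and keep them offline:", codes)
    print("first use:", store.redeem(codes[0]))   # True
    print("reuse:", store.redeem(codes[0]))       # False, already consumed
```

Because only the hashes are stored, the printed sheet is the single copy of the codes, which is exactly why it needs the same physical protection as the hard copy of the password document.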
One more thing. If you have two email accounts, never ever set one email as the secondary (or recovery) email address of the other. That’s because if one of your email accounts gets compromised, the hacker can easily take over the other account as well.
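The reason the two-way recovery setup is dangerous is that password resets chain: whoever controls a recovery inbox can reset every account that points at it, and then every account that points at those. The following added example (not from the original post) models that with a constructed recovery map; the account names and the `sms:` placeholder are assumptions, and the functions show which accounts fall after a single compromise and which pairs form the loop the post warns against.

```python
from collections import deque

# Constructed recovery graph: account -> the address that can reset its password.
RECOVERY = {
    "public@example.com": "secret@example.com",
    "secret@example.com": "public@example.com",  # the two-way loop to avoid
    "bank": "secret@example.com",
    "dropbox": "secret@example.com",
    "twitter": "public@example.com",
}


def reachable_from_compromise(recovery: dict, compromised: str) -> set:
    """Accounts an attacker who controls `compromised` can reset, transitively."""
    # Invert the map: recovery address -> accounts it is allowed to reset.
    resets = {}
    for account, addr in recovery.items():
        resets.setdefault(addr, set()).add(account)
    seen = {compromised}
    queue = deque([compromised])
    while queue:
        current = queue.popleft()
        for account in resets.get(current, ()):
            if account not in seen:
                seen.add(account)
                queue.append(account)
    return seen - {compromised}


def find_recovery_loops(recovery: dict) -> list:
    """Return (a, b) pairs where a recovers b and b recovers a."""
    return sorted((a, b) for a, b in recovery.items()
                  if recovery.get(b) == a and a < b)


def without_loop(recovery: dict) -> dict:
    """Break the loop by giving the secret address a non-email recovery channel."""
    fixed = dict(recovery)
    fixed["secret@example.com"] = "sms:+1-555-0100"  # constructed placeholder
    return fixed


if __name__ == "__main__":
    print("loops:", find_recovery_loops(RECOVERY))
    print("public@ compromised ->", sorted(reachable_from_compromise(RECOVERY, "public@example.com")))
    fixed = without_loop(RECOVERY)
    print("after fix ->", sorted(reachable_from_compromise(fixed, "public@example.com")))
```

With the loop in place, losing the public address also hands over the secret address and everything behind it (bank, Dropbox); once the secret address recovers through a different channel, the same compromise reaches only the social accounts that were meant to be tied to the public address anyway.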