Aryeh,

 

Great suggestions.   One of the things I find troubling is that many of these free services - facebook, gmail, etc, ask for additional personal information to help validate your identity.  I struggle with this a bit as it seems counter-intuitive to me.  If some of these sites can be hacked, do I want them to store additional information about me ?

 

So far, I resist adding an more information.   Am I being too cautious?

 

Mark

Quote from Mark_Lenovo:
"...One of the things I find troubling is that many of these free services - facebook, gmail, etc, ask for additional personal information to help validate your identity. I struggle with this a bit as it seems counter-intuitive to me. If some of these sites can be hacked, do I want them to store additional information about me ?



So far, I resist adding an more information. Am I being too cautious?



Mark"

...Not at all Mark.

A very well known fellow, Benjamin Franklin, said long ago, "An ounce of prevention is worth a pound of cure" which, I believe, is noteworthy with regard to your question. In addition, it should be noted, that same fellow, mentioned above, also said "three can keep a secret, if two of them are dead".

Most web site registration requests require a valid email address and the member's name. Anything beyond that is intrusive for a simple web site "registration" membership just to play a game or view and send email.

There are some other aspects to web site membership you should consider before offering any other information regarding your identity. Some of these would be relative to the "purpose" behind your registration, and what type of web site.

For example...let's say you decide to perform your banking online. Your bank's web site is going to require much more personal information than just an email address and your name. In that example, you can see the need for providing such information. Before you do however, you should make certain the web site has protective features available, starting with the web site protocol itself.

When registering at a web site that requires personal information, look in the address bar of your browser. Make sure the web site address line starts with "HTTPS://".

If it does not, then your personal information is at risk which should bring to mind the above quoted remarks from Mr. Franklin.

Hi, PeterTWJ.

 

Although Aryeh addressed your question on the why and how password compromises occur, I'd like to add additional information about the issue you raised regarding compromised Hotmail accounts.

 

Quote:

"Some of my friends, their Hotmail account were being hacked and use to send spam mails. Some of their account password were even being changed and they are unable to access it."

 

The Hotmail team has incorporated security features designed to protect and recover a Hotmail account.  These features include those listed below.  In addition, the Hotmail team has rolled out a new security feature that will prevent choosing a very common password when recovering a compromised Hotmail account, signing up for a Hotmail account or when changing your password. Also, if you are already using a common password, you may, at some point in the future, be asked to change it to a stronger password. 

 

1) Designate an alternate e-mail address.  Be careful when entering the alternate e-mail address as it will need to be confirmed.

Hello,

 

When the questions one is asked seem to be... intrusive, I'm a firm believer in providing an answer that I can remember, but is not necessarily truthful.  For example, if asked for my birth date, I may give the year I was born, but specify January 1st for the date. 

 

More elaborate answers can be given to questions, especially those required to reset a password, but it is important to store those answers safely offline someplace, so in the event you have forgotten your password or need to change it, you will be able to do so.

 

In a home environment, I personally feel that an address book—the actual paper kind that you write in with a pen—stored near the computer (but not at it, or at least, out of sight from it) is a great place to keep mnemonics and tips to help you answer password recovery questions for web sites.  Keep in mind, though, that you should not write the actual answers to the questions in there, just something that helps you remember your answer.

 

Regards,

 

Aryeh Goretsky

 

Goretsky Wrote:

 

"In a home environment, I personally feel that an address book—the actual paper kind that you write in with a pen—stored near the computer (but not at it, or at least, out of sight from it) is a great place to keep mnemonics and tips to help you answer password recovery questions for web sites.  Keep in mind, though, that you should not write the actual answers to the questions in there, just something that helps you remember your answer."

 

I've been using this method at home for many years, not only as a reminder for password recovery questions but also as a reminder for web site passwords.  Never use the same password at every site.  If that site should be compromised, your account information could be readily available to the hacker.  Although there are password generating programs, I got into the habit of creating my own unique password for each web site.  (This is probably a result a work environment that necessitated changing the password every 30 days. )

 

 

Hello,

 

Let me add other techniques that are being used by the bad guys to hack or steal other people's email accounts:

 

Phishing - is a form of social engineering broadcast attack focused on stealing credentials or identity information from any potential target.  You've already cited an example of this technique -- when you received friend invitations from unknown people with suspicious email addresses.  That's how others start their phishing attack.

 

Weak passwords - some users use common words as their passwords -- which is not a good practice.  Avoid using simple words like "password", "12345", "admin", "54321", etc. as your password.  It will be easy for the bad guys to guess your password if you use a weak password. 
 
Dictionary attack - this is somewhat related to weak passwords.  The bad guys will try to use common words to try to guess the password of your account.

Other technques are quite old-fashioned already, but they still work.  So you should still be aware of the following:

 

Eavesdropping - is the act of secretly listening to the private conversation of others without their consent.  One example is if you're in a public place, the person besides you might be "secretly" listening to the things that you're saying while you're talking to a friend via your mobile phone, face to face conversation, etc. -- waiting for some important information that you may say that might be of use to them.

 

Shoulder surfing - this is (or should I say was) very common on Internet cafes wherein the person besides you is waiting for you to type in your password and will monitor the movement of your fingers so that they will determine your credentials.

If you're the kind of person that writes their passwords or important information on a piece of paper, make sure that you store it on a safe place (not under the keyboard, on a ref/monitor post it, etc.).  Also, be wary of the "dumpster diving" technique that's still being used by some bad guys.

 

Dumpster diving - is the act of digging through trash in order to obtain information about a target organization or individual.  To prevent dumpster diving (or at least reduce its value), all important documents should be shredded or incinerated before being discarded.

 

And of course, the last and most important thing is end-user education or awareness.  There's a good saying that is very common on social networking sites:  "Think before you click" 

 

Hope these help.

 

Regards,
Cyrus