Zzzzzecurity!

A boring but hopefully helpful post today, for those of you who have been subjected to attempted account hacking, suspect you have been or may be in the future, or just plain want to secure your account a bit more. Twitter offers a few options to help; as always, the balance is between making your account secure enough to keep unwanted people out (naming no names) and not tying yourself up in knots with unwieldy processes every time you want to log in. Forgive me if you already know all of this stuff; it’s aimed at helping those who haven’t explored the security options yet and may not know what they can do to help protect themselves. So, here are a few options for you to take or leave as you wish:

  • Have a good password

Oh, thanks Greg for stating the bleeding obvious! Why, you’re welcome!

It’s amazing how many people choose a weak password and use the same one for all of their accounts. It’s human nature, because you can’t remember a bazillion passwords for your bazillion different accounts, but there are a few tricks that might help. First off, if your password is a word I can find in the dictionary or a person’s name, you need to change it right away. You ideally want your password to be reasonably long and use a combination of letters, numbers and special characters. And you want it to be different for your different accounts. Does that make it too hard to remember? Too much hassle? Not really.

How about this for a password?

19Tw1GaLb0C!W

Intel says (https://www-ssl.intel.com/content/www/us/en/forms/passwordwin.html) that it would take about 222 years for that password to be cracked. That ought to keep our wannabe hacker busy for a while (Hi, wannabe hacker, that isn’t my password by the way but feel free to try if you think I’m double-bluffing). Too hard to remember though? Not really:

[Image: password]

You’ll be surprised how quickly you’re typing a password like that out after using it a few times, and you’ll not forget it any more than your current one. And anybody trying to guess it is going to be VERY frustrated.
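To make the "long, mixed characters, not a dictionary word" advice concrete, here is an added example (my own code, not from the original post or from Intel's checker) that scores a password the way the post describes: alphabet size from the character classes used, an entropy upper bound from length, and a dictionary check that sees through leetspeak and trailing digits. The word list, the ten-billion-guesses-per-second rate and the verdict thresholds are assumptions for illustration; the years it reports therefore differ from Intel's 222-year figure, which rests on that tool's own assumptions.

```python
import math
import string

# Constructed stand-in for a dictionary and name list; a real checker would
# load a full word list (this set is an assumption for the example).
COMMON_WORDS = {
    "password", "letmein", "welcome", "monkey", "dragon", "football",
    "sunshine", "qwerty", "twitter", "gregory", "herod", "liverpool",
}

# Assumed guess rate: an offline attack at ten billion guesses per second.
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Substitutions people use to dress up a dictionary word ("P@ssw0rd").
LEET = str.maketrans("013457@$!", "oleastasi")


def charset_size(pw: str) -> int:
    """Size of the alphabet an attacker must search, from the classes used."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # the 32 printable ASCII symbols
    return size


def entropy_bits(pw: str) -> float:
    """Upper bound on strength: log2(alphabet ** length) for a random password."""
    n = charset_size(pw)
    return len(pw) * math.log2(n) if n else 0.0


def is_dictionary_word(pw: str) -> bool:
    """True if the password is a listed word once leading/trailing digits or
    symbols are stripped and case and leetspeak are normalised."""
    core = pw.lower().strip(string.digits + string.punctuation).translate(LEET)
    return core in COMMON_WORDS


def years_to_crack(pw: str) -> float:
    """Expected time to search half the keyspace at the assumed guess rate."""
    if is_dictionary_word(pw):
        # A word list is tiny next to the keyspace: a few million guesses at most.
        return 1e7 / 2 / GUESSES_PER_SECOND / SECONDS_PER_YEAR
    return 2 ** entropy_bits(pw) / 2 / GUESSES_PER_SECOND / SECONDS_PER_YEAR


def assess(pw: str) -> dict:
    """Summarise a password the way the post does: length, variety, dictionary."""
    bits = entropy_bits(pw)
    if is_dictionary_word(pw) or bits < 40:
        verdict = "weak"
    elif bits < 64:
        verdict = "fair"
    else:
        verdict = "strong"
    return {
        "length": len(pw),
        "charset": charset_size(pw),
        "bits": round(bits, 1),
        "years": years_to_crack(pw),
        "dictionary_word": is_dictionary_word(pw),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for candidate in ["password", "P@ssw0rd", "Gregory1", "19Tw1GaLb0C!W"]:
        print(candidate, assess(candidate))
```

Run it and the post's sample password comes out with a 94-character alphabet and roughly 85 bits, while "P@ssw0rd" and "Gregory1" are flagged as dictionary words despite their digits and symbols, which is the point: variety only helps when the base isn't a word or a name.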

  • Use Two-Factor Authentication

“Two-factor authentication” just means that you need something else in addition to your password before Twitter believes it’s really you and lets you log in. It’s the same as when you withdraw money from a cashpoint; you need two things – the physical card in your possession, and the knowledge of what the PIN number is. Fortunately, Twitter has made it pretty easy to use two-factor authentication, especially if you have an Android or iPhone.

Go to Settings then “Security and Privacy.” You’ll see something like this, unless you’ve already registered your phone with Twitter.

[Screenshot: loginverif]

Click the “add a phone” link under “Send login verification requests to my phone” and tell Twitter your phone number. It will send you a text message to confirm that you have given the correct number; when you get the text, type the confirmation code into Twitter. It will confirm that you have activated your phone and you can set some preferences for whether you want Twitter to send you text message notifications for various things (mentions, retweets etc.). Save your preferences, go back to your security settings and you should now see your number appear in the verification settings.

[Screenshot: yournumber]

One thing to note is that adding your phone number, by default, allows people to search for you on Twitter using your phone number. If you don’t want that to happen (e.g. if someone has your phone number but you don’t want them to know who you are on Twitter), scroll down the Security settings to the “Discoverability” section and untick the options that allow people to do that. You can also untick the option allowing people to find you by your email address if you wish.

If you don’t have an iPhone or Android, you can ask Twitter to send verification messages by text. Select “Send login verification requests to [your number]” and Twitter will send you a test message to make sure you receive it OK. If you get it, click yes, re-enter your password to confirm and you are good to go. Next time you try to log in, you’ll get a text message with a login code. Until you type that login code into Twitter you won’t be logged in. This means that a wannabe hacker can’t get in even if they’ve guessed your password, because they don’t have your phone too.

If you have an Android or iPhone, it’s even easier. After you’ve told Twitter your phone number, go to the Twitter app on your phone, go to settings, tap your account name then select the “Security” option. Tick the box marked “Login verification.” Now, instead of receiving a text message when you try to log in, you’ll see a notification on your phone informing you of an attempted login.

[Screenshot: verif]

It’ll look a bit like this screenshot…you just need to press the tick and you’ll be logged in to Twitter. As a little bonus, you can even see where the login attempt was made from and using which software. So any potential attackers will have their locations exposed too.

When you sign up for this service, Twitter will also give you a passcode which you can copy and paste to your phone’s gallery just in case you need to log in somewhere your phone doesn’t have an internet signal. You can then use that passcode instead.

It’s really quite simple and straightforward to use and only adds half a second to your login, assuming that, like me, you always have your phone with you.

This also has the benefit of automatically changing another privacy setting, so that you can only ever log in using your password. By default, Twitter will let you request a login code by email or text if you forget your password; if somebody intercepted that email or text, they could log in as you using that login code without ever knowing your password. Turning on login verification on your phone stops this happening anyway, but even if you decide not to use two-factor authentication, you might want to remove the option to log in with a code.

[Screenshot: code]
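The login-verification flow described above (password first, then a code sent to the phone, with the backup passcode as a fallback) can be shown end to end in a small simulation. This is an added example of my own, not Twitter's code and not from the original post: the `Account`, `PhoneChannel`, `begin_login` and `complete_login` names, the five-minute code lifetime and the PBKDF2 parameters are all assumptions. What it demonstrates is why a guessed password alone gets the attacker nowhere: without the code delivered to the phone, `complete_login` never returns `logged_in`, and each code (and the backup passcode) works exactly once.

```python
import hashlib
import hmac
import os
import secrets

CODE_TTL = 300  # seconds a login code stays valid (assumed value)


class Account:
    """Constructed in-memory account; stands in for the service's user store."""

    def __init__(self, username, password, phone, login_verification=True):
        self.username = username
        self.phone = phone
        self.login_verification = login_verification
        self.salt = os.urandom(16)
        self.pw_hash = self._hash(password, self.salt)
        # The backup passcode shown once at enrolment, for logging in when
        # the phone has no signal.
        self.backup_code = secrets.token_hex(8)
        self.pending = None  # the code currently awaiting confirmation

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def check_password(self, password):
        return hmac.compare_digest(self._hash(password, self.salt), self.pw_hash)


class PhoneChannel:
    """Simulates the text message / push notification to the user's phone."""

    def __init__(self):
        self.sent = []

    def send(self, phone, message):
        self.sent.append((phone, message))


def begin_login(account, password, channel, now):
    """First factor. Returns 'denied', 'logged_in' (verification switched off)
    or 'code_required' after sending a fresh code to the registered phone."""
    if not account.check_password(password):
        return "denied"
    if not account.login_verification:
        return "logged_in"
    code = f"{secrets.randbelow(10 ** 6):06d}"
    account.pending = {"code": code, "expires": now + CODE_TTL, "used": False}
    channel.send(account.phone, f"Your login code is {code}")
    return "code_required"


def complete_login(account, code, now):
    """Second factor: the code from the phone, or the backup passcode.
    Each is single use, and the phone code also expires."""
    p = account.pending
    if (p and not p["used"] and now < p["expires"]
            and hmac.compare_digest(code.encode(), p["code"].encode())):
        p["used"] = True
        return "logged_in"
    if account.backup_code and hmac.compare_digest(
            code.encode(), account.backup_code.encode()):
        account.backup_code = None  # spent; the user would need a new one
        return "logged_in"
    return "denied"


if __name__ == "__main__":
    # Constructed sample account and phone number.
    acct = Account("greg", "19Tw1GaLb0C!W", "+44 0000 000000")
    phone = PhoneChannel()
    print(begin_login(acct, "19Tw1GaLb0C!W", phone, now=0))   # code_required
    _, message = phone.sent[-1]
    print(complete_login(acct, message.split()[-1], now=10))    # logged_in
```

The `now` parameter is passed in rather than read from the clock so the expiry rule can be exercised deterministically; a real service would also rate-limit `complete_login` attempts, since a six-digit code is small enough to brute force if attempts are unlimited.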

  • Don’t let just anyone request a password reset for you

If you forget your password, and want to reset it, you simply type in your user name and Twitter will offer you one or more options for sending you a reset link. These will be mostly obscured so that people can’t see your full email address or phone number just by typing in your username. You can then ask for an email to your registered email address, or a text to your phone, with reset instructions.

This is a fairly simple process, but it has three potential drawbacks:

  1. People can just keep requesting password resets for you, which doesn’t directly affect your security but can be annoying and worrisome.
  2. People may be able to guess your email address, even from the obscured version. So, if mine appears, for example as ‘g*****y****d@y**o*.com’ it wouldn’t take a genius to guess my email address as gregoryherod@yahoo.com – it isn’t that by the way. If someone has your email address, they can attempt to find further details about you elsewhere (e.g. by finding a Facebook account or Google+ account using that email address, it might give them clues to your full name, or they may attempt to hack your email account directly).
  3. Less likely, but still possible, if somebody has a suspicion that a particular account is you but doesn’t know for sure, but they know your email address or phone number, they may be able to confirm their suspicions by using the partial details that Twitter shows.

You may or may not be bothered by these issues, but if you want to avoid any or all of them, you can select this option in the security settings.

[Screenshot: reset]

With this box selected, if someone clicks “Forgot password” and then types in your username, they won’t be able to see any of your partial contact details, or request a password reset, until they type in your full email address or the phone number you registered with Twitter. Of course, if somebody does know your email address, they can get around that, so if you suspect somebody malicious does know it (e.g. they might have guessed it previously by seeing your partial details), you could create a new, disposable Gmail or Outlook account just for Twitter and nothing else, and change your contact email in settings.
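The three drawbacks listed above and the setting that addresses them can be illustrated with a toy “forgot password” lookup. This is an added example written for this post, not Twitter's code: the `mask_revealing` function only mimics the spirit of the masked address quoted above (Twitter's real masking rule is not known from the page), `mask_minimal` is a stricter alternative I propose, and `ResetEndpoint`, its request limit of three per hour and the sample account store are all assumptions. It shows how much a length-preserving mask gives away compared with a fixed-width one, how the “require full contact details” option withholds everything until the exact email or phone is supplied, and how a per-account limit blunts the nuisance of repeated reset requests.

```python
import hmac
import time


def mask_revealing(contact: str) -> str:
    """Masking in the spirit of the post's 'g*****y****d@y**o*.com': it keeps
    the true length and several letters, so it leaks a lot."""
    if "@" in contact:
        local, domain = contact.split("@", 1)
        name, _, tld = domain.rpartition(".")
        keep = {0, len(local) // 2, len(local) - 1}
        masked_local = "".join(c if i in keep else "*" for i, c in enumerate(local))
        masked_name = name[:1] + "*" * (len(name) - 1)
        return f"{masked_local}@{masked_name}.{tld}"
    return "*" * (len(contact) - 2) + contact[-2:]


def mask_minimal(contact: str) -> str:
    """Fixed-width masking: first character and top-level domain only, so the
    masked form reveals neither the length nor any middle letters."""
    if "@" in contact:
        local, domain = contact.split("@", 1)
        tld = domain.rpartition(".")[2]
        return f"{local[:1]}*****@*****.{tld}"
    return "********" + contact[-2:]


def leaked_chars(masked: str) -> int:
    """Crude measure of how much a masked string gives away."""
    return sum(1 for c in masked if c not in "*@.")


class ResetEndpoint:
    """Toy 'forgot password' lookup with the post's two protections: an
    optional requirement to supply the full contact detail before anything
    is shown, plus a per-account limit on repeated reset requests."""

    def __init__(self, accounts, max_requests=3, window=3600):
        self.accounts = accounts
        self.max_requests = max_requests
        self.window = window
        self.requests = {}  # username -> timestamps of recent requests

    def _within_limit(self, username, now):
        recent = [t for t in self.requests.get(username, []) if now - t < self.window]
        if len(recent) >= self.max_requests:
            self.requests[username] = recent
            return False
        self.requests[username] = recent + [now]
        return True

    @staticmethod
    def _matches(supplied, stored):
        a = supplied.strip().lower().encode()
        b = stored.strip().lower().encode()
        return hmac.compare_digest(a, b)  # constant-time comparison

    def lookup(self, username, supplied_contact=None, now=None):
        now = time.time() if now is None else now
        acct = self.accounts.get(username)
        if acct is None:
            return {"status": "not_found"}
        if not self._within_limit(username, now):
            return {"status": "rate_limited"}
        if acct["require_contact_info"]:
            known = (acct["email"], acct["phone"])
            if supplied_contact is None or not any(
                    self._matches(supplied_contact, c) for c in known):
                return {"status": "contact_required"}  # no partial details shown
        return {
            "status": "options",
            "email": mask_minimal(acct["email"]),
            "phone": mask_minimal(acct["phone"]),
        }


# Constructed sample account store (assumption: stands in for the real one).
ACCOUNTS = {
    "greg": {"email": "someone@example.com", "phone": "+440000000000",
             "require_contact_info": True},
}

if __name__ == "__main__":
    for m in (mask_revealing, mask_minimal):
        masked = m("someone@example.com")
        print(masked, "leaks", leaked_chars(masked), "characters")
    endpoint = ResetEndpoint(ACCOUNTS)
    print(endpoint.lookup("greg", now=0))
    print(endpoint.lookup("greg", "someone@example.com", now=1))
```

Note that a request refused with `contact_required` still counts against the limit, so someone guessing at your address from the masked form gets only a few tries an hour, and the endpoint returns the same response whether the guess was close or not.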

Sorry if that took a while to read, but I hope it gave some useful tips to people who may not have known them before. The 10-15 minutes of work it takes to change these settings will likely make your account considerably more secure.

A reminder also that abuse and violations of the Twitter rules can be reported at https://support.twitter.com/forms/abusiveuser more effectively than by tweeting @support as multiple accounts can be reported simultaneously, and that, under those rules, abuse can take the form of creating multiple accounts “for disruptive or abusive purposes,” or “sending messages to a user from multiple accounts.” They do NOT need to be direct threats or even insulting to constitute abuse under the terms of use.

Happy Tweeting…leave a comment if you have any more tips.
