Deliberate use of entropy, randomness, even changing routines can provide a layer of defense for cybersecurity.
More Steps for Cybersecurity
Here are three more steps (in addition to Three Steps for IndieWeb Cybersecurity) that you can take to add obstacles to any would-be attackers, and further secure your online presence.
- Different email address for each account, AKA email masking. Use or create a different email alias for each service you sign-up for. With a single email inbox, like any username at Gmail, you can often append a plus sign (+) and a brief random string. If you use your own #indieweb domain for email addresses, pick a different name at that domain for each service, with a bit of entropy like a short number. Lastly, another option is to use an email masking service — try a web search for that phrase for options to check out. Each of these works to limit or at least slow down an attacker, because even if they gain control of one email alias or account, any “forgot password” (AKA password reset or account reset, or sometimes called recovery) attempts with that same email on other services won’t work, since each service only knows about an email address unique to it.
- Different password for each account. This is a well-known security technique against credential stuffing attacks. That is, if someone retrieves your username and password from a data breach, or guesses them, or tricks (phishes) you into entering them for one service, they may try to “stuff” those “credentials” into other services. Using different passwords for all online services you use can thwart that attack. Note however that different passwords with the same email address will not stop an account reset attack, which is why this tip is second to email masking.
- Use a password manager to autofill. All modern browsers and many operating systems have built-in password managers, most of which also offer free sync services across devices. There is also third-party password manager software and third-party password manager services which are designed to work across devices, browsers, and operating systems. Regardless of which option you choose, always using a password manager to autofill your login username (or email) and password can be a very effective method of reducing the chances of being phished. Password managers will not autofill forms on fake phishing domains that are pretending to be a legitimate service. Password managers can also help with keeping track of unique email addresses and passwords for each service. Most will also auto-generate long and random (high entropy) passwords for you.
I’ll close with a reminder that Perfect is the enemy of good. This post has been a draft for a while so I decided to publish it as a summary, rather than continuing to iterate on it. I’m sure others have written much longer posts. Similarly, even if you cannot take all these actions immediately everywhere, you can benefit by incrementally taking some of these steps on some accounts. Prioritize important accounts and take steps to increase their security.
Previous post in this series: CSF_01: Three Steps for IndieWeb Cybersecurity
Glossary
Glossary for some terms, phrases, and further reading on each.
- credential stuffing: https://en.wikipedia.org/wiki/Credential_stuffing
- data breach: https://en.wikipedia.org/wiki/Data_breach
- entropy: https://en.wikipedia.org/wiki/Entropy_(information_theory)
- password manager: https://en.wikipedia.org/wiki/Password_manager
- phish, phished, phishes, phishing: https://en.wikipedia.org/wiki/Phishing
Syndicated to: IndieNews