Basic web security precautions you can take to limit phishing damage

So you may have heard around 30 high profile twitter users got phished.

This is a regular occurrence on many different sites and generally seems to be aimed at financial services (a.k.a. banks) and high profile online shopping (eBay, Amazon and the like).

What makes this more of a big deal is that people generally have a hard time remembering passwords, so they tend to use the same password for everything: bank(s), eBay, PayPal, Twitter, Flickr, Yahoo!, Google, Facebook, etc. So if you get the username and password for one user on one site, you may well be able to compromise that user all over the web.

However one thing that you can do to protect your web presence is NOT USE THE SAME PASSWORD EVERYWHERE!

Now I use a Firefox plugin called PasswordMaker.

This creates a hash of a password of your choice combined with the domain name of the site you are currently browsing, and adds a context menu link to your browser so you can easily populate web forms when you need your password.

It has lots of options, but here’s a quick screen grab of the main page:

PasswordMaker main panel, showing generated password for this site. No not my real one, you think I'm dumb!

As you can see, using the master password, i.e. your one password you can remember, it will generate a unique password for each website you visit.

You can also cache your master password for one browser session (store master password: in memory) or permanently (store master password: on disk & in memory).

You can choose the password length, hashing algorithm, obfuscator (i.e. leet speak), and character set to use (see below).

PasswordMaker Settings

All of these can be altered for specific sites, e.g. use longer password lengths for banking sites etc..
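To show why one phished password then only unlocks one site, here is a cut-down version of the scheme described above, written as an added example for this post (it is not PasswordMaker's own code or its exact algorithm, which has many more options): the master password and the domain are fed through a keyed hash, and the digest is mapped onto the chosen character set at the chosen length. The function name `site_password`, the use of HMAC-SHA256 and the two sample character sets are my own choices.

```python
import hashlib
import hmac
import string

# Character sets a user might pick; a per-site setting in the tool.
# These two sets are constructed for this example.
CHARSETS = {
    "alnum": string.ascii_letters + string.digits,
    "alnum_symbols": string.ascii_letters + string.digits + "!@#$%^&*()_-+=",
}


def site_password(master, domain, length=12, charset="alnum"):
    """Derive a deterministic per-site password from master + domain.

    Same inputs and settings always give the same password, so nothing
    is stored anywhere; change the length or charset for a site and you
    get a different password, which is why per-site settings must be
    kept consistent.
    """
    alphabet = CHARSETS[charset]
    domain = domain.lower()  # "Twitter.com" and "twitter.com" must agree
    # Only accept bytes below this limit so every character is equally
    # likely (256 is not a multiple of the alphabet size).
    limit = 256 - (256 % len(alphabet))
    out = []
    counter = 0
    while len(out) < length:
        # A counter in the message lets us produce more bytes than one
        # digest holds when a long password is requested.
        msg = "%s:%d" % (domain, counter)
        digest = hmac.new(master.encode(), msg.encode(), hashlib.sha256).digest()
        for b in digest:
            if b < limit:
                out.append(alphabet[b % len(alphabet)])
                if len(out) == length:
                    break
        counter += 1
    return "".join(out)


def phish_blast_radius(master, domains):
    """Return True if any two sites end up sharing a password."""
    derived = [site_password(master, d) for d in domains]
    return len(set(derived)) != len(derived)
```

A phisher who captures the Twitter password gets only the Twitter password; the one secret worth protecting (and worth making long) is the master, since the derived values can be used to guess at it offline.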

If you’re not a Firefox user, there is a downloadable version for your desktop, a JavaScript version you can save locally, or an online version (which also uses JavaScript in your browser; they don’t post your details to a service! That would be nuts!).

PasswordMaker is a SourceForge project, so if you want to look under the hood, lend a hand or even get ideas for other neat ways to do something similar, you can.

I suspect we will see more of these social sites targeted for phishing as people are getting wise to the PayPal, eBay and bank phishing, and more browsers or browser toolbars are detecting those and blocking them. That leaves social sites, which are perceived as low threat for now, as a possible exploit vector.

So use different passwords for different sites, or you may be liable to one phish compromising your whole online life. There are tools to help!
