What are the most important steps to protect a web account and prevent its content from being accessed by third parties? Online identity theft is an incident that unfortunately occurs more and more frequently. Unauthorized access to any one of the many accounts a user has created online can then serve as a bridgehead for launching targeted and potentially destructive attacks.
Protecting web accounts and keeping them secure is a task that should never be neglected. Think of a Google account: if an attacker gained access to it, they could read the user’s email, open every attachment and, for example, view the documents saved in Drive.
That information would allow the victim to be attacked on several fronts, giving the attacker immediate access to other services (email is often an inexhaustible source of access credentials and other strictly personal data).
But there is no need to pick on Google: if a user neglects to protect web accounts that are less “rich” in data, their content can still be exploited to gain access to other accounts. Below we present the ten most effective methods for improving the security of web accounts. We all have many accounts today: email addresses from various providers, Google, Microsoft, Apple, Facebook, Twitter, PayPal, eBay, Amazon, Dropbox accounts and so on.
Protecting accounts adequately means avoiding any risk of attack.
How To Secure Web Accounts In A Few Steps
Never, For Any Reason, Use The Same Credentials For Multiple Accounts
This is “rule number one”. Unfortunately, even today, most users still don’t realize how important it is to choose a different password for each online service they use. If an account is compromised, or a data breach occurs on the server side, an attacker can easily access the same user’s other accounts that “share” the same password.
Carefully Choose The Password To Protect Your Account
When choosing the password to protect any account, you should always avoid all “weak” passwords and, above all, passwords containing references to yourself: important dates, relatives, anniversaries, pets, etc. Such information can be “raked” from social networks and exploited to gain unauthorized access to an account. Passwords should always be long (preferably at least 14 characters) and complex: use alphanumeric characters and at least one symbol. These precautions make it possible to avoid the risk of brute-force or dictionary-based attacks.
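As an added example (not code from the original article), a small Python check that encodes the two rules above: it rejects passwords shorter than 14 characters, passwords without letters, digits and at least one symbol, and passwords containing personal references, and it flags a password that is already in use for another service. The personal facts and the vault contents are constructed sample data.

```python
from __future__ import annotations
import hashlib
import re

# Constructed example of facts an attacker could "rake" from a victim's social
# profiles: first name, surname, birth year, pet's name, home town.
PERSONAL_FACTS = ["Mario", "Rossi", "1985", "Fido", "Milano"]


def password_problems(password: str, personal_facts=PERSONAL_FACTS, min_len: int = 14) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not re.search(r"[A-Za-z]", password) or not re.search(r"[0-9]", password):
        problems.append("must mix letters and digits")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("must contain at least one symbol")
    lowered = password.lower()
    for fact in personal_facts:
        if fact.lower() in lowered:
            problems.append(f"contains personal reference '{fact}'")
    return problems


def reused_on(password: str, vault: dict) -> list:
    """Return the services in `vault` already protected by this exact password.

    `vault` maps service name -> SHA-256 hex digest of that service's password,
    so the reuse check only compares digests, never the stored passwords themselves.
    """
    digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
    return [service for service, stored in vault.items() if stored == digest]


# Constructed local vault for the demo: digests of the passwords of two services.
VAULT = {
    "gmail": hashlib.sha256(b"Tr4mway-Olive-Glacier!").hexdigest(),
    "paypal": hashlib.sha256(b"Quartz#9-Harbour-Lantern").hexdigest(),
}

if __name__ == "__main__":
    for candidate in ["Fido1985!Milano", "Short1!", "Tr4mway-Olive-Glacier!", "correct-horse-battery-9"]:
        print(candidate, password_problems(candidate), reused_on(candidate, VAULT))
```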
Use Two-Factor Authentication
Especially for the protection of accounts that contain a lot of personal data (think Facebook, Google Drive/Gmail, Microsoft OneDrive/Outlook.com, and Dropbox), we recommend turning on two-factor authentication. To access the account, it is then not enough to know and enter the normal credentials (username and password): you must also use a device you own (to which a confirmation code is sent) or a biometric factor.
To protect your Google account, we suggest activating the excellent Google Prompt mechanism. It provides two-factor authentication without requiring the user to manually enter any confirmation code. Thanks to a message from Google, whenever a new attempt to access your Google account is detected, a screen appears on your Android device with the question “Are you trying to access?”.
You can authorize or deny access to your Google account from that same screen. Facebook, Google, and Dropbox support U2F (FIDO) security keys as an alternative second factor: Access Google, Gmail and Dropbox without typing a password. In the case of Microsoft accounts, to activate two-factor authentication, access this page and then choose Set up two-step verification in the Two-step verification section.
Request Notifications For Suspicious Or Unauthorized Logins
Google automatically sends notifications about any suspicious or unauthorized login attempt. On Facebook, on the other hand, it is advisable to verify manually that this setting is active by accessing this configuration page and selecting the options Receive notifications and Login alerts by email.
Don’t Use Online Password Managers
Although some products are now popular and widely used, we prefer not to rely on cloud password managers. Many of these solutions store your credentials encrypted on the server side and encrypt usernames and passwords while they are sent and received.
Periodically, however, independent researchers and security companies identify gaps in online password managers or, in any case, in the applications used to interface with the various services: Android password managers are vulnerable, according to the Fraunhofer Institute. Of course, in most cases the vulnerabilities are promptly fixed, but it seems unreasonable to entrust the management of all one’s access credentials, some of which are very sensitive, to third parties.
Check The Latest Accesses To Your Account
In the case of Google, by accessing this page, you can check the security level of your account.
The step-by-step procedure helps you review, from a single screen, all the most important settings that let you protect your account properly. In the Control connected devices section, Google displays the full list of devices you’re signed in from. You will find similar information in the Facebook settings screen under Where you logged in.
Check The Applications Authorized To Access
Google, Facebook, Microsoft, Dropbox, and so on allow the user’s account to be linked to applications developed by third parties. The account’s access credentials are never shared with those applications; instead, the OAuth protocol is generally used, which, through a software token, grants an application access to part of the account data.
Over time, users grant access to many applications, each of which can then use the permissions granted and the information in the account. We recommend using the following pages to check which apps have access to your account and to revoke permissions for apps you no longer use:
- Apps linked to Google account
- Apps and services that can access Microsoft account
- Apps that can access Facebook data
- Apps that are entitled to access content saved in a Dropbox account (scroll the screen to the Connected Applications section)
Don’t Rely On “Secret Questions”
As early as 2015, Google highlighted how secret questions are now an outdated and, often, counterproductive protection system: Security questions: need to be more secure. Setting an obvious answer to the security question can seriously put your account security at risk. Many users set the answer to the security question rashly, providing information that can often be found, for example, by other users on their Facebook wall. Our advice is, therefore, to put aside the use of the “security question”, preferring two-factor authentication, as seen previously.
Do Not Log Into Your Accounts On Other Users’ Systems
It is true that all major websites use an HTTPS connection, which prevents the theft of login data and other data exchanged with the remote server. However, logging into your accounts from someone else’s system is always inadvisable: a malicious component or a keylogger could be cleverly concealed there, exposing you to a substantial risk of digital identity theft.
If you have logged in on another computer or device and need to log out of your account remotely, we suggest you follow the instructions in the article Logging out Gmail, Google and Facebook remotely. As an additional precaution, change your password as well.
Use Email Accounts That Support The Use Of Encryption (TLS Protocol)
Email messages often contain sensitive information and strictly personal data. If you use an account that does not support encryption (whether emails are received via POP3 or IMAP and sent via SMTP makes no difference) and therefore does not allow the use of the TLS protocol, any malicious user connected to the same network could easily intercept not only the contents of the emails but also the username and password used to access the email account.
Especially if you use WiFi networks managed by third parties, the TLS protocol for sending and receiving emails is essential: Email: SSL, TLS and STARTTLS. Differences and why to use them. When choosing the best email service provider, we placed the availability of authenticated access via TLS at the top of the list: Creating an email address: which service to choose.
It is also important that the email service provider uses the TLS protocol when communicating with other providers’ mail servers (MTAs, mail transfer agents).
When the other provider’s server also supports TLS, emails are encrypted along their entire path, offering the best guarantees of security and privacy (Google Gmail supports this approach). By visiting this page and entering the domain name of your mail provider in the Explore data box, you can immediately check whether the chosen provider encrypts messages in transit.
The Gmail web interface shows an icon depicting an “open” red padlock when an email, in all likelihood, will not be encrypted before reaching the recipient’s inbox. Clicking the icon, Gmail displays a message explaining that the destination mail server does not support encryption and recommending caution when sending personal information and sensitive data.
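As an added example (not from the original article), a Python client routine that applies the rule from this section when sending mail: it inspects the server’s EHLO reply and transmits the username and password only after the session has been upgraded with STARTTLS and the certificate verified. The host, port and the two EHLO replies used for the offline check are constructed sample values, not captured from any real provider.

```python
import smtplib
import ssl


def starttls_offered(ehlo_response: bytes) -> bool:
    """True if an EHLO reply (as returned by smtplib's ehlo()) advertises STARTTLS.

    smtplib strips the "250-" prefixes, leaving the hostname on the first line
    and one capability per following line.
    """
    for line in ehlo_response.decode("ascii", "replace").splitlines():
        tokens = line.strip().upper().split()
        if tokens and tokens[0] == "STARTTLS":
            return True
    return False


def login_only_over_tls(host: str, port: int, user: str, password: str) -> bool:
    """Authenticate to an SMTP submission server, refusing to send the password
    unless the session has first been upgraded to TLS.

    Returns True after a TLS-protected login, False if the server offers only a
    plain-text session (in that case the credentials are never transmitted).
    """
    context = ssl.create_default_context()  # verifies the server certificate
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        code, ehlo_msg = smtp.ehlo()
        if code != 250 or not starttls_offered(ehlo_msg):
            return False
        smtp.starttls(context=context)
        smtp.ehlo()  # capabilities advertised after the upgrade may differ
        smtp.login(user, password)
        return True


# Constructed EHLO replies for offline checking (hypothetical provider names).
EHLO_WITH_TLS = b"mail.example.test\nSIZE 35882577\nSTARTTLS\nAUTH PLAIN LOGIN"
EHLO_WITHOUT_TLS = b"mail.example.test\nSIZE 35882577\nAUTH PLAIN LOGIN"

if __name__ == "__main__":
    print("provider A offers STARTTLS:", starttls_offered(EHLO_WITH_TLS))
    print("provider B offers STARTTLS:", starttls_offered(EHLO_WITHOUT_TLS))
```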