I thought I would begin to summarize some of the lessons I have learned after my Facebook account was hijacked last week.
Here are a couple of quick tips on password security that I recommend to all Frequent Facebook Fliers (FFF). Start doing this immediately:
More lessons learned in future posts.
- Change Your Password Frequently. If you have not changed your password recently, go to Accounts and then Account Settings in Facebook to change your password.
- Use a Strong Password. The name of your cat or dog is not a strong password. I recommend reading the article: Strong Passwords: How to Create and Use Them. Use a Password Checker to verify the strength of your password. (Note: don't try your actual passwords against these password checker sites because most of them accept passwords in the clear. This means your passwords might be intercepted even as you are checking the password! Experiment with password checkers to see what kinds of passwords are the strongest.)
- Use a Password That's Unique to Facebook. If you are a Frequent Facebook Flier (FFF), then try to develop and use a password that's unique to the Facebook site. I know we want to limit the number of passwords we need to remember and keep track of, but this is a way of spreading your risk if either your Facebook account or another account is compromised.
- Don't Use the Default Facebook Login Page. Facebook's default login page (http://facebook.com) is insecure and can be easily spoofed. Instead, set your bookmark to http://login.facebook.com. In general, whenever you are transmitting passwords or sensitive information such as credit card numbers or social security numbers, don't trust the website unless you see a secure padlock and the name of the web site displayed at the bottom right-hand corner of your browser. (Note: There is a subtlety here. The padlock and name of the website should not be in the web page itself but in the browser border. I will illustrate the difference with some visuals later.) In the meantime, make sure that you always use http://login.facebook.com to log in to Facebook. Facebook should be condemned for not taking care of this easy fix. It's just plain inexcusable that users have to resort to a workaround.
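The password-checker tip above warns against typing a real password into a web form that sends it in the clear. The following is an added example (not from the original post, and not any real checker's code) of how the same kind of strength check can be run entirely offline: it estimates guessing entropy from the character set, undoes common digit-for-letter substitutions, and penalises dictionary words such as pet names and repeated patterns. The word list and the 28/50-bit thresholds are constructed for illustration.

```python
import math
import re

# Constructed mini dictionary of common passwords and pet-name style words;
# a real offline checker would load a large word list (illustrative assumption).
COMMON_WORDS = {"password", "facebook", "fluffy", "rover", "whiskers",
                "qwerty", "letmein", "welcome", "123456"}
# Undoing common "leet" substitutions stops p@ssw0rd from looking random.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

def charset_size(s):
    """Alphabet size a brute-force attacker must cover for the characters in s."""
    size = 0
    if re.search(r"[a-z]", s): size += 26
    if re.search(r"[A-Z]", s): size += 26
    if re.search(r"[0-9]", s): size += 10
    if re.search(r"[^A-Za-z0-9]", s): size += 33   # printable ASCII symbols
    return size

def repeating_unit(s):
    """Shortest unit whose repetition reproduces s ('abcabc' -> 'abc')."""
    for n in range(1, len(s) // 2 + 1):
        if len(s) % n == 0 and s[:n] * (len(s) // n) == s:
            return s[:n]
    return s

def estimate_bits(pw):
    """Rough guessing-entropy estimate in bits; lower means weaker."""
    if not pw:
        return 0.0
    stem_raw = re.sub(r"[^a-z]+$", "", pw.lower())   # drop appended digits/symbols
    if stem_raw and stem_raw.translate(LEET) in COMMON_WORDS:
        suffix = pw[len(stem_raw):]
        bits = math.log2(len(COMMON_WORDS))          # word picked from a small list
        if suffix:                                   # appended part counts on its own
            bits += len(suffix) * math.log2(charset_size(suffix))
        return bits
    unit = repeating_unit(pw)
    bits = len(unit) * math.log2(charset_size(unit))
    if unit != pw:                                   # repeats add only the repeat count
        bits += math.log2(len(pw) // len(unit))
    return bits

def rate(pw):
    """Three-level verdict, roughly what online checkers display."""
    bits = estimate_bits(pw)
    return "weak" if bits < 28 else "fair" if bits < 50 else "strong"
```

Calling `rate("Fluffy2010")` returns "weak" because the pet name is recognised once the year is stripped, while `rate("Tq7#mVz9!pLw2")` returns "strong"; nothing leaves the machine in either case.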