The Info Sec Factory


Top Identity Tips for Home Users

Below are our top 6 tips for protecting your user identity.

  1. Use unique and complex passwords. Don’t reuse username and password combinations between online services. If one site is compromised and those credentials are shared across all your subscriptions and services, the chance of your other accounts being compromised grows with every service that shares them. If you have trouble remembering credentials, use a password locker (password manager).

  2. Use Multi-Factor Authentication: authenticator apps and hard tokens are best, but SMS is effective against all but targeted attacks. Most services, from investing sites to Amazon, support some form of MFA.

  3. On home PCs, do not use an admin account for day-to-day use. Create a separate standard user account for browsing the web and checking email. Many attacks require elevated privileges to be effective. If you click a malicious link but your account doesn’t have the rights to install software, there is a fair chance the threat ends right there. Reserve the admin account for the occasions when you actually need it.

  4. For most consumer/home users, your email address serves as your identity for all your services (social media, banking, health care, insurance). Now think about how many of those services use your email for password recovery. If a bad actor has access to your email, it’s quite plausible that they can leverage that access to pivot into another online service. Make sure you have MFA enabled on your email. The big email providers like Microsoft and Google offer free MFA as well as access reports that show when your account was accessed and from where. It may also make sense to have a separate email account for critical services and one for everything else.

  5. This tip could easily fall under Web and Email Safety, but it’s worth including here. Be aware of where you are entering your credentials. Be extremely wary of entering your username and password in response to an email imploring you to take immediate action. In most cases, unsolicited login requests are phishing emails that lead you to a bogus site where a bad actor captures your credentials. It is always best to type in the known URL yourself before you enter your username and password. Look at these two bogus URLs: www.liefakesite123456.com and www.Iiefakesitel23456.com. You probably did not notice that the first character is different between the two: one is a lowercase “L”, the other is a capital “i”. At a quick glance you probably also missed that the number “1” was replaced with the lowercase letter “L”.

  6. Explicitly log out of online services when you are done. 

  7. If you suspect an account has been compromised, change the account password immediately and review steps 1-6.
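The "look before you type" advice in tip 5 is what a browser or mail filter does mechanically when it flags homograph domains: it collapses visually confusable characters (capital I, digit 1 and lowercase L; digit 0 and letter o; a few Cyrillic and Greek letters) to one representative and compares the result with a list of trusted hostnames. The Python script below is an added example, not code from the original post. Its confusable table is a small hand-written subset, and the `example-bank.test` domain is constructed for illustration; the first pair it compares are the two bogus hostnames quoted in tip 5.

```python
"""Lookalike-hostname check based on confusable characters.

Added example (not from the original post).  A hostname is reduced to a
"skeleton" in which confusable characters collapse to one representative;
two hostnames with the same skeleton look the same to a human reader.
The confusable table is a constructed subset for illustration, not a
complete Unicode confusables list.
"""
from typing import Iterable
from urllib.parse import urlsplit

# Constructed subset of confusable sequences.  Multi-character entries are
# applied first because a character-by-character pass would miss them.
MULTI_CHAR = [("rn", "m"), ("vv", "w"), ("cl", "d")]
SINGLE_CHAR = {
    "I": "l", "1": "l", "|": "l",  # capital i, digit one, pipe -> lowercase L
    "0": "o",                      # digit zero -> letter o
    "\u03bf": "o",                 # Greek omicron -> o
    "\u0430": "a", "\u0435": "e", "\u0440": "p", "\u0441": "c",  # Cyrillic a, e, r, s
}


def hostname_of(url: str) -> str:
    """Return the hostname of a URL or bare domain, preserving case.

    urlsplit().hostname lowercases, which would erase the capital-I trick,
    so the netloc is taken apart by hand (user:pass@ and :port are dropped;
    IPv6 literals are not handled in this example).
    """
    if "//" not in url:
        url = "//" + url
    netloc = urlsplit(url).netloc
    netloc = netloc.rsplit("@", 1)[-1]
    return netloc.split(":", 1)[0]


def skeleton(host: str) -> str:
    """Collapse confusable characters, then lowercase."""
    for seq, rep in MULTI_CHAR:
        host = host.replace(seq, rep)
    host = "".join(SINGLE_CHAR.get(ch, ch) for ch in host)
    return host.lower()


def confusable(url_a: str, url_b: str) -> bool:
    """True when two hostnames are visually interchangeable after skeletonizing."""
    return skeleton(hostname_of(url_a)) == skeleton(hostname_of(url_b))


def classify(url: str, trusted_hosts: Iterable[str]) -> str:
    """'trusted' for an exact trusted hostname, 'lookalike of <host>' when
    only the skeleton matches a trusted hostname, otherwise 'unknown'."""
    trusted_hosts = list(trusted_hosts)
    host = hostname_of(url)
    for trusted in trusted_hosts:
        if host.lower() == trusted.lower():
            return "trusted"
    sk = skeleton(host)
    for trusted in trusted_hosts:
        if skeleton(trusted) == sk:
            return f"lookalike of {trusted}"
    return "unknown"


if __name__ == "__main__":
    # The two bogus hostnames quoted in tip 5 collapse to the same skeleton.
    print(confusable("www.liefakesite123456.com", "www.Iiefakesitel23456.com"))
    # Constructed trusted domain and candidates a user might be sent to.
    trusted = ["example-bank.test"]
    for u in ["https://example-bank.test/login",
              "https://examp1e-bank.test/login",
              "exampIe-bank.test",
              "https://other.test/"]:
        print(f"{u:40} -> {classify(u, trusted)}")
```

The comparison is symmetric because trusted hostnames are skeletonized too, so a legitimate domain that happens to contain "rn" or a digit is still matched exactly by the `trusted` branch before any skeleton comparison runs.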