Important security settings on Facebook
Information security is important. Remember: without security there is no privacy! Today, E-Crime Expert presents several security measures Facebook has in place for securing your private data and account.
1. Change your password (Frequently)
i. Log on to your Facebook account, click “Settings” (1) and then click “Account settings” (2) in the drop-down menu (Fig. 1).
Fig. 1
ii. Select the “General Settings” menu on the left and then click the “Edit” link in the Password field (on the right side of the page). See Fig. 2.
Fig. 2
iii. Now follow the three steps below:
- type your current password (for security reasons);
- type your new password (check this blog post here on how to choose a strong password);
- type your new password again.
Click “Change password” and your password will be changed (Fig. 3).
Fig.3.
iv. To be sure the password change takes effect on all your devices, tick the “Log me out of other devices” box and click “Submit” in the message that appears after you change your password. This signs you out of every device on which you are automatically logged in, so the next time you use one of them you will be prompted for the new password. This extra measure protects your information if one of your devices is lost or stolen, or if it is shared with other people (Fig. 4).
Fig. 4.
2. Check your active sessions
i. You can also check from where your account was logged on to recently.
Click the “Security settings” tab on the left (see the pictures above for how to get there), then go to the bottom right of the page and select “Edit” in the “Active sessions” menu (Fig. 5).
Fig.5
ii. Now you can check where you are logged on from during the current session (top of the page) and, below it, where you were logged on from in previous sessions. Locations are estimated from the IP address, so a neighbouring city or your mobile carrier’s location can be legitimate; an unfamiliar country or device is the warning sign.
*Note: if you appear to be logged on from countries you have never been to (or have not been to recently), or from devices you do not use, someone else has logged on to your account without authorization (Fig. 6).
**If you notice any unfamiliar devices or locations, click “End Activity” to end the session and log out whoever is using your account fraudulently.
Then change your password immediately, as explained under section 1 of this blog post!
Fig.6
3. Login notifications and login approvals.
i. Go to “Security settings”, as explained above, find the “Login Notifications” menu and click “Edit” (Fig. 7).
Fig.7
ii. Then select either “Email” or “Text message”, or select both. Click “Save changes”.
You will now be notified by email or text message whenever your Facebook account is accessed from a device you have not used before (Fig. 8).
Fig.8
iii. Furthermore, you can set up Login approvals, which apply when you log in to your account from an unknown device.
Go to “Security settings” (see above) and then to “Login approvals” (below “Login Notifications”). Click “Edit” and tick the box that reads “Require a security code to access my account from unknown browsers”. Don’t forget to click “Save changes”. From now on you will be notified, or prompted for a one-time code (delivered by email or text message), before being allowed to log in to your Facebook account from an unknown device (Fig. 9). Because the code is a second factor, a stolen password alone is no longer enough to get in, so protect the phone or mailbox that receives the code just as carefully.
To learn what an unknown or unrecognized device means, keep reading below.
Fig.9
4. Recognized devices.
You can choose which devices are treated as recognized when using Facebook.
Go to “Security Settings” (as explained above), click “Edit” in the “Recognized Devices” menu and review the list. A device is added as recognized the first time you log on to your Facebook account from it (for instance after you change your password), when you are prompted whether you want to save that device as a recognized device or not. Be careful: never save a computer at school, at work, in a public library or in a hotel as a recognized device, because login approvals are not requested on recognized devices. Check this menu regularly and make sure every device listed is one you trust. If not, simply click “Remove” on the right of that device (for example, a computer you used once in a library).
Don’t forget to click “Save changes”, as usual (Fig. 10).
Fig.10
5. Trusted friends
i. To get set up, visit your “Security Settings” (as explained above), where you can select three to five friends as your trusted contacts.
Find “Trusted contacts”, click “Edit” and then “Choose trusted contacts” (Fig. 11).
Fig.11
ii. Type the names of 3-5 of your trusted friends. You can select them one by one.
Don’t forget to click “Confirm” (Fig.12).
To select good trusted contacts:
– Choose people you trust, like friends you’d give a spare key to your house.
– Choose people you can reach without using Facebook, ideally over the phone or in person, since you’ll need to contact them when you can’t log in.
– Choose more people to help you. The more friends you choose, the more people who can help you when you need it.
Fig.12
iii. As a security measure, you will be prompted to enter your account password (even if you are already logged on). Click “Submit” when done (Fig. 13).
Fig. 13
iv. Immediately afterwards, your trusted friends will appear under “Trusted Contacts”. You can keep them all, or remove one or all of them if you are not happy with your choice (Fig. 14).
Fig.14
v. To make sure it was you who selected the trusted friends, Facebook sends a message to the mailbox linked to your Facebook account confirming that you added trusted contacts (Fig. 15).
If you did not do this, someone has most likely hacked into your account. Change your password immediately!
Fig.15
vi. Using Trusted Contacts
Once you’ve set up your trusted contacts, if you ever have trouble logging in, your trusted contacts are one option for help. You just need to call them and let them know you need their help to regain access to your account. Each of them can get a security code for you, with instructions on how to help. Once you have three security codes from your trusted contacts, you can enter them into Facebook to recover your account.
With trusted contacts, there’s no need to worry about remembering the answer to your security question or filling out long web forms to prove who you are. You can recover your account with help from your friends. Since this is a recovery path into your account, it is also a target: ask your trusted contacts to hand over a code only after confirming by phone or in person that it is really you asking.
***Note: if you have set up login notifications, login approvals and recognized devices, and you receive an email from Facebook notifying you that someone tried to log on to your account on day X from location Y using device Z (and none of those relate to you), change your password immediately (as explained under section 1 of this blog post), because someone has definitely tried, or succeeded, to fraudulently log in to your account (see the example in Fig. 16).
Fig.16
Any questions can be submitted to: dan@e-crimeexpert.com
Additional information can be found at: http://www.e-crimeexppert.com
To find out more about Dan Manolescu, visit his LinkedIn page here.
Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog
Beyond Data Protection – published today!
Dan Manolescu is glad to announce his contribution to the Beyond Data Protection book, published by Springer and available to the public from today, January 31, 2013. You could find Dan’s contribution under the “Data Protection Enforcement: The European Experience – Case Law” chapter.
This book provides a practical approach to addressing data protection issues in business and daily life. It also compares, contrasts and substantiates the different principles and approaches in Asia, Europe and America, and recommends leading best practices to practitioners and stakeholders based on the divergent technologies involved.
I strongly recommend purchasing this book, considering the excellent material contributed by several top scholars in the privacy and data protection fields.
You could find more info about this book here.
This great opportunity would not have been possible without the tremendous work of Noriswadi Ismail, an excellent data protection and privacy scholar and practitioner. He is also the mastermind behind Quotient Consulting, a boutique firm which focuses on an array of data protection and privacy consulting services such as: Data Diagnosis, Privacy Impact Assessment, Data Protection & Privacy Strategy, Training, Data Protection & Privacy Certification, Public & Private Consultations.
In addition, Philipp Fischer’s contribution to this book is remarkable. Philipp is also an outstanding data protection and privacy scholar and professional and he is the CEO of SuiGeneris Consulting, which provides privacy and data security practice, data-use business models and how data flows generate profits. He has extensive underlying subject matter experience at the interface between information security requirements, data protection & – privacy law and economics; especially in information security, quality management, consumer protection, intellectual property, software programming and risk assessment. That enables him to provide strategic business consulting on all aspects of information policy, including privacy, information security and records management.
Last but not least, E-Crime Expert has signed strategic partnerships with Quotient Consulting (with a subsidiary in London, UK) and with SuiGeneris Consulting (based in Munich, Germany).
If you have additional questions, please contact us: dan@e-crimeexpert.com
Password Authentication security: using HASH and SALT
E-Crime Expert presented some time ago a video tutorial (click here) on how to create strong passwords. That material was addressed to regular users.
Today, E-Crime Expert tries to help regular users (not information security professionals) understand how a HASH and a SALT help protect their passwords in a database (e.g. at online stores, web applications, email service providers and other online service providers).
I. HASH
Hashing is the usual basis of password authentication: the system stores only a “hashed” form of the plaintext password. When a user types a password into such a system, the password-handling software runs it through a cryptographic hash algorithm (a function that transforms readable data of any length, such as a name, into a fixed-size bit string that looks like a random combination of letters and numbers) and, if the hash value generated from the user’s entry matches the hash stored in the password database, the user is permitted access.
The password itself is never stored in the database, only the hash. When the user enters the password in the login form, the authentication software computes the hash of what was typed and compares it with the hash already in the database. If they match, the user is granted access.
Example:
Password: Dan
Hash value (output of the cryptographic hash function): ABCD 1234 EFG1 2541 H2MN 4567 BDVS 4451 AAM2 A2A3A4
The above hash value is what the database stores in place of the user’s password (which is never stored).
Note: the hash string provided above is pure illustrative.
Because a cryptographic hash is one-way, an attacker who steals the database cannot simply read the passwords out of it. A plain hash on its own is, however, only a partial defence against dictionary attacks (a dictionary attack is a technique for defeating a cipher or authentication mechanism by trying likely candidates, such as words in a dictionary, as the key or passphrase): the attacker can hash every word in the dictionary once and compare the results with every stored hash in the database. Closing that gap is the job of the SALT, described next.
II. SALT
When cryptography is used for authentication, a SALT is a string of random bits (a random sequence of numbers and letters) that forms one of the inputs to a one-way function; the other input is the password or passphrase. A one-way function is easy to compute in the forward direction, so the authentication software can quickly recompute the value for a given salt and password and recognise a legitimate login, but infeasible to invert, so an attacker who holds the output cannot work backwards from it to the password.
The SALT is combined with the password before hashing, usually by placing it in front of the password, and is then stored next to the resulting HASH (the salt does not need to be secret; its job is to make the hash unique per user). With “double salting” a second, different SALT is placed after the password, so the input to the hash is SALT + password + SALT2.
Example:
Password: Dan
SALT (random, generated when the password is set): aB1cD2eF3G
Input to the hash function: (SALT) aB1cD2eF3G + (password) Dan = aB1cD2eF3GDan
HASH of that input: ABCD 1234 EFG1 2541 H2MN 4567 BDVS 4451 AAM2 A2A3A4
Stored in the database: (SALT) aB1cD2eF3G + (HASH) ABCD 1234 EFG1 2541 H2MN 4567 BDVS 4451 AAM2 A2A3A4 = aB1cD2eF3G ABCD 1234 EFG1 2541 H2MN 4567 BDVS 4451 AAM2 A2A3A4
Double SALTING: the input to the hash function is (SALT) aB1cD2eF3G + (password) Dan + (different SALT) Ba23Dg54R9G = aB1cD2eF3GDanBa23Dg54R9G, which produces a different HASH; both salts are stored next to that HASH.
Note: the HASH strings and SALTs provided above are purely illustrative.
Without a SALT, a successful SQL injection attack (a code injection technique that exploits a vulnerability in a website’s software to retrieve the database contents for the attacker) may yield easily crackable password hashes. Because many users reuse passwords across multiple sites, the use of a salt is an important component of overall web application security. A salted password also makes a lookup-table-assisted dictionary attack against the stored values impractical, since a table would have to be precomputed for every possible salt.
A SALT also makes brute-force attacks (trying every possible key or password until the correct one is found) for cracking large numbers of passwords much slower. Without salts, an attacker cracking many passwords at the same time only needs to hash each password guess once and compare it with all the stored hashes. With salts, each password has a different salt, so each guess has to be hashed separately for every salt, which is much slower, especially when the password hash is deliberately designed to be computationally expensive.
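The HASH and SALT explanations above, as a worked example added here (Python code written for this page, not code from the original post). It contrasts a plain SHA-256 hash with a salted password record built on Python’s standard-library PBKDF2-HMAC (a deliberately slow hash designed for passwords), and runs a dictionary attack against both: the attacker’s precomputed table cracks the unsalted hash with one lookup but is useless against salted records, where every guess must be rehashed per record. The password “Dan”, the three-word attacker dictionary and the 50,000-iteration work factor are constructed demo values; only a single salt is shown, not the “double salting” variant.

```python
import hashlib
import hmac
import secrets

# Constructed demo settings, not taken from the original post.
ITERATIONS = 50_000  # PBKDF2 work factor; production deployments tune this higher


def unsalted_hash(password: bytes) -> str:
    """Plain one-way hash. Two users with the same password get the same value."""
    return hashlib.sha256(password).hexdigest()


def make_salted_record(password: bytes, salt: bytes = b"") -> str:
    """Build the stored record 'iterations$salt$hash'.

    hash = PBKDF2-HMAC-SHA256(password, salt). The salt is random per user and
    stored in the clear next to the hash; it does not need to be secret, its job
    is to make identical passwords produce different hashes.
    """
    if not salt:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(record: str, candidate: bytes) -> bool:
    """Recompute the hash of the candidate with the stored salt and compare."""
    iterations, salt_hex, digest_hex = record.split("$")
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", candidate, bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(recomputed.hex(), digest_hex)


def build_lookup_table(wordlist: list[bytes]) -> dict[str, bytes]:
    """Attacker side: hash each dictionary word once and reuse the table against every victim."""
    return {unsalted_hash(word): word for word in wordlist}


def crack_unsalted(stored_hashes: list[str], table: dict[str, bytes]) -> dict[str, bytes]:
    """One table lookup per stored hash; the precomputation is paid once, not per victim."""
    return {h: table[h] for h in stored_hashes if h in table}


def crack_salted(records: list[str], wordlist: list[bytes]) -> tuple[dict[str, bytes], int]:
    """With per-user salts the table is useless: every guess must be rehashed for every record.

    Returns the cracked records and the number of hash computations spent.
    """
    found: dict[str, bytes] = {}
    hash_ops = 0
    for rec in records:
        for word in wordlist:
            hash_ops += 1
            if verify(rec, word):
                found[rec] = word
                break
    return found, hash_ops


if __name__ == "__main__":
    wordlist = [b"password", b"Dan", b"letmein"]  # constructed attacker dictionary
    # Two different users who both chose the password "Dan"
    print(unsalted_hash(b"Dan") == unsalted_hash(b"Dan"))  # True: unsalted hashes collide
    r1, r2 = make_salted_record(b"Dan"), make_salted_record(b"Dan")
    print(r1 != r2)                                         # True: salted records differ
    table = build_lookup_table(wordlist)
    print(crack_unsalted([unsalted_hash(b"Dan")], table))   # cracked with a single lookup
    print(crack_salted([r1, r2], wordlist))                 # cracked too, but 4 slow hashes
```

The point to notice is the cost curve: against unsalted hashes the attacker hashes the dictionary once and then cracks any number of accounts by lookup, whereas against salted records the work is dictionary size times number of accounts, and each of those hashes is deliberately slow.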
Note: This Article is not intended to offer advice to information security professionals but to help regular readers/users understand how their passwords are protected when using online stores, online services, web-based applications, etc, by presenting a basic and general concept of these key features used for authentication security).