Credentials Protection

Do not store credentials (username and password) in an insecure place.

This includes when your browser asks you if you want to save your password.  Stored passwords are not fully protected.

This includes in plain text in a password file.

This includes in an email account.

This includes on a piece of paper left out in the open.

Lock a written password away.

This includes in an unlocked rolodex or file cabinet.

Do not send credentials to others over email.

If you need to give someone the login credentials, call them, but limit the information as much as possible.

Try to be as obscure as possible because phone calls can be intercepted. If you give out the username, password, and web address, anyone who hears that information doesn't just have the credentials, but they have the location as well.  They can log in and make changes, cause damage, download sensitive information, etc.

Do not text (SMS) the information.

It is a little-known fact that employees at cell phone companies can read all text messages in plain text.

It is also a fact that your text messages can be intercepted by a third party with the correct software and a configured wireless router.

People can also listen to your call from nearby.  Make sure that no one is listening before giving out sensitive information.

Change your passwords periodically.

At least twice a year, preferably every three months.

Choose passwords that are difficult to guess.

When selecting passwords, use a combination of uppercase and lowercase letters.

Use at least 8 characters.

Include at least one number.

Adding a punctuation character greatly increases password security.

So does using more than one word, or eliminating vowels from single words.

When implementing these procedures, use something memorable, but do not be obvious.

Making your password "password" is extremely obvious.

Password1 is obvious.

#PssWrd5 is far less obvious.

#CellarDoors5 is memorable and not obvious.

#cLLrDrs5 is very secure, while still being memorable.

Do not use any of the suggested passwords in this memo.

Using your name or username as your password is obvious.

Ensure that no one is watching you as you type in your credentials.

This includes cameras, coworkers, family members, friends, guys with binoculars, and little robotic insects.

Email
  1. Never send usernames or passwords in emails.
    • Email traffic is not necessarily secure from viewing by a third party.
      • Email sent from any email program that does not use https in the address can be seen by other people on the web.
  2. When logging on to webmail, make sure the address is in this format: https://www.domain.com:2096.
    • This ensures that any passwords or emails are secure.
    • If any information transmission is intercepted, it is encrypted and therefore unusable by a third party.
  3. If using an email program, ensure in the settings that you are using a secure connection on port 587.
    • If you do not understand this, please consult an IT person or look through the Help section for your program.
  4. Do not send emails or log in to your email on a computer that you are not certain you can trust, even if it is your own.
    • If you suspect that your computer may be infected by malicious software, programs such as a keylogger may not only share your credentials with a third party, but may also log other personal information such as social security numbers and credit cards.
      • Just because you are on a secure website, or just because your password is hidden in the password field, does not prevent a keylogger from recording everything you type and sending it to someone else.
  5. Do not give out your email address and password to websites that will "add contacts" from your address book.
    • There may be reputable sites that offer this service, but it is always safer just to add your contacts yourself.
Browsing The Internet From Your Work Computer
"Work computer" is defined as any computer that you use to log into work-related websites, services, or networks.  This includes, but is not limited to, shopping cart admin areas, merchant accounts, content management systems, domain management accounts, FTP, VPN, remote desktop connections, databases, and control panels. The best policy for browsing the internet for purposes unrelated to work from your work computer is: don't.  If you accidentally download a virus or malware, then a third party may have access to all of your information, passwords, customer information, programs, etc. If you must browse the internet, see the rules below.
  1. Any website that asks for your username and password to an account other than the one on the website is automatically suspect.  If you come across one of these, leave immediately.
    • For example, if you're on UntrustableWebsite.com, and they ask for your Facebook Username and Password in order to add an app to your page, even if you have an account with UntrustableWebsite.com, you should pass on providing the information, and possibly never return to that site again.
  2. Limit browsing to known websites.
    • It is a good idea not to click on links to websites you have never been to before.  If you do not know what is on the other side of a link, you may compromise your work computer.
  3. Avoid downloading executable files from the internet.
    • A work computer is intended for performing work.  If you are going to use it for that purpose, downloading a program from an unknown author because you want to play online tennis is an unnecessary risk to your computer's integrity that doesn't meet the intended purpose of the machine in the first place.
    • Just because a program comes from its own website doesn't mean the program is trustworthy.  BikiniTennisMasters.com can still provide spyware for you to download with the lure of a flashy tennis game.  Only download programs from well-known companies.
  4. Do not transmit sensitive information on nonsecure websites.
    • A website is generally secure if it has https:// in the web address.
      • Unfortunately, many forms exist on pages that are not secure, but the locations that the forms send the information to are.  This is still secure, but if you do not know how to determine where a form sends its information before you submit it, it is difficult to know whether you can trust the site.  If in doubt, consult your IT department.
  5. If a browser does not recognize the certificate for a website, do not use the site to transmit sensitive information.
    • There are some sites that issue what is called a server certificate to themselves.  A server certificate's only purpose is to provide encryption for data and to assure you that the information you send is definitely going to that server.  However, there is no way to know who the server belongs to.  This is why a self-issued server certificate is not recognized by the browser.  If you definitely know who the server belongs to, you can proceed.
      • An example would be our webmail service.  If you log into https://www.yourdomain.com:2083, you will see an unrecognized certificate.  Since the website belongs to you, you can rest assured that you can trust yourself not to send your own sensitive information to a third party or use it for malicious purposes.  Further, the information you transmit will be encrypted.
  6. Do not surf for or download pirated software, music, movies, e-books, whatever.
    • It is not our responsibility to judge what you do.  We do, however, need to advise you that many places that provide these services do not have any qualms about invading your computer.
  7. When you are done making changes to the admin area, viewing emails, or using other web applications that require a login, log off, close the browser completely (this includes ALL browser windows), or both.
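
Rule 4 above notes that a form on a page can send its data to a different location than the page itself. The following is an added example, not part of the original memo, of how an IT person could check where each form on a saved page actually submits; the page contents and the example.com hosts are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class FormCollector(HTMLParser):
    """Collect the method and raw action attribute of every <form> on a page."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            a = dict(attrs)
            self.forms.append(((a.get("method") or "get").lower(), a.get("action") or ""))


def audit_forms(page_url, html):
    """Return (method, resolved_target, verdict) for each form in html."""
    collector = FormCollector()
    collector.feed(html)
    results = []
    for method, action in collector.forms:
        # An empty or missing action submits back to the page's own URL;
        # a relative action inherits the page's scheme and host.
        target = urljoin(page_url, action.strip())
        scheme = urlparse(target).scheme.lower()
        verdict = "encrypted" if scheme == "https" else "plaintext"
        results.append((method, target, verdict))
    return results


# Constructed sample pages (hypothetical hosts under example.com).
INSECURE_PAGE = """
<form method="post" action="https://secure.example.com/login"></form>
<form method="post" action="/newsletter"></form>
<form></form>
"""
SECURE_PAGE = '<form method="POST" action="http://legacy.example.com/pay"></form>'

if __name__ == "__main__":
    for url, html in (("http://www.example.com/contact", INSECURE_PAGE),
                      ("https://www.example.com/checkout", SECURE_PAGE)):
        for method, target, verdict in audit_forms(url, html):
            print(f"{url} -> {method.upper()} {target}: {verdict}")
```

The first form in the constructed http:// page is the case rule 4 describes: the submission is encrypted even though the page that delivered the form was not. The last sample shows the reverse, a form on an https:// page that sends its data in plain text.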
 
Virus/Malware/Spyware Protection
You have to be sure that the computer you use to process sensitive information, payments, credentials, or anything else you would not want a third party to see has protection.  We can provide protection for your website and any sensitive information it stores or essential business services it provides from hackers on the web, but if your computer is not safe then our efforts are completely undermined.
  1. You must maintain security software on any computer you use to perform work with sensitive information, accounts, or programs.
    • An antivirus program is requisite.
      • Contrary to colloquial wisdom resulting from effective marketing from Apple, Apple computers are not immune to malicious software.  Apple computers have fewer infections because they have less market share.  They still need an antivirus program for real protection.
        • Let me reiterate: Even if you own a Mac, you still need virus protection.
    • If the antivirus program you have does not explicitly include malware/spyware protection, you will need to install a separate program that handles these types of intrusions.
  2. You should periodically scan your computer.
    • At least once a month, preferably once a week.
    • Most antivirus, anti-malware/spyware programs offer settings to complete automatic scans.
      • Usually these programs allow you to set them to automatically scan during hours when you will not be using your computer.
        • You will need to be sure the computer will be on during the auto scan time or else the scan will not take place.
  3. Keep all of your software up to date.  This includes all programs on your computer, not just antivirus.
    • This, too, can usually be a setting in the program to automatically perform.
    • Do not forget to keep your Operating System up to date as well.
Work Computer Security
  1. Use only your own Windows/Mac/Ubuntu/Linux/other user account that is password protected.
    • Other members of your office should not have access to your computer account.
  2. Do not walk away from the computer with your user account open.
  3. If using wireless, send your credentials only to a secure wireless router (secure means the transmissions are encrypted).
  4. You must be absolutely sure that the wireless router you are using is transmitting secure communications or you are allowing anyone within range to intercept and view the information you are sending or receiving.
  5. If you are not sure that the wireless router you are attempting to connect to is secure, either do not use it or consult an IT professional.
  6. If you are using a laptop, ensure full laptop security.
    • Do not leave the laptop unattended, especially in public places.
    • Lock up the laptop when you leave the office.
      • Cleaning crews or coworkers could have access to your laptop after hours.
    • Do not leave the laptop in your vehicle.
Logging Into Your Website Outside Of Work
If you have to log in to your email, admin sections, merchant account, control panel, FTP account, or any other sensitive area that you would not want a third party getting into, then you should avoid doing this at home, and especially from any computer that you do not know with 100% certainty is clean and trustworthy.  Even if there is an emergency, logging into your site from, for example, a library computer, a friend's computer, or an internet cafe will probably only add to your problems.  If you have to log in from a computer other than your work computer, then you will want to follow these guidelines.
  1. Ensure there is Virus/Malware/Spyware Protection on the computer you are going to use.
    • If you are unsure of the regularity of the virus software scanning and/or updating, run an update and then scan the computer before proceeding.
    • Just because it is an Apple does not mean it is inherently secure.  You still need protection from malicious software.
  2. Follow the rules in the Credentials Protection section.
  3. If you are going to regularly connect to your website from home, it is good policy to follow the same guidelines on your home computer as if it were your work computer.
    • This includes having your own Windows/Mac/Ubuntu/Linux/other user account that is password protected.
      • Other members of your household should not have access to your computer account.
      • Do not walk away from the computer with your user account open.
  4. If using wireless, send your credentials only to a secure wireless router (secure means the transmissions are encrypted).
    • You must be absolutely sure that the wireless router you are using is transmitting secure communications or you are allowing anyone within range to intercept and view the information you are sending or receiving.
    • If you are not sure that the wireless router you are attempting to connect to is secure, either do not use it or consult an IT professional.
© Copyright 2007-2012 Ottaway Communications, Inc. | 3250 W. Big Beaver Rd. Suite 230 Troy, Michigan 48084 | Phone: (888) 954-3900 | Fax: (248) 637-5984