phishing - how do I protect myself from account theft
Lately I've seen a lot of warnings about phishing attempts on the Steem blockchain. Phishing has the intention of obtaining account logins about fraudulent practices. A popular method is to simulate an official e-mail or website.
So I would like to briefly explain how I protect myself from account theft.
Dieser Beitrag ist aus dem deutschen übersetzt. Die deutsche Fassung findet ihr hier.
the safest password possible
The most important thing to protect yourself against account theft is a secure password. A password is safe when it is as difficult as possible to "guess". There are essentially two criteria for this:
- the length of the password
- the uniqueness of the password
The password length should be self-explanatory, but what exactly is a unique password? You regularly hear about "hacked" password databases at large corporations. I'm talking about corporations like "Sony". The probability that one of your passwords already appears in any captured password database is very high if you have ever registered somewhere. Therefore it makes sense not to use the same password for different accounts. In the best case a password is different to every other passwords that has ever been used.
Since you do not know which passwords were used by others, you cannot guarantee this theoretically, but you can minimize the probability of a duplication by using a randomly generated password with sufficient length to such an extent that it is practically negligible.
how to achieve
So how do I generate the most secure password?
First I search for an Open Source password generator. I check its code to see if any suspicious things occur during password generation.
Then I transfer the program to an offline computer. I make sure that I am in a room that cannot be seen, so that nobody can copy the password from the screen or the like.
Then I execute the program and memorize the generated password.
Now I have a password that is secured to the best of my ability. Nobody could see the password during generation and the only place where it is stored is my memory.
Personally, I have trouble remembering four-digit number pins. Memorizing one of these passwords alone is a challenge. To remember Steem-Master, -Active and -Posting Key is, for me, practically simply not feasible.
The safest password in the world is of no use if I enter it in the wrong place. Especially when we are looking at phishing it is important to make sure that the password is only used where it belongs. However, it is often not easy to guarantee this. I may be briefly unfocused or the fraudulent website is so well done that I just didn't realize that I was sending my password to the wrong person here. Entering passwords manually only offers the "human" protection mechanism, which unfortunately tends to make mistakes.
I make a cost-effectiveness assessment and decide how much effort I want to make to secure my passwords sufficiently. I used the value of the password as one of my criteria. If my Steem Master-Password would allow a third party to inflict high financial damage on me, a bank account in Switzerland may be worthwhile.
So that's how I do it:
I print out my master password and keep it in a safe place.
For Active- and Post-Key I use a password manager. This can also be the one in the browser that is now contained everywhere.
A password manager ensures that the password is only entered where I have allowed it. So I have to pay a lot of attention and check if I am on the right website and whether I want to transmit my password there only once. If I now land on a fraudulent site, my password is simply not inserted and I am immediately alerted.
My passwords are never stored in plain text but are encrypted. An attacker can access the encrypted password, but must make additional effort to convert it into a usable form.
The password manager allows me to generate secure passwords. Ideally without them ever appearing on my screen. As a result, screen-capture techniques also fail as attack vectors. Also, you should be reasonably protected from Keyloggers.
I personally prefer a third party software. I want access to my passwords everywhere. Whether Firefox, Chrome or Safari. Whether at home or on the road. I even take a risk and upload the password file to the cloud to sync it between all my devices.
The risk I take by managing my passwords manually is just too big. If the effort to enter a password is too much, I start doing stupid things that are much more risky.
I have been using 1Password for several years now because I like its iOS integration. I am completely satisfied and think that every cent I have put into it is more than justified.
My handling of passwords has changed significantly. Instead of a few e-mail - password combinations, I now have a new password created for each registration. The passwords themselves are much stronger and more important, an attacker who cracks a password can never access any other account of mine with the same email/password combination.
The methods described are by no means a guarantee of safety and merely reflect my views. Everyone has their own requirements for (account-)security and must decide for themselves how to proceed. Furthermore I described methods clearly endanger the security of your account. Please inform yourself and make your own decisions. I'm just offering a starting point here.
This post was tranlated by using DeepL with some adjustments by me.