If Macworld were suddenly to post an unexpected message to our Twitter account—say, “Our @lexfri says the Blackberry PlayBook is much better than the iPad!”—you’d suspect something was amiss. But it’s far more troublesome when an organization like NBC News wrongly tweets shocking headlines, like one that appeared just a few days before September 11th alleging that Ground Zero was under attack.
NBC said at the time that its Twitter account had been hacked. Generally speaking, when Twitter accounts are compromised and begin sending unwanted tweets or spammy Direct Messages, the Twitter password in question has been compromised. Just as NBC should, you can ensure that your own Twitter account is safe by following a few simple steps.
1. Use a strong, unique password
You’ve heard this advice dozens of times, and I’m here to tell you that it’s not as hard or annoying as it sounds to create (and memorize!) strong, secure passwords. My preferred method is to use longer passwords based on memorable, multi-word phrases. Pick a favorite song lyric, for example—like
Wake me up before you go-go.
Then, rather than simply using that Wham lyric as your password across the Web, use customized variants depending upon the site you’re visiting. You can create your own pattern; one method might be to use the first three letters of a site’s name as a prefix for your password. Thus, at Twitter, you’d use
twi Wake me up before you go-go; at Macworld you’d use
mac Wake me up before you go-go instead.
Such passwords can and should include capital and lowercase letters alike, punctuation (I used a hyphen here; you could just as easily use a period or exclamation point), and perhaps a number, too:
Wake me up before you g0-g0. And yes, it’s totally legitimate to use spaces in your password. You can use a variant of your base password for sites that (foolishly) limit your password character options; if Example.com offered such a limitation, you might use
exa Wmubyg0-g0 as your password there.
By using a customized version of your memorable but difficult-to-crack password on each site, you keep yourself much safer. How much safer? Launch Keychain Access (in Applications/Utilities), and choose File -> New Password Item. Ignore the top two fields, and just try entering your new password into the Password field. Keychain Access updates a measurement of how secure your password is as you type. It suggests that
wmubygg is weak;
wmubyg0g0 is fair;
wmubyg0-go is a bit better; and
Wake me up before you g0-g0 is excellent.
2. Know where you’re typing that password
In a currently active case of Direct Message spamming, your friend will appear to send you a link to a funny story about you. I only realized the DM I received from a good friend was phony because of the “lol” at the end of the message, which was completely out of character for my buddy. The link included in the DM spam links to a page that looks exactly like the Twitter login page, pixel for pixel.
Of course, it’s not actually Twitter at all. The phishing page is hosted at a similar looking URL (one example: itwitier.com), and grabs your username and password when you enter it there. When you click links from friends, and those links in turn prompt you to log in, alarm bells should start dinging in your head. Triple-check the URL asking for your password, and verify that your friend sent you the link intentionally. No matter how secure your password, it’s easy for a malfeasant to get it if you simply type it into a bogus form.
3. Use Twitter’s HTTPS option
Most Web traffic uses the HTTP protocol, which passes data back and forth from your computer to the Web server unencrypted. That’s not a big deal when, say, you’re typing in your zipcode to get a weather forecast. It’s far more significant if the data you’re sending includes your login credentials. That’s because it’s trivial for a malicious attacker to “sniff” your Web traffic, and literally see—unencrypted—your username and password as you submit them. If you’re on a secured network that you trust, this is less worrisome. If you’re using a public Wi-Fi network, however, any other user sharing that network could theoretically snoop on all your unencrypted Web traffic. Caveat surfer.
That’s where HTTPS comes in. It adds encryption to the data you pass back to a trusted Web server. Twitter offers an HTTPS option, but you need to ensure it’s turned on for your account. Log in to Twitter’s website, click on your username at the upper right, and choose Settings. At the bottom of the account tab, verify that Always Use HTTPS is checked and click Save.
It’s worth noting that these basic security strategies are useful beyond Twitter. Facebook too offers an HTTPS option, and the same password best practices apply. In general, the best way to keep your accounts safe is to create strong, unique passwords—and then to protect them.