Other Account Settings

Protecting your passwords

Passwords are not the only way for criminals to break into accounts - if they can't crack those they'll look for other weaknesses instead.

They might exploit the forgotten password process, gain access via your mobile phone, or maybe even find your password written down somewhere.

Make sure your accounts are secure - don't let hackers in by the back door!

Use non-obvious answers to security questions

When creating online accounts have you ever been asked for answers to questions such as:

  • What was your mum's maiden name?
  • What was the first school you attended?
  • What is your favourite colour?

These questions are often used to help prove your identity if you forget your password. Unfortunately, though, many of the answers we're encouraged to give are trivial to guess or research - gifting hackers an easy way to break into your account.

Don't use obvious answers for your password reset questions

Consider how few answers there are to "What is your favourite colour?". Even if a first guess of "red" is wrong it probably wouldn't take too many tries to get it right. And does your public Facebook or LinkedIn profile answer the question "Which university did you attend?".

Strong passwords are worthless if hackers can just use this easy backdoor route.

The email account of the US Presidential Candidate Sarah Palin was hacked this way in 2008, & nude photos of Scarlett Johansson were accessed by this method too.

Instead, to protect yourself just follow this simple rule:

Never provide a direct answer to the question.

If any website asks you these types of questions you could either provide a completely irrelevant answer, or if that's not so easy to remember then answer the question but add something random after it, such as "bathtub" (well we did say it has to be random!!). This something can be the same for each account with these questions in order to help you remember it.

Facebook fun? Or a scam?

Do you ever see those Facebook posts that get shared thousands of times -

  • "What's your pornstar name? Type the name of your first pet and your favourite colour now!", or
  • "Discover your Star Wars character name! Enter the name of your favourite teacher and the name of the street you grew up on."

A bit of harmless fun? Maybe - or maybe not.

Think the questions look familiar? That's because they're often the very same ones that websites use as security questions to reset your password - and you might just be giving the answers away for all to see!

Even fun questionnaires that are just between friends can give information away to fraudsters. When was the last time you reviewed your Facebook privacy settings?


Be careful with what you post on social media - and who can see your posts. Those fun viral posts may not always be quite so fun & innocent after all...

Many websites now use stronger password reset processes, such as emailing a password reset link or texting a security code to your phone, but there are still many sites where a simple question is all that's stopping an attacker from accessing your account.

Make sure you protect yourself from this type of attack!

Your mobile phone

Always set a good PIN for your mobile phone

Do you read and send email from your phone? And do you access Facebook, Twitter, and other accounts from it too?

Whilst it's convenient to log straight into these apps without needing a password, if your phone is ever stolen then the thief will also be able to access these too. To help avoid this it's a good idea to do the following:

Add a screen lock

The best defence is always to require a PIN when unlocking your phone (or pattern, fingerprint scan, or facial recognition instead - these are equally good). You can often make this less intrusive by only asking for your PIN if your phone has been left locked for 5 minutes or more.

Enable the "Find my phone" feature

Many modern phones come with a "Find My Phone" feature to help locate it if it's ever lost (for as long as it has power & a phone signal).

This feature also often allows you to remotely delete all data, preventing anyone from accessing whatever you have on your phone.

For help setting this up (before you lose your phone!) see these pages: iPhone | Android.

Add a SIM PIN

For even better defence, you can set a PIN for your SIM card too. This will prevent any phone thief from being able to transfer your SIM card into another phone to receive your text messages (which may, for example, contain security codes if the thief is trying to reset passwords on any of your internet accounts). Make sure you remember this PIN - you'll also need to enter it every time you restart your phone (if you enter it incorrectly too many times you'll need to contact your network provider).

To set this up see these pages: iPhone | Samsung | HTC | Sony.

Disable notification previews

Some phones will, if set up to do this, display new messages on screen even when the phone is locked. Whilst this can be convenient (so you don't have to unlock your phone just to read a message) it can also be a huge help for thieves. If they try to hack into any of your accounts they'll still be able to read any security codes that get sent as a text message - even without needing to unlock your phone!

To disable notification previews on the lock screen see these pages: iPhone | Android.

If you've lost your phone

If you ever lose your phone then you should get to a computer and change the passwords for your different accounts straight away, just in case a thief does manage to access your phone. For more details see our Help! I've lost my phone page.

We have more in-depth advice on looking after your phone on our page here.

Avoid getting locked out

Whilst you're reviewing your security settings, you might also want to check any settings for proving your identity should you ever get locked out.

Most of us forget our passwords every now and then. Normally we can easily regain access by following a simple password reset process, but what if we forget the answers to the security question, or if we don’t have access to our email to get the password reset link?

A little forward planning can help here - see if your favourite websites offer these options:

1)  Set up extra contact info:

  • Adding contact details, such as a phone number or extra email address, can help you prove your identity if you ever find yourself locked out.
  • Remember to review these regularly in case your details change.

2)  Trusted Friends:

  • Facebook also offers a "Trusted Contacts" feature, where you nominate 3 (or more) friends to prove your identity and help you regain access.
  • Don’t worry, Facebook have checks in place to stop cheeky friends from abusing this & getting access to your account without your permission!

3)  Recovery codes:

  • Recovery codes are effectively a secondary password that you keep securely locked away (in the care of your solicitor for example) and use to reset your main password.
  • You must make sure you look after this code and treat it at least as securely as you would any other password.

Take a look in the "Account" or "Security Settings" sections of your favourite websites – see what they recommend and if there’s anything you can set up today.

You might also be interested in what happens to our online accounts when we die. A little forward planning of your digital legacy now can save your loved ones a lot of hassle later on.

How else can I keep my accounts secure?

Virus protection

Protect yourself from password-stealing viruses

A good antivirus package on your PC can help prevent some viruses from silently stealing the passwords to your online accounts. You should also keep the software on your computer up to date, and never open any email attachments that you're not expecting.

BeCyberSafe.com have a lot of practical information about how to protect your computer from viruses - it's definitely worth a read.

Enabling activity notifications

Enable activity notifications on your accounts

Many websites have the ability to send you an alert if they ever detect any suspicious activity, such as if someone tries to log into your account from a new device or tries to change your password.

Knowing that someone is trying to access your account will serve as an immediate call to check all your security settings & to perhaps change your password. Search the help section for "activity notifications" on your favourite websites for how to enable this.
