Facebook releases Security Guide

Post » Sat Aug 20, 2011 1:59 am

It's against my nature to link to PDF files, so here's the article that made me aware of it:

http://www.cio.com/article/688230/Facebook_Issues_Security_Guide_for_Teens_Parents_Teachers

Some things of it I didn't like (it doesn't explicitly tell you to use a different password for every site), but other things were awesome (KeePass recommendation!)

This comes on the heels of the statement that http://news.cnet.com/8301-1009_3-20093487-83/more-cyberattacks-hitting-social-networks/ Shame that since it's longer than 420 characters, no Facebook user is actually going to read it (also it's super-surprising that it doesn't cover the privacy features in-depth :rolleyes:).
Hope Greenhaw
 
Posts: 3368
Joined: Fri Aug 17, 2007 8:44 pm

Post » Sat Aug 20, 2011 5:22 am

So basically put a giant "Common Sense" slapped on as the title? :P
cassy
 
Posts: 3368
Joined: Mon Mar 05, 2007 12:57 am

Post » Sat Aug 20, 2011 7:00 am

So basically put a giant "Common Sense" slapped on as the title? :P

Common sense ain't as common as it used to be. That's why I'm glad Facebook released this, but I have serious doubts that it'll actually get read (and taken to heart) by those that need to most.
lacy lake
 
Posts: 3450
Joined: Sun Dec 31, 2006 12:13 am

Post » Sat Aug 20, 2011 1:51 am

Facebook...
Security...


DOES NOT COMPUTE
Chris Guerin
 
Posts: 3395
Joined: Thu May 10, 2007 2:44 pm

Post » Fri Aug 19, 2011 9:52 pm

Common sense ain't as common as it used to be. That's why I'm glad Facebook released this, but I have serious doubts that it'll actually get read (and taken to heart) by those that need to most.

Well I doubt anyone but us nerds will read this anyway. Lol.
Miranda Taylor
 
Posts: 3406
Joined: Sat Feb 24, 2007 3:39 pm

Post » Sat Aug 20, 2011 1:42 am

Facebook...
Security...


DOES NOT COMPUTE

THIS!
naome duncan
 
Posts: 3459
Joined: Tue Feb 06, 2007 12:36 am

Post » Fri Aug 19, 2011 11:37 pm

Making a unique password for each site is very easy if you do it right. Don't know why everyone complains.

Make a rule for yourself, such as, the first two and last two letters of the website, plus a normal password for all of your sites.



For example, if your password is 12345, your new password for Google would be:
gole12345

For Youtube it would be:
yobe12345
Sami Blackburn
 
Posts: 3306
Joined: Tue Jun 20, 2006 7:56 am

Post » Sat Aug 20, 2011 8:23 am

Well I doubt anyone but us nerds will read this anyway. Lol.

Us nerds probably already know that Facebook has privacy settings (ones that can be made to be quite restrictive too!).
Cccurly
 
Posts: 3381
Joined: Mon Apr 09, 2007 8:18 pm

Post » Fri Aug 19, 2011 11:33 pm

That's cool, I suppose. Hopefully those that should read it will. Unfortunately, I think the reason they're the kind of people who should read it is because they're the kind of people who won't read this.
rheanna bruining
 
Posts: 3415
Joined: Fri Dec 22, 2006 11:00 am

Post » Sat Aug 20, 2011 6:57 am

Making a unique password for each site is very easy if you do it right. Don't know why everyone complains.

Make a rule for yourself, such as, the first two and last two letters of the website, plus a normal password for all of your sites.



For example, if your password is 12345, your new password for Google would be:
gole12345

For Youtube it would be:
yobe12345

Yummmy, alphanumeric and under 12 characters in length, I think I have a rainbow table of that somewhere :P

(I know you were only giving an example, but your example doesn't offer much in the form of entropy)

Anyway, algorithm-based passwords are great, but there are some caveats:

You need a minimum of the following:

6 different algorithms: one for 8-character limit sites (that still exist...), one for 15-character limit sites, one for 20 character limit sites, one for greater than 20 characters, one for your primary email address, and one for your bank (if applicable)

That number grows if any site you use has special rules that limit the characters you can use if one of those characters is in your algorithm.

Once again algorithm-based passwords can prove problematic if you have a site that forces password changes after a set length of time.

It's a great system, but a secure implementation of it isn't always easy.

That's cool, I suppose. Hopefully those that should read it will. Unfortunately, I think the reason they're the kind of people who should read it is because they're the kind of people who won't read this.

You can always post it on your wall and stuff to make others aware of it. Spread the knowledge (directed at all Facebook users, just quoting you)
lolly13
 
Posts: 3349
Joined: Tue Jul 25, 2006 11:36 am

Post » Sat Aug 20, 2011 7:32 am

Making a unique password for each site is very easy if you do it right. Don't know why everyone complains.

Make a rule for yourself, such as, the first two and last two letters of the website, plus a normal password for all of your sites.



For example, if your password is 12345, your new password for Google would be:
gole12345

For Youtube it would be:
yobe12345


Hey, that's a good idea. Mind if I borrow that? So for this site my password will be beda12345. :)

Just out of curiosity, you aren't a hacker by any chance, are you? Otherwise I'll have to use something besides 12345.
Stacyia
 
Posts: 3361
Joined: Mon Jul 24, 2006 12:48 am

Post » Fri Aug 19, 2011 8:49 pm

You can always post it on your wall and stuff to make others aware of it. Spread the knowledge (directed at all Facebook users, just quoting you)

And ruin my Facebook rep? For shame, Defron!
(G-yen)
 
Posts: 3385
Joined: Thu Oct 11, 2007 11:10 pm

Post » Fri Aug 19, 2011 7:42 pm

It's a great system, but a secure implementation of it isn't always easy.

Take a line from a song you know, replacing certain numbers with letters. The song being the mnemonic for the site.

This forum, for instance, could be "Ic4ntg3tn0s4tisf4cti0n", "Girlsjustw4nn4h4v3fun" or "3v3rythingih4t34b0uty0u". If you want to change the password, go down one and use the next line in the song.

Since every song text in existence is on the web, I figured I'd use 'em.

As for 20 pages of security booklet.. try it in two words... stay away.
Invasion's
 
Posts: 3546
Joined: Fri Aug 18, 2006 6:09 pm

Post » Fri Aug 19, 2011 7:25 pm

Making a unique password for each site is very easy if you do it right. Don't know why everyone complains.

Make a rule for yourself, such as, the first two and last two letters of the website, plus a normal password for all of your sites.



For example, if your password is 12345, your new password for Google would be:
gole12345

For Youtube it would be:
yobe12345


I typically tend to just generate my passwords. Something like for I in $(seq 1 30); do mkpasswd -2 -C 10 -l 24 -s 0 | grep -v '[iIl0O]'; done on my CentOS server works well, and prints stuff like ...

jrNsyQJEkCPcug7Qp4NaLckF
vnzm2HQURLWLc7qKQnzyvjWk
cUELdyAKVhFybKf9vL3uvuZn

... which then get put into an encrypted file with a complicated and, above all, long (on the order of about 50 characters) phrase-based password and get copy & pasted as needed afterwards.

Only worry to have is then keyloggers, but that's a whole other kettle of piranhas ...
Shannon Lockwood
 
Posts: 3373
Joined: Wed Aug 08, 2007 12:38 pm
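
Added example (not part of any post in this thread): a Python comparison of the site-name rule quoted above with per-site random generation as in the post just above. It shows that one leaked rule-based password gives away the shared base and with it every other site's password, and compares the secret entropy of the two approaches. `random_password` is a stand-in for the `mkpasswd` loop that drops the look-alike characters from the alphabet and does not enforce the minimum-uppercase option; all function names are assumptions of this example.

```python
import math
import secrets
import string
from typing import Optional

# Characters the generator post filters out because they look alike.
AMBIGUOUS = set("iIl0O")
ALPHABET = [c for c in string.ascii_letters + string.digits if c not in AMBIGUOUS]


def rule_password(site: str, base: str) -> str:
    """Thread's rule: first two + last two letters of the site name, then a shared base."""
    name = site.lower()
    return name[:2] + name[-2:] + base


def recover_base(site: str, leaked: str) -> Optional[str]:
    """Strip the site-derived prefix from one leaked password; None if the rule does not fit."""
    prefix = rule_password(site, "")
    return leaked[len(prefix):] if leaked.startswith(prefix) else None


def random_password(length: int = 24) -> str:
    """Independent password per site from a CSPRNG, drawn from the reduced alphabet."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    leaked = rule_password("google", "12345")          # gole12345, as in the thread
    base = recover_base("google", leaked)
    print("base recovered from one leak:", base)
    print("derived for another site:", rule_password("youtube", base))
    # Only the shared base is secret; the prefix is public knowledge about the site.
    print("rule scheme, secret part: %.1f bits" % entropy_bits(10, 5))
    print("24 random chars:          %.1f bits" % entropy_bits(len(ALPHABET), 24))
    print("sample:", random_password())
```
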

Post » Sat Aug 20, 2011 9:00 am

So basically put a giant "Common Sense" slapped on as the title? :P

Common sense is often the product of experience, and this sort of experience is the sort of thing most people would want to avoid if at all possible. I'm all for giving hints and tips so that people don't have to learn the hard way, though at 20 pages, it's debatable as to how many will actually read it. Perhaps some common sense for the writers is to first educate the masses regarding the importance of privacy and security, something which is best done concisely: but it could be argued that Facebook has a rather conflicted interest in that regard.
Anthony Santillan
 
Posts: 3461
Joined: Sun Jul 01, 2007 6:42 am

Post » Fri Aug 19, 2011 10:53 pm

Common sense is often the product of experience, and this sort of experience is the sort of thing most people would want to avoid if at all possible. I'm all for giving hints and tips so that people don't have to learn the hard way, though at 20 pages, it's debatable as to how many will actually read it. Perhaps some common sense for the writers is to first educate the masses regarding the importance of privacy and security, something which is best done concisely: but it could be argued that Facebook has a rather conflicted interest in that regard.

I'd think that any such pamphlet would start with:

get.a.new.email.

isolate.it.COMPLETELY.from.your.original.address.

DO.NOT.import.anything.from.your.real.life.you.want.to.keep.private

become.friends.with.no-one.

don't.get.poked

stay.away.from.farmville



have I missed anything? :ermm:
Kayleigh Williams
 
Posts: 3397
Joined: Wed Aug 23, 2006 10:41 am

Post » Sat Aug 20, 2011 1:48 am

have I missed anything? :ermm:


What about this? Facebook is not your friend. Neither is Google, for that matter. To them, you're not the customer, you - along with all the details about your preferences and your life - are a resource. Their advertisers are their customers.
Laura-Lee Gerwing
 
Posts: 3363
Joined: Fri Jan 12, 2007 12:46 am

Post » Fri Aug 19, 2011 7:10 pm

What about this? Facebook is not your friend. Neither is Google, for that matter. To them, you're not the customer, you - along with all the details about your preferences and your life - are a resource. Their advertisers are their customers.

I know, but Google already has me by the short and curlies, and I never pay any attention to Google ads anyway :D

Which is why I find Facebook so redundant as well.. what, they want my info twice :P
Valerie Marie
 
Posts: 3451
Joined: Wed Aug 15, 2007 10:29 am

Post » Sat Aug 20, 2011 7:15 am

Some things of it I didn't like (it doesn't explicitly tell you to use a different password for every site), but other things were awesome (KeePass recommendation!)

To be fair, it does explicitly tell you not to use your Facebook password for any other site, and it's only a guide for Facebook security rather than net security in general.

That said, the guide is far from perfect. From my experience talking to friends about stuff like this - it seems to require an implicit level of basic knowledge that a lot of people just don't have... It's all very well to say that the people who should be reading this won't bother, but actually I think if they did they wouldn't understand a lot of it.

Still, it's good that they've gone out of the way to produce a guide like this. I hope they go out of their way to push it to their users...
Claire Jackson
 
Posts: 3422
Joined: Thu Jul 20, 2006 11:38 pm

