I occasionally receive questions from folks wanting to know how to secure their Facebook accounts after they have been compromised. I am no expert on such matters, but here’s what I do (which seems to have worked so far) …
Password
Make sure you have a kick-butt password. 12 characters with a mixture of upper and lower case, numbers and special characters ought to do the trick. You Norwegians should inject an å, ø or æ in there to boost your protection. To be sure you aren’t using a mind-numbingly dumb password (I can guarantee many of you will be), go test it on Steve Gibson’s password haystacks page. If you have real words in there, make sure it’s longer than 12 characters, as real words or names are much easier to crack.
If you think that these passwords are ridiculously long, think again.
Multi-factor authentication
This is something I have been lazy on. I have been protecting my Google account with this for years and for the past six months or so have been using it on my website login, but I always figured my Facebook account was of minimal value so never bothered. This evening I decided that was a bit silly and implemented it myself. By setting up multi-factor authentication, you will be forced to use your phone as a method of authenticating to Facebook. You will need to punch in a code that you generate via your phone. You can also use third-party apps to do this, which is really handy as it means you can use something like the Google Authenticator app for your phone, which avoids having to load the silly Facebook app just to log in.
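To show what is actually going on when an authenticator app such as Google Authenticator produces that six-digit code, here is an added example (not code from the original post, and nothing to do with Facebook’s own implementation) of the standard TOTP scheme (RFC 6238 on top of RFC 4226 HOTP): the phone and the site share a secret, both derive a counter from the current 30-second time step, and the site accepts the code for the current step plus one step either side to tolerate clock drift. The secret used is the published RFC test key, not a real account secret.

```python
import base64
import hashlib
import hmac
import struct

# The RFC 4226/6238 test secret ("12345678901234567890") in base32, i.e. the form
# encoded in the QR code an authenticator app scans. Demo value only.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
TIME_STEP = 30  # seconds per code, as used by Google Authenticator


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to `digits` decimal digits."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble picks the 4-byte window
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step.
    This is what the phone computes and displays."""
    return hotp(secret_b32, unix_time // TIME_STEP, digits)


def verify_totp(secret_b32: str, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Site-side check: accept the code for the current step and +/- `window`
    adjacent steps (phone clocks drift), comparing in constant time."""
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, unix_time + drift * TIME_STEP)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    # At T=59 the RFC 6238 vector for SHA-1 is 94287082; the 6-digit form is 287082.
    print(totp(RFC_SECRET_B32, 59))                       # 287082
    print(verify_totp(RFC_SECRET_B32, "287082", 89))      # True (one step late)
    print(verify_totp(RFC_SECRET_B32, "287082", 119))     # False (two steps late)
```

Because the counter only changes every 30 seconds and the check tolerates one step of drift, a captured code stays usable for roughly a minute, which is why the site should also refuse to accept the same code twice.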
https
There’s a setting in Facebook which allows you to force it to use https, or at least there used to be. Last I heard, this does not actually work as well as it should, but in theory it means that anything you access from Facebook.com is sent over an https connection, so that no one between you and Facebook itself can snoop on what you are looking at. A “man in the middle” attack is still possible, but it should be obvious: the little green lock icon will disappear from your browser and you may see security warnings appearing.
Conclusion
The above advice should keep your account under wraps. It doesn’t protect against certain types of attacks, in particular clickjacking. There’s not much you can do about that apart from being careful what you click on.
No security system is fool-proof, but these basic precautions should at least allow you to avoid entirely losing your whole account (hopefully).
If you have any other tips, please post them in the comments below.
PS: One last tip … don’t use Windows. It’s possible that malware on your computer is causing problems, and since malware is most prevalent on Windows, changing to another operating system will likely avoid that issue.
Nice one Ryan. Great link too.
Personally, I choose a word that means something to me and a word that represents the website I’m accessing, then merge the two together with some random symbols before, between and after. Then I capitalise a subset of the alphabet, and numericise (?) some of the letters that can look like numbers. This makes it pretty easy to remember a password when I reach a site.
The only problem is some of the archaic sites that limit password length or regularly require a new, different password. Other than that, it’s a pretty solid routine.
Oops, I missed your comment until now.
Those stupid password limiting sites are highly annoying. That is often a sign that they aren’t hashing the password, since hashes are limited in length automatically, so it shouldn’t matter how long your password is if it’s hashed.