
dangerous with social media because everything you do will be sent to all
your friends and probably replicated by them. It is a snowball effect.


In my perfect world, no form has a “Keep me logged in” option, which of
course would be a nuisance to end users. I would love to see a clever,
usable solution to this problem. I use a Flex client for Twitter, not a browser,
which means I am not vulnerable even on websites with clickjacking and
cross-site request forgery (the latter only if people do not abuse the API to
phish my followers; see the presentations at the end of this article for a
demo of that).


Use Clever Passwords, and Entice Users to Do the Same


Even on bullet-proof systems, one attack vector is users whose passwords
are very easy to guess. I change my passwords every few weeks, and I take
inspiration from a book I am reading or a movie I have just seen. I also
replace some characters with numbers to make dictionary attacks harder.


There are two ways to crack a password (other than social engineering, which
is tricking you into telling me your password, phishing included): brute force
and dictionary attacks. Brute force entails writing a loop that tries every
possible combination of characters (much like playing hangman), which can take
ages and uses a lot of computing power. Dictionary attacks instead draw their
guesses from a wordlist of common words and phrases, usually with mangling
rules applied (different capitalisation, digits appended, letters swapped for
look-alike numbers), so they need far fewer guesses than going letter by
letter.
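The two attacks side by side, as an added example that is not from the article: a miniature dictionary attack with a handful of mangling rules (case changes, digit-for-letter swaps, common suffixes, two-word concatenation) run against unsalted SHA-1 hashes, next to a cost estimate for exhaustive brute force. The wordlist, the target passwords and the assumed guessing rate of 1e10 hashes per second are constructed for illustration; real crackers such as hashcat and John the Ripper apply thousands of such rules to wordlists of hundreds of millions of entries.

```python
"""Added example, not from the article: a toy dictionary attack with mangling
rules beside a brute-force cost estimate."""
import hashlib
import itertools

# Per-character substitutions a rule engine tries (a tiny subset of real rule sets).
LEET = {"a": "4", "e": "3", "i": "1!", "o": "0", "s": "5"}
SUFFIXES = ["", "!", "1", "123", "2010"]

# Constructed wordlist standing in for a real dictionary of millions of words.
WORDLIST = ["password", "sherlock", "watson", "baskerville", "holmes", "london"]


def weak_hash(password):
    """Unsalted SHA-1: the kind of storage that makes offline cracking cheap."""
    return hashlib.sha1(password.encode()).hexdigest()


def leet_variants(word):
    """Every combination of keeping a letter or swapping it. Partial
    substitution matters: a guess like W4t50n keeps its t."""
    options = [[c] + list(LEET.get(c.lower(), "")) for c in word]
    return {"".join(combo) for combo in itertools.product(*options)}


def base_variants(word):
    """Case rules first, then leet rules on each case form."""
    out = set()
    for form in (word.lower(), word.capitalize(), word.upper()):
        out |= leet_variants(form)
    return out


def candidates(words):
    """Single words, then ordered two-word concatenations, each with suffixes."""
    variants = {w: base_variants(w) for w in words}
    for w in words:
        for v in variants[w]:
            for s in SUFFIXES:
                yield v + s
    for a, b in itertools.permutations(words, 2):
        for va in variants[a]:
            for vb in variants[b]:
                for s in SUFFIXES:
                    yield va + vb + s


def dictionary_attack(target_hashes, words=WORDLIST):
    """Return (cracked {hash: password}, number of guesses made)."""
    cracked, guesses = {}, 0
    for guess in candidates(words):
        guesses += 1
        h = weak_hash(guess)
        if h in target_hashes:
            cracked[h] = guess
            if len(cracked) == len(target_hashes):
                break
    return cracked, guesses


def brute_force_years(length, alphabet_size=94, guesses_per_second=1e10):
    """Years to exhaust all strings of the given length. 94 is printable ASCII
    without whitespace; 1e10/s is an assumed rate for a GPU rig on unsalted
    SHA-1, used here only to make the comparison concrete."""
    return alphabet_size ** length / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed targets: two leet-mangled dictionary words and one random string.
    targets = {weak_hash(p) for p in ("Sh3rl0ckW4t50n", "b4sk3rv!ll3", "xq9#Lm2vT!pR")}
    found, n = dictionary_attack(targets)
    print(f"cracked {len(found)} of {len(targets)} after {n:,} guesses: {sorted(found.values())}")
    print(f"brute-forcing 14 printable characters: about {brute_force_years(14):.3g} years")
```

The two mangled passwords fall to a few hundred thousand guesses because they are dictionary words with predictable substitutions; the random 12-character string is never produced by the rules and would need the brute-force budget instead, which is why wordlist-plus-rules is the attacker's first move and exhaustive search the last.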


Say I am reading a Sherlock Holmes book or have just seen the new screen
adaptation, my password could be Sh3rl0ckW4t50n or b4sk3rv!ll3.
That may be a bit hardcore for most people but is generally a good idea.
Another strategy is to take a sentence that you can memorize easily and
