SANS ISC: Typo-Squatting and Password Best Practices

• SANS Site Network
  • Current Site
  • Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

Michael asked what to tell his sister, who recently visited a webmail site with a similar name to her regular webmail site, and she entered her username and password at the wrong website. This is actually a multi-layered question, and I am trying to cover the different issues related to this.

First of all, in order to avoid falling for typo-squatters, use bookmarks. Using bookmarks to reach trusted sites is probably the safest method. Never click on any e-mail link to reach a trusted site. In addition, avoid typing long and sometimes easy to misspell host names.

If you use a lot of different computers, you could use one of the personalized home page sites. At least, this leaves you with only one hostname to type, the name of the homepage. However, unless you setup your own homepage/web server, there is a problem with privacy. You trust that the site you use to store your links is safe.

A USB stick with your favorite bookmarks may work if you are able to plug a USB stick into the system you are using. Trust is again an issue, as the computer you use may modify the content of the USB stick (could even add a virus). But its probably an illusion to expect secure computing while you use a PC you don't trust. A few people tried to solve this issue, but its tricky (bootable CD is probably the best option, but not everybody will allow you to reboot a PC).

Once you know you fell for a typo-squatting site, change the password you surrendered as fast as possible. Which brings up another important point: Password security. I usually recommend a 2+n password approach:

• use 1 password for "throwaway" registrations. This password should be used for sites that require you to register, but they don't store any sensitive information (e.g. some newspapers that require you to register).
• use a second password for sites that you visit infrequently, and that don't store any personal information, but impersonation may be a problem. For example, think about bulletin boards. Someone may be able to post insults in your name if your password is lost. The same password may also work for e-commerce sites that do not store. your credit card number (its a bad idea to let them store it anyway). But this is a question of personal preference. How much do you care if someone can see your amazon.com orders (and addresses that go with it)?
  
• The 'n' is for all other sites. These sites require specific, hard to guess passwords. Examples are online banking sites, or e-commerce sites with personal information which you want to protect very well.

For personal/home use, I do recommend stronger passwords, and write them down. Yes, you may use a Post-it and tape it below your keyboard. It all depends on what you consider a threat. In my opinion: If someone breaks into my house and steals the computer (or has access to it for some time), lost passwords are not a huge issue and can be reset.

Lastly: What is a trusted/trustworthy website? isc.sans.org is! I know. I administer it. For all other sites: Decide for yourself. I can't make that decision for you, as I don't know how well the site is maintained.
I mentioned before that the commonly used line "don't visit unsecure web sites" is nonsense.


I will be teaching next: Defending Web Applications Security Essentials - SANS San Francisco Winter 2019