Twitter Phishing Scam Alert, Password Safety

I’d heard this was going on, but I just received my first one of these, so I figured I’d better share it with everybody. I received an email that looks like a Twitter direct message notification:


I was a bit suspicious of the message and URL (http://twitterblog.access-logins.com/login), and Google Chrome (my new default browser since Firefox went crazy on me) was kind enough to give me a possible phishing alert when I went to the site.

The site looks exactly like Twitter — the URL is the only give-away. But if you put your user name and password in, you’ve just let someone hack your Twitter account.
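As an added illustration (not from the original post), here is a small Python check that applies the "look at the URL" advice mechanically: it extracts the hostname and compares its registrable domain against the real one, flagging links like the one above where the brand name appears only in a subdomain or path. The two-label domain rule is a simplifying assumption; a production check would consult the Public Suffix List.

```python
from urllib.parse import urlsplit

# Domains that legitimately belong to the service being impersonated.
LEGITIMATE_DOMAINS = {"twitter.com"}


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname, e.g. 'access-logins.com'.

    Assumption: a single-label public suffix such as '.com'. Hosts under
    multi-label suffixes (e.g. '.co.uk') would need the Public Suffix List.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str, brand: str = "twitter") -> dict:
    """Classify a link as 'legitimate', 'suspicious' or 'unrelated'.

    'suspicious' means the real domain is NOT the brand's, yet the brand
    name is used in the subdomain or path to make the link look genuine.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    domain = registrable_domain(host) if host else ""
    is_legit = domain in LEGITIMATE_DOMAINS

    brand_in_host = brand in host
    brand_in_path = brand in parts.path.lower()

    if is_legit:
        verdict = "legitimate"
    elif brand_in_host or brand_in_path:
        verdict = "suspicious"
    else:
        verdict = "unrelated"

    return {"host": host, "domain": domain, "verdict": verdict}


if __name__ == "__main__":
    # Constructed samples: the phishing link quoted in the post and a real one.
    for link in ("http://twitterblog.access-logins.com/login",
                 "https://twitter.com/login"):
        print(link, "->", classify_url(link)["verdict"])
```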

The notification will appear to be from someone you know — the follower data is publicly available if your profile is open. It doesn’t necessarily mean their account has been hacked. If you only get an email notification, not an actual Twitter DM, then their account is probably OK. If you receive one of these as an actual Twitter DM, then they’ve probably been hacked and should immediately change their password.

On the topic of passwords, I know a lot of people use the same password everywhere. BAD IDEA!!!

I hope it’s obvious why you shouldn’t do it. The problem, of course, is trying to manage/remember multiple passwords. One approach is to use some kind of password management software, but that only works from your own computer, and you’re in trouble if you want to log on from somewhere else.

In Chapter 16 (pp. 140-141) of The Virtual Handshake (free download or buy at Amazon), we offer a simple scheme for creating passwords that are unique for each site, but not easily decipherable if someone obtains a single password. I’ve found, though, that more and more sites are requiring longer passwords — sometimes 8 characters — and also doing things like requiring both numbers and letters in the password. A couple of years ago, I posted a little more complex password scheme that should meet those requirements.

Developing a secure password management scheme is one of the single best things you can do to protect against online identity theft.