This is a guest post from Go Daddy’s Chief Information Security Officer, Todd Redfoot. In the post, Todd discusses how you can keep your accounts protected and your domain names safe.
Knowing that an outside party accessed one of your accounts can be incredibly frustrating and exhausting. But there are practical steps you can take to protect your accounts and the information you store in them.
7 basic ways you can make sure your accounts stay secure:
- Use a strong password. Eight characters is really not sufficient; a strong “passphrase” is the better choice. A creative device for generating strong passwords is to use a phrase that has special meaning to you. For example, “I need a strong password to make sure I’m completely secure” could become the password InaspTmsIc$. Passwords should consist of a minimum of nine (9) characters and contain at least one special character.
- Change your password – often. This can be as simple as setting a reminder on your calendar to change your password at the beginning of every month.
- Use a variety of passwords. You should never use the same password for multiple accounts: once one account is compromised, a reused password simply makes it easier for hackers to access all of your accounts. If you find it difficult to remember all these crazy passwords – try a password safe. There are many free ones out there that will safely store all your passwords in an encrypted database on your machine. Make sure you do your research before downloading anything you find on page 1 of a Google search.
- Always, always, always log out. This is particularly true if you’re using a shared computer, such as one at work or in an Internet café. Regardless of the account you’re in, Facebook or Wells Fargo, take this precaution every time.
- Make sure your account is up to date. Some digital spring cleaning can also protect you. Remove expired credit cards you have stored in accounts and make sure your phone number and address are correct. Not only does this make your account secure, it also ensures that companies you do business with can contact you if there’s ever an issue.
- Beware of Wi-Fi hotspots. Sure, they’re convenient. But you shouldn’t use them to access secure accounts. Hackers are known to roam hotspots looking for their next victim.
- Protect your PC. Be careful what you download – only use trusted, well-vetted sources – and invest in anti-virus software to keep your computer safe.
When you have done “everything”, what else can you do?
- Do the 2-Step. Two-step authentication adds another layer of security by texting you a validation code to enter whenever you log in or make important account changes. If it’s available to you, take advantage of it. Go Daddy offers two-step authentication in the US and Canada. You can find out more information about it here.
- Never share your account with others. By giving others access to your account, or purchasing products with someone else’s payment method, you are giving them full access to your account details. If you need to delegate management of your resources check to see if you can assign permissions via account management settings. Go Daddy provides “Account Administrator” functionality. This allows management of your resources from separate accounts, limiting direct access to account details and billing information. Read more here.
- Check for keyloggers on your computer. Your computer might have malicious software installed, known as a keylogger, that records every keystroke you make — including your user names and passwords. Run anti-virus programs regularly to detect keyloggers. We recommend using your favorite search engine to find software that removes keyloggers from your computer.
- Don’t fall for a phishing scheme. Cybercriminals look to create a sense of urgency to trick unsuspecting victims into downloading malicious files. Many attackers try to lure you into their schemes by sending emails that look legitimate, but include links to fake login pages that closely resemble the legitimate website. Hover over links to see where they really point and check for misspellings (acmebnak instead of acmebank), but don’t click. Go directly to the website and log in as you would normally; any message, important action, etc. will be there if the email is legitimate. Emails from Go Daddy, in most cases, include your first and last name, a clear first indicator of legitimacy.
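The hover-and-check advice above, turned into a small link scanner as an added example (not code from the original post or from Go Daddy): it pulls each link out of an email body, compares the real target against a constructed list of domains the reader trusts, flags near-misspellings such as acmebnak for acmebank, and flags links whose visible text names a different site than the href actually goes to. The trusted domains and the sample email are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Domains the reader actually does business with (constructed for this example).
TRUSTED_DOMAINS = ("acmebank.com", "godaddy.com")

# Constructed sample email body: one legitimate link, one typosquat of the
# bank's name, one link whose visible text names a site the href never visits.
SAMPLE_EMAIL = (
    '<a href="https://www.acmebank.com/login">acmebank.com</a> '
    '<a href="http://acmebnak.com/verify">Verify your account</a> '
    '<a href="https://secure-login.example/r">https://godaddy.com/renew</a>'
)

def damerau_levenshtein(a, b):
    """Edit distance where an adjacent swap costs 1, so acmebnak vs acmebank scores 1."""
    # d[i][0] = i and d[0][j] = j; everything else filled in below
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]

def registrable_domain(url):
    """Last two host labels: 'www.acmebank.com' -> 'acmebank.com' (no public-suffix list)."""
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])

def classify_link(href, visible_text):
    """Compare where the link really goes (the hover target) with what the email shows.
    Returns (verdict, real_domain)."""
    real = registrable_domain(href)
    shown = re.search(r"https?://\S+", visible_text)
    if shown and registrable_domain(shown.group()) != real:
        return ("text_mismatch", real)  # the link text claims a different site
    if real in TRUSTED_DOMAINS:
        return ("trusted", real)
    for trusted in TRUSTED_DOMAINS:
        # threshold 2 is for brand names of this length; shorter names need a tighter one
        if damerau_levenshtein(real.split(".")[0], trusted.split(".")[0]) <= 2:
            return ("lookalike", real)  # misspelling of a brand you trust
    return ("unknown", real)

def scan_email(html):
    """Every <a href>...</a> in the body with its verdict, in document order."""
    links = re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S)
    return [(href,) + classify_link(href, text) for href, text in links]
```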
Protecting your data is as critical as locking your car or your house – don’t give an attacker an easier route by using weak passwords or unsafe networks.
I like two-step authentication.
If my GoDaddy account is hacked, can the hacker disable authentication and change my email address?
Michael, from reading the informational link provided, my guess would be no, they cannot disable it. You’d need the auth code to log in (the one sent to your phone).
“Two-Step Authentication adds another layer of security to your account by texting you a validation code to enter whenever you log in or make important account changes.
After enabling this feature, you must enter a validation code every time you log in or make important account changes. If you log in to your account frequently or have multiple users managing your account, we do not recommend enabling this feature.
NOTE: At this time, only U.S.-based numbers can receive validation codes.”
Michael, Richard is correct. You must use the validation code sent to your phone to log in to the system. Once in the account, an additional validation code is required to disable this feature, or make changes to your email address on your account.
An email is sent to the Go Daddy account holder to inform them that the email on their account has been changed. With the amount of email that Go Daddy sends out, at any time, an email provider can have the emails from Go Daddy blocked or marked as spam. Then the email about the email address being changed is in a spam folder or blocked. The account holder does not see it. The “undo” feature is also never seen by the account holder. Obviously, attempts are made to whitelist emails from Go Daddy. But if Go Daddy email is blocked by the provider, the whitelist does not help.
If you use a Go Daddy email address, then the email is managed in the account that was just hacked.
Does Go Daddy’s Chief Information Security Officer see the day when critical emails sent by Go Daddy are not so prone to being handled as spam by major email providers?
How does Mr. Redfoot go about informing account holders that the email address they are using is blocking emails from Go Daddy, so that critical information is going unseen by the account holder?
This has happened to me. Since godaddy was sending so many emails, their servers were blacklisted; front-level customer service was clueless and unable to help. I googled it, and rightfully so, there were so many others complaining about the same issue, while the customer service reps at godaddy kept saying check your spam box, lol. If it was that easy, I would not be spending an hour calling you.
Bob, this is from Todd:
You describe a very real scenario. We send out a lot of email (account notices, transfer requests, etc.) and constantly try to stay on top of not being blocked. We work with the providers themselves to get us on their whitelist, so they will deliver all mail from our servers. But at the end of the day, we all get way too much email to begin with, so even when it is delivered, it can easily be overlooked.
I think the answer to your question is in new communication methods. We are going down the path of push messaging with our Go Daddy mobile app, as well as notifications within the account interface itself. This will bring more attention to the mission-critical notices, without bogging down our inboxes. Stay tuned for when we release these features.
First, you are correct, Go Daddy support is NOT going to tell you that an email from Go Daddy is blocked. Giving the Go Daddy customer that fact would be an admission that the Barb Rechterman-generated Go Daddy promotional emails have created a problem. The problem being that the promotional emails now have gotten ALL Go Daddy emails blocked as spam. No one at Go Daddy is going to question that. The view of the Go Daddy executives is that they have been paid a lot of bonuses because of Ms. Rechterman and her email campaigns. They are not going to challenge that situation.
The above being the case, on the blocked emails, I am requesting some views on the following. In the past, I could not install an SSL from Go Daddy because my client was NOT getting the email for the validation of their domain. Go Daddy support kept telling me to give the validation email more time. After a LOT of waiting and wasted time, on my own, I found that the validation email was going to an email address from a provider who had blocked emails from Go Daddy. At that point, it appeared that the choices for the SSL were as follows:
1 – Wait and hope for the email provider to unblock Go Daddy. There is no help from Go Daddy on this. Calling the email provider does no good. They report having valid reasons to block emails.
2 – Go to the client and ask them to change the WHOIS info on their domain to align with the company that I had selected for their SSL, Go Daddy. Then wait even longer for the WHOIS to update.
3 – Cancel the Go Daddy SSL and purchase a new SSL from another provider. A provider that does not send as much spam as Go Daddy.
I am asking those who read these posts:
Of the choices above, what would you do?
I welcome your ideas!!!!
Nice tips, thanks for sharing.
To fool keyloggers, the virtual keyboard can be used to type in passwords using the mouse.
This is incorrect!!!! Keyloggers use the binary character codes sent to the 2nd-level processing. So even if you use the virtual keyboard, it can still pick up the characters. A safe way to avoid keyloggers is to have your PW typed somewhere you can copy and paste it. This reports nothing but the mouse coordinates and button clicks to 99% of keyloggers.
There are many 3rd-party password vault programs out there that store your info in encrypted vaults and allow you to copy the contents with a button click instead of typing it out.
As well, the issue from the other day, changing of godaddy emails via an old credit card: at least ask for a PIN, or contact the old credentials on the account first, before service reps change account info.
I have a suggestion for yet another layer of security: Require an account email that is different from one’s Whois email. Then use that as the user ID sign in and eliminate the user ID and account number as sign-in options.
Account and last 4 numbers of credit cards should NEVER be sign-in options.
Send all updates, receipts, etc. to the Whois and account email addresses, but only queries about domains to the Whois email, which should NEVER be a point of entrance into an account.
If your user sign-in email is a secret, then it will be more difficult to hack in.
That’s a great recommendation! Go Daddy account email addresses are managed separately from domain contact information. We don’t require them to be different, but it’s certainly a good idea for increased security.
What about GoDaddy Gold Account and Platinum account?
These kinds of accounts are not safe!?
“always, always, always log out”
This one is not hard, since GD automatically logs me out after every 5 minutes, it seems like. I understand the security reasons, but I think a time-out after an hour could still be safe, and would mean I do not have to constantly revisit the GD tab in my browser every 4 minutes during auction time to do some little activity so that I don’t get logged out. I really like GoDaddy, but this is the one thing I have always found irksome.
… and I don’t say this to be a negative-nancy. This was a great post, btw.
Mike, I’m glad you liked the post, and thanks for the feedback regarding the page timeouts. It’s always difficult to define the appropriate space between convenience and security, but we do our best to find that happy medium. Of course, you shouldn’t actually be getting logged out in just five minutes. If that’s happening, there’s a problem because the timeout is longer than that. We’ll take an extra look at things just to be sure.
The website states that 2step verification is only available for US customers. We Canadians need security features too! It’s been a while now and godaddy still hasn’t made the feature available to Canadians…what’s the hold up?
I emailed goDaddy about this, and I got back a generic email with the URL to set up 2step – but they ignored the part where I mentioned I am Canadian.
From the article:
“Go Daddy offers two-step authentication in the US and Canada.”