Facebook, Twitter, and Other Big Players Don’t Secure Their Login Pages

I’m going to wag my finger at a few of the bigger websites on the Internet for a few minutes. Hackers run rampant on the Internet. They’re very stealthy; you probably don’t even know they were there until some time after they’ve passed by. They’re a sort of pickpocket thief.

Short story… My wife was in New York a few years ago and decided to see exactly how good the New York pickpockets were. So she and a friend took a couple of dollar bills, folded them in half, and stuck them out of their back pockets just enough to make it obvious for someone walking next to them to see the cash in their pocket. They figured it was a pretty easy target and would take less than 10 minutes on the bustling streets before the bills were gone. They weren’t even done making guesses before they noticed the cash was gone. They checked their pockets, looked around on the ground, and stared at each other in disbelief. That was quick! So they decided to try something a bit more difficult. They took a couple more dollar bills, folded them up, and put them in their front pockets with the corners of the bills sticking out of the pocket. The front pocket has to be more difficult than a rear pocket… right? You can clearly see everything in front of you and your hands are virtually right next to the pockets. Well, you can probably guess what happened next. The pickpockets were up for the challenge this particular day, and after just a few minutes of walking through a crowded street, the cash was gone.

Moral of the story? Hackers are sneaky buggers! But… and here’s the punchline… you CAN prevent most hacks by putting up correct defenses and knowing how to steer clear of the hacker “hangouts.”

Now let’s get back to Facebook and Twitter. Most website owners use these large social platforms. I could probably guess that you have already logged into your Facebook account at least once today. I could probably even guess that you have Facebook or Twitter open in a browser tab or a window next to this page. Am I right?

I can also probably guess that you’ve never thought twice about typing your login information into their little username and password boxes at the top of their homepages, right? Here’s the problem with logging into Facebook and Twitter right now. Look at the pictures below of their login URLs.

Facebook Non-secure Login URL

Twitter Non-secure Login URL

What do you notice? A nice little icon, a URL that you recognize, and an http://… wait? Just http://… Where’s the “S” in HTTPS://??

You have been trained very well to look for that HTTPS:// on ecommerce sites or banking websites. Your browser probably even changes to a blue or green color on secure sites, right?

Hackers know how popular sites like Facebook and Twitter are. They know they have easy targets if they can “listen” to your computer as you type in usernames and passwords. Let’s not get too “geeky” or “technical” here, but essentially everything you type on the Internet can be tapped into, much like a tapped phone line. UNLESS… you type it through an encrypted connection. The “S” in HTTPS:// indicates an encrypted connection. That’s why you feel safe putting in personal information such as name, address, phone, credit card, etc. on an ecommerce site: that company has taken precautions to keep your information from being stolen.

The “S” in HTTPS (Hyper Text Transfer Protocol over Secure Socket Layer) is a means of hiding what you send from your computer as it travels across the Internet to its destination (i.e. your Facebook or Twitter account information). HTTPS gives your logon a private and secure ride across the Internet, hidden from the unwanted prying eyes of nasty hackers.
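The missing “S” can be checked mechanically rather than by eyeballing the address bar. The following Python audit is an added example, not code from the original post: it parses a login page's HTML, finds every form with a password box, and reports whether that form and the page it sits on are served over HTTPS, suggesting the “just add the S” alternative when they are not. The page URL and HTML it runs on are constructed samples.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: a login form on an http:// page, posting to a relative path.
SAMPLE_LOGIN_HTML = """<html><body>
<form action="/login.php" method="post">
  <input type="text" name="email"> <input type="password" name="pass">
</form>
<form action="/search" method="get"><input type="text" name="q"></form>
</body></html>"""

class LoginFormFinder(HTMLParser):
    """Collects every <form> on the page and whether it holds a password box."""

    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current and (a.get("type") or "").lower() == "password":
            self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def audit_login_forms(page_url, html):
    """One finding per password form: where it submits and whether that is safe."""
    finder = LoginFormFinder()
    finder.feed(html)
    page_secure = urlsplit(page_url).scheme == "https"
    findings = []
    for form in finder.forms:
        if not form["has_password"]:
            continue
        target = urljoin(page_url, form["action"])  # "" resolves to the page URL itself
        submit_secure = urlsplit(target).scheme == "https"
        if submit_secure and page_secure:
            status = "OK: page and form both use HTTPS"
        elif submit_secure:  # encrypted submit, but the form itself arrived over plain HTTP
            status = "WARNING: HTTPS form served from an HTTP page (form could be altered in transit)"
        else:
            status = "FAIL: password would be sent over plain HTTP"
        findings.append({"submits_to": target, "status": status,
                         "https_alternative": None if submit_secure else "https://" + target[len("http://"):]})
    return findings
```

The WARNING case is the one the plain address bar hides: the credentials themselves travel encrypted, but a form fetched over HTTP can be rewritten before it reaches you.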

Here are a couple of login URLs you might recognize that have been secured with HTTPS://

GMail Secure Login URL

Amazon Secure Login URL

Here’s the trick…

Facebook and Twitter do actually have secure login pages. You just have to manually add the “S” into the URL. Look at the images below and notice the difference from the non-secure images above. You still have their icons and the recognized URL, but now you have HTTPS and a green highlight around their name.

Facebook Secure Login URL

Twitter Secure Login URL

I’m not picking on just Facebook and Twitter. I see login pages all the time that aren’t secure. In fact, I’ve noticed several hosting accounts that don’t use secure URLs. Shame on them! They know better! These and other sites not using SSL for their logon page could almost be called negligent in their lack of support for user privacy.

And I wouldn’t be surprised if just a few months down the road, Facebook and Twitter change their login pages to force secure logins for everyone. The point of this article is to educate users to be aware of entering login information on non-secure pages. Look for that little “S” and the green or blue login bars. They can help keep you safe. That’s why they’re there!

So what? What can a hacker do with my username and password?

Besides the obvious fact that they can deface and spam all your friends, resulting in your account getting penalized or completely banned, there is something much worse that a hacker can do with your username and password. From my experience as I consult and do outsource work for companies and individuals, I have found that many people use the same username and/or password for many of their accounts. The same username/password combination for email, Twitter, Facebook, and their website! I certainly understand how we all like simplicity in our lives, and remembering dozens of unique usernames and passwords is difficult, but please, please, PLEASE… don’t use the same username or password on all your different accounts. At the very least, please use different login credentials for your website. You do so much work guarding and protecting your WordPress installation. Don’t give a hacker such an easy open invitation through the front door by using the same login credentials.

Fine Print Disclaimer:

Just because a site has HTTPS:// in the URL does NOT automatically make it a credible company. You can purchase a secure certificate for $30/year and make your site appear secure and credible. And some hackers will go this far to “fake” a reputable site. Always be cautious before entering any type of personal information (this includes usernames and passwords!). It’s always safest to type the URL directly in the address bar rather than clicking a link in an email. And if in doubt, don’t do it without consulting forums or other reputable sources.