The password, not the username, is the most important part of an online account, and it is relatively easy to explain why. A username is usually displayed somewhere on the site the account belongs to. A Facebook wall post, a reply in an online forum or the byline of an article all show the username in one form or another. And even where the username is not displayed openly, it can often be guessed, or it is simply the user's email address.
An account password, on the other hand, is not visible anywhere. Attackers who know the right password can usually get into an account easily; attackers who only know the user's email address or username on the site cannot.
Now that we have established that passwords are the most important part of a user’s online presence we need to find out how to make them as secure as possible.
You have probably come across password security questions before. They are often used to identify a user who has forgotten the password to an account. The major problem with these security questions is that sites usually offer only a fixed list of generic questions for the user to choose from during setup: the mother's maiden name, the first school, the favorite sports team or the birthplace.
Asking such questions is problematic for two reasons. First, they are not very secure if the attacker has access to information about you. Your mother would surely know most of the answers, as would a close friend, and even many work colleagues or classmates might. Second, the answers to this type of question are easy to guess. The number of possible answers is far smaller than the number of possible passwords for an account, so an attacker can simply try the most popular answers and see whether one of them is a hit.
Phishing is a form of attack that is usually carried out by email. The term phishing is made up of the two words password and fishing, which describes the basic concept. Attackers try to convince the user that the email has been sent by a trusted organization. Most phishing emails imitate messages from financial organizations such as PayPal or banks, but other services, including social networking sites like Facebook or MySpace, are also targeted by phishers.
Links in those emails lead to fake websites that look like the original. The only purpose of such a fake website is to capture the login data of a user who does not realize it is not the real site.