Your Password: Keep it Secret, Keep it Safe
Today's guest post is from Matt Lind. Matt is the Customer Success Manager at Spredfast, fielding questions every day from Spredfast users. Tweet Matt using @gomattlind and visit his personal technology blog The Encyclopedia of Matt.
When one fast food company suddenly swallows another and unexpected partnerships develop in the automotive industry, the fallout can be entertaining and slightly humorous. However, this week's news involving Twitter hacking also brings to mind that classic adage "If it could happen to them, it could happen to me" and its much lesser-known corollary "If it happens to me, I will not be laughing... nor will my management."
Twitter offered excellent and commonly accepted information regarding security in a quick blog post. The Spredfast team wants to share more about how passwords are used, how the platform protects its customers, and how its customers can protect themselves. In the world of passwords, knowledge goes a long way.
A critical note about social media passwords and Spredfast
Spredfast never stores a password for Facebook, Twitter, LinkedIn or any social network. In fact, very few third-party tools do. Spredfast does not see, store or have any knowledge of our customers' social network passwords. Instead, the social networks issue security tokens to Spredfast at the time the social media accounts are authenticated. The token authorizes Spredfast to publish, listen, and measure activity. Spredfast receives and securely stores these tokens, but never any passwords.
If a social network detects any unusual activity in an account, that social network typically deactivates all of the tokens which have been issued. When Spredfast communicates with the social networks after unusual activity has occurred, the social networks will indicate the token has been invalidated, at which point Spredfast's authorization to learn anything about that social media account is immediately revoked. Spredfast is rendered unable to publish, listen, or measure activity related to the invalidated account. As soon as Spredfast receives this message from a social network, Spredfast notifies the Spredfast user designated as the Company Owner that the social media account has been deauthenticated and that re-authentication is needed.
Think of this like a hotel room key card. During the authentication process, the social networks issue Spredfast a token (key card) which allows Spredfast to access social media accounts for publishing, listening, and measuring. However, if any unusual activity occurs (think hotel party), the social networks deactivate all the outstanding tokens (key cards) issued to Spredfast and any other third-party tool. When the tokens are invalidated, the third parties holding those tokens (key cards) can't get into the room until the owner of the social media account intervenes. The re-authentication process allows the social media account owner to affirm their own identity and ownership, and re-authorizes a third-party tool like Spredfast to resume its valuable work via a freshly minted token (a new key card).
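The token lifecycle described above, sketched as an added Python example (not Spredfast's code; the class and method names and the in-memory FakeNetwork are hypothetical and constructed for illustration). The connector holds only tokens, and the first rejected call drops the token, blocks further calls for that account, and notifies the Company Owner once:

```python
from dataclasses import dataclass, field


class TokenInvalidated(Exception):
    """Network rejected the token, e.g. revoked after unusual activity."""


class FakeNetwork:
    """Constructed stand-in for a social network that issues and revokes tokens."""
    def __init__(self):
        self.valid = set()

    def issue(self, token):
        self.valid.add(token)

    def revoke_all(self):
        self.valid.clear()  # network-side reaction to unusual activity

    def call(self, token, action):
        if token not in self.valid:
            raise TokenInvalidated(action)
        return f"{action}: ok"


@dataclass
class Connector:
    """Hypothetical third-party tool: stores tokens, never passwords."""
    network: FakeNetwork
    tokens: dict = field(default_factory=dict)        # account -> token
    needs_reauth: set = field(default_factory=set)
    notifications: list = field(default_factory=list)

    def authorize(self, account, token):
        self.tokens[account] = token                  # fresh token after re-authentication
        self.needs_reauth.discard(account)

    def perform(self, account, action):
        token = self.tokens.get(account)
        if token is None:
            return None                               # deauthenticated: do not call out
        try:
            return self.network.call(token, action)
        except TokenInvalidated:
            del self.tokens[account]                  # drop the dead token at once
            self.needs_reauth.add(account)
            self.notifications.append(("company_owner", account, "re-authentication needed"))
            return None
```

Because the dead token is deleted on the first rejection, later publish, listen, or measure attempts fail locally and produce no duplicate notifications until the account owner re-authenticates.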
Spredfast itself is also guarded closely with several safeguards built directly into the Spredfast platform. By design, Spredfast times out after a period of inactivity. Spredfast users may note that they have to re-input their Spredfast passwords frequently to re-access Spredfast. This is a design feature within Spredfast to enhance security and prevent unauthorized access from idle web browser sessions.
If a user does not have to re-input a Spredfast password frequently, he or she may have configured the web browser or computer to store the Spredfast password. Although some users prefer this arrangement for convenience, this does make a Spredfast account more vulnerable, as anyone who gains physical access to the workstation can access Spredfast by extension.
Spredfast offers additional high-security features which require complex Spredfast passwords, enforce password lifespan management, and introduce IP access restrictions which mandate that a company's Spredfast users arrive only from pre-specified IP addresses.
Good password hygiene
Additionally, good password habits go a LONG way toward a secure environment. Creating complex passwords, changing them regularly and keeping them secret are among the most effective ways to keep the environment protected. I have written about password best practices at my personal technology education blog here and here. Stop by for excellent and slightly humorous advice on password selection, hygiene, and good habits.
Spredfast is committed to security as our customers' social reputations are on the line. The strong mesh of social network authentication practices, Spredfast security, and good password habits will provide a secure environment to advance your own brand and message safely and effectively.