i mean that as in, being able to enter my accounts without even using my password or without installing any virus in my computer. thank you!!

  • TootSweet@lemmy.world
    link
    fedilink
    English
    arrow-up
    12
    ·
    1 year ago

    “Hack” is a pretty imprecise term, but let me see if I can discern what you mean by it.

    I’m guessing you mean something like “log in as me,” in a way that would allow a hacker to see your private information and take actions as you, yes? (You mentioned Facebook, so something like reading private DMs and/or making posts as you would be your concern, yes?)

    First off, there are some things about software security that require specialized/professional knowledge to understand, but a lot of software security is things that you can mostly work out for yourself with no “magic” involved.

    You said in your original post “without using my password”, but do for sure consider that if your password is “1234” or the word “password” or something similarly easy to guess, that’s definitely one way that hacker could gain access to your accounts without comporomising your computer.

    Similarly with your “secret questions” for account recovery. (That feature is usually used let you back into your account if you forget your password.) If your answers are easy to guess, that can (depending how exactly the website acts) be used to gain access to your account.

    Cookies are unique identifiers that websites give you to uniquely identify you. Websites can handle requests from thousands of different users in a single second and need to be able to keep track of which requests are for the user “TootSweet” and which are for the user “adrian rodriguez” (and which are for which of the other thousands of users.) When you visit a website and your browser doesn’t give a cookie value, the website assigns you a cookie value (typically a very large number.) Thereafter, your browser will send the cookie value to the website every time your browser sends a message ot the website.

    When you log in, the website saves some information on its side saying “all messages with the cookie value 12345678 are for the user ‘adrian rodriguez’.”

    So, if you’re logged into a website with the “remember me” feature, that means there’s a cookie value in your browser that the website knows is you. Anyone with that cookie value can access the website as you.

    Your browser does its best to make sure that that cookie value isn’t leaked to anyone. It’s supposed to be kept a secret between the website and your browser. And unless the website isn’t following good security practices, the website only assigns very large, random numbers that are very very hard for a hacker to guess.

    So in practice, for a hacker to access your accounts as you via your cookies, somehow they’d have to get your cookie value. And that cookie value only exists on your computer and on the website’s computers.

    If a hacker was targeting you, they might try to trick you into giving them your cookie value. They’re not terribly easy for a casual user to find, but if a hacker walked you through the process without telling you that they were trying to steal your identity and log in as you, theoretically it could be done. That would involve following some somewhat complex and opaque steps, though. Or a hacker might try to infect your computer with a virus that would go find the cookie values where your browser keeps them and send those cookie values to the hacker. There are some other potential ways they might try to steal your cookie values, but for most users, those are pretty unlikely scenarios where the hacker would probably be walking you through it step-by-step over the phone or some such.

    There have been a few times when the account of someone I knew started posting spam messages or some such. I suspect in the significant majority of cases where that’s happened, it’s been because they used a very weak password or there were viruses on their computer or phone.

    If that happened to you recently or you’re concerned about that potentially happening to you in the future, changing your passwords (and switching to a password manager like “LastPass” or short of that just picking a very hard-to-guess password and not reusing the same password for multiple accounts), enabling 2-factor authentication, reporting the incident to the website(s) where your account(s) were compromised (if possible), and logging out are probably your best options.

    Deleting your cookies regularly can’t hurt, but it doesn’t really do anything other than log you out of all websites. (I’m oversimplifying a little, actually. But not much. It would technically be a little safer to log out of websites when you’re done using them than delete your cookies. Logging out lets the server know to stop thinking that the cookie value number is associated with your account. Deleting your cookies just makes your computer forget the cookie value. If someone already has your cookie value for a particular website, then deleting your cookies won’t do anything to revoke their access. But logging out theoretically might in some circumstances.)

    Also, deleting your cookies on your phone won’t do anything about dedicated apps that you’re logged into. So, for instance, if you’re logged into the Facebook Messenger app, deleting your cookies from your browser won’t log you out of your Facebook Messenger app.

    One other thing I’ll mention. You asked if providing your email address to a website could allow a hacker to access your accounts. Think to yourself: if you only knew your email address and not your password and you were logged out of an account, could you use just the email address to log in? If the answer is “no”, then chances are the same is true for “hackers.”

    Sorry. I went into this post trying to explain things simply, but it’s a complex topic! I hate that there’s an extent to which you do have to be an engineer to understand some of this stuff and make good software security decisions. But there’s definitly also an extent to which you can improve your security without a degree in computer science. I hope some of this has helped at least somewhat.

    • 01adrianrdgz@lemmy.worldOP
      link
      fedilink
      arrow-up
      1
      arrow-down
      1
      ·
      1 year ago

      i am a software developer so i know those things, and yes it’s complex, but i was afraid because i used to use firefox with cookies disabled, and i thought it was safe, but i will not give anyone my cookie value. thank you!!