Facebook Security 101: Locking Down Your Account

At my wife’s request, here is the shortened version:

  1. Obfuscate (make it not make sense) your security question’s answer; enable secure browsing, login notifications, and login approvals; and kill off any unrecognized active sessions at https://www.facebook.com/settings?tab=security
  2. Change your password at https://www.facebook.com/settings?tab=security and make it (really) secure.  Get a password vault/generator like 1Password.

Now, read the rest of this, to find out what you just did…  🙂

This morning, Wal-Mart’s Facebook page got hacked.  I figured it might be a good time to talk about the steps you can take to lock down your Facebook account, so that you won’t fall victim to a similar fate.

And, incidentally, if you’re wondering why a hacker would be interested in your account, the answer is simple: Because it’s there.  How would you feel if you turned on the television one evening, and saw your face, being quoted as saying something horrible?  Same idea here.

Start by enabling secure browsing.  If you do nothing else in this article, at least do this.   Go to https://www.facebook.com/settings?tab=security and enable Secure Browsing.  This will encrypt everything you do with Facebook (although it may not encrypt external activity, like games).  This will prevent somebody from stealing your login session (the cookie that keeps you logged in) by snooping your traffic at a public WiFi access point.

Now, let’s go back to your password.

Change your password from time to time, and make it something secure.  Your middle name followed by a number can be hacked pretty quickly.  Personally, I use a password vault/generator for my passwords, so, to be honest, I don’t even know what my Facebook password is, though I have access to it by means of a secondary password on all of my devices.  The one I use is 1Password.

It syncs your passwords between Mac, Windows, iOS, and Android, so all of your devices will have your password, encrypted by a password that only you know, so that your data will remain secure.  It also stores credit card numbers, and other information, and can fill them into website forms with a single click.  Very cool.  And, yes, there are less expensive solutions out there; this is just the one that I use.
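To show what a vault's password generator actually buys you over "middle name followed by a number", here is a small added example (my own illustration, not code from 1Password or from the original post). It draws each character with the operating system's cryptographic random source and compares the size of the search space an attacker would face against a name-plus-number pattern. The name-list and number-range sizes used for that comparison are assumptions, not measurements.

```python
import math
import secrets
import string

# 94 printable ASCII characters: letters, digits and punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Return a random password drawn with secrets (CSPRNG), rejecting any
    draw that misses one of the four character classes."""
    if length < 4:
        raise ValueError("need at least 4 characters to cover every class")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for a uniformly random string of this length."""
    return length * math.log2(alphabet_size)


def pattern_space_bits(names: int, numbers: int) -> float:
    """Bits an attacker must search if the password is one of `names`
    common names followed by one of `numbers` possible numbers."""
    return math.log2(names * numbers)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    # Assumed attacker model: 10,000 common first names x 1,000 numbers,
    # and a guess rate of one billion per second (offline, fast hash).
    weak = pattern_space_bits(10_000, 1_000)
    strong = entropy_bits(len(ALPHABET), 20)
    print(f"name+number pattern: {weak:.1f} bits, "
          f"{seconds_to_exhaust(weak, 1e9):.3f} s to exhaust")
    print(f"generated 20-char:   {strong:.1f} bits, "
          f"{seconds_to_exhaust(strong, 1e9) / 3.15e7:.2e} years to exhaust")
    print("example password:", generate_password())
```

The numbers in the comparison are the point: a name-plus-number pattern is on the order of twenty-odd bits, which falls in well under a second at offline guess rates, while a 20-character password drawn from 94 symbols is above 130 bits and is not exhaustible in practice. The vault remembers the password so you do not have to.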

Now, let’s move on to your other security settings.

Start with your security question.  Is your answer to the question the actual answer to the question?  How many other people might know that?  A lot of people will use nonsensical answers to these questions (with the caveat that you have to remember them), to prevent this kind of social-engineering hacking.

Next, turn on login notifications, via both email and text/push (assuming you have a mobile device).  You should be the only person to ever log in to your Facebook account, so you really want to know if somebody else does.

Next are login approvals.  This is a nifty feature, which will make it almost impossible for somebody else to access your account, unless they have both your password, and your mobile device.  There are a number of ways to set this up, but the simplest is that, after entering a correct password, Facebook sends you a text message with a code that you have to enter.  You can also use a code generator, like Google’s, or the one built into the Facebook app.  You can find more information at https://www.facebook.com/note.php?note_id=10150172618258920

Finally, at the end of the list, are your active sessions.  These are the places from which you’ve logged in, and are currently active.  If somebody has stolen your session, you’ll see it listed there.  It’s a good idea, from time to time, to clean up old sessions, and certainly terminate any sessions that you don’t recognize.