Facebook Security Best Practices

Profile Information

Keep in mind that with the changes rolled out by Facebook in December 2009, certain information about you is now "Publicly Available Information" (PAI), meaning this information is public to any visitor to your profile.

Facebook makes everyone disclose:

  • Full name
  • Profile picture
  • Gender
  • Networks

You can reduce the visibility of this information by opting out of Facebook Search results; however, there is no way to completely opt out of disclosing this information.

Users particularly worried about their security might choose to sanitize the information they disclose — for example, by changing the networks they join.

Privacy Settings: Basic Directory Information

| Option | Sophos recommends | Why? |
| --- | --- | --- |
| Search for me on Facebook | Be careful | The extremely paranoid may choose to set this option to "Friends only," though this setting makes search effectively useless. "Friends of Friends" or "Friends and Networks" are slightly more useful — though still locked-down — options. |
| Send me friend requests | "Friends of Friends" | As soon as you accept a friend request, your new friend has access to a wealth of information about you that they could potentially exploit. Make sure the people you add as friends are trustworthy and that you can verify their identity. |
| Send me a message | "Only Friends" | Accepting a message from someone you do not know or trust leaves you vulnerable to socially engineered scams as well as basic phishing. Don't leave yourself open to this kind of attack: disable messages from people you don't already know. |
| See my friend list | "Only Friends" | Knowing who your friends are could really help an identity thief, so we suggest making this friends-only at a minimum. Bear in mind that it's not just your own security at stake — if a friend's account is compromised, a cybercriminal accessing their account can see your friend list. If this is a concern, set your friend list visibility to "Only Me." |
| See my education and work | "Only Friends" (at most) | It may seem innocuous to call out your alma mater or where you grew up, but disclosing education and work information can be very valuable to someone trying to socially engineer a manipulative attack against you. |
| See my current city and hometown | "Only Me" | Better still, do not enter this information at all. |
| See my interests and other Pages | "Only Friends" (at most) | These are pages that you "like" or fill-in content areas where most people add personality to their profiles; however, they are rife with opportunities to disclose valuable personal information that can assist identity thieves. Additionally, many of these pages can be of a religious, political or personal nature that you might not want to disclose universally. If you are not comfortable with a potential future employer knowing this information, keep it locked down to a friend level or even set to "Only Me." Be careful about what you reveal here. |