[By Nic Lindh on Saturday, 22 August 2015]
As we lead more and more of our lives online, the consequences of losing control of our accounts get more dire, putting both our money and our reputations at risk.
You don’t want to end up completely paralyzed by paranoia, but you don’t want to make yourself a target, either. This post is written for “normal” people who aren’t likely to be targets for concerted attacks, but instead are more likely to get caught up in automated attacks perpetrated by criminals.
If you’re Jennifer Lawrence, you need to get way, way more paranoid than this. But you’re probably not.
The basic problem we have is that securing computers is incredibly hard—it’s something humans just did not evolve to be good at—so sooner or later some site you use will be cracked and criminals will make off with whatever information they found. This information will then be sold and traded and used in various creative ways to attack other sites and institutions in a chain of awfulness.
Remember, though, that for most people these are automated attacks that go for the low-hanging fruit, so some basic hygiene will protect you well. The steps below will help you lock your digital doors and windows. Let’s go through the steps.
Arguably your most important accounts are your email accounts—if somebody takes control of your email that person can send password resets from pretty much any other site and it’s game over.
This means yes, you should use a unique and complicated password for your email.
Again, your email accounts are the keys to all your other accounts—guard them carefully.
Two-factor authentication combines something you know (your password) with something you have (your phone). Some sites will send you a text message with a verification code, some will use a special app on your phone—such as Google Authenticator—to verify your identity.
If you use a site—like GMail or Dropbox—that offers two-factor authentication, turn it on, now!
This is the single most powerful thing you can do to increase your security online.
This one is obvious—if attackers get a hold of your user name and password from one site, they will attempt to log in to any site they can think of with that same combination. If you’ve reused passwords across accounts, boom, they’re in.
But, you sigh, I have so many accounts there’s no way I can remember unique passwords for all of them.
True. Neither can I. Neither can Batman. In 2015 a password manager is required, not optional. Is it a pain? Yes. Is it more of a pain than having somebody break into your accounts? No, it is not.
A good password manager makes it easy to generate hard-to-crack, unique passwords for each one of your accounts. Personally I use 1Password on my Macs and iOS devices and it’s working great for me. (Not an affiliate link—I genuinely use and recommend it.) If you find another one like LastPass or KeePass that works for you, go for it. Just pick one and use it.
Once you’ve converted over, you only need to remember the one (very strong) password you set up for the password manager itself.
Note that if you’re in the Apple ecosystem, Safari on the Mac and iOS has a very bare-bones password manager built in, which is certainly better than nothing.
This one is a bit more paranoid, but with how easy it is to find personal information these days, an automated attack that harvests the answers to common security questions en masse is a real possibility. So, lie. If the question is, “What street did you live on as a child?”, answer “James Bond” or something nonsensical like that.
Obviously, you’re going to have to write down your dirty lies somewhere, like your password manager.
Increasing your online security mostly requires changing your thinking a bit to become more conscious of the risks. Follow the tips above and you’ll avoid at least automated trawls from criminals on the net.
Note: You might follow all these tips and still end up a victim. Nothing is guaranteed. Be careful out there.
Style note: The word “hacker” used to mean somebody who did clever things with computers and has since been co-opted to mean “computer criminal.” By not using it in that sense in this post I’m doing my tiny part to bring the word back to its real meaning. If you write for public consumption, please consider not misusing “hacker” to mean “computer criminal.” You can write two words instead of one. I believe in you.