In this new world of Zoombombing, Facebook cloning, and email spoofing, digital security is as important as it has ever been. We should all do regular check-ups on our security and privacy settings online – and this is the perfect time to do it!
The first post in this series looked at some things you should stop doing right away – some of the “worst practices” that make you less safe online. In this post, I will be sharing some of the best practices – the things you should begin doing right away to be safer online.
1. Turn On Two-Factor Authentication
Many websites and online services now offer two-factor authentication. That means that when you log in to the website or service from a new computer or device, they will send you a confirmation via another means (usually a text message) to make sure that you are who you say you are.
This is one of the very best things you can do for your online security. Turn on two-factor authentication on all your most important sites and services.
It usually works like this. When I log into my Gmail with my password, I get a text message with a numeric code. I then have to enter that code into Gmail.
It means that logging in is a slightly longer process for me, and I have to have my phone nearby. But it also means that no one can get into my email (or any other service I use two-factor authentication with) without also having access to my text messages at the same time.
2. Use Pass Phrases
We were all taught to use passwords, which were originally exactly that: words.
They became more complex – with random numbers, symbols, and capitalization thrown in. But we still try to stay close to words – because we want them to be memorable to us.
I was taught that the most complex passwords are random numbers and letters – but who can remember those on their own? Even those have issues, because it is rarely people working to hack our passwords; it is machines churning through guesses. It turns out that those random strings of numbers and letters are exactly what computers are best at hacking, while also being exactly what we are worst at remembering. It’s the worst of both worlds!
A pass phrase is a string of random words put together. Take, for example, “Correct Horse Battery Staple.” Because the words don’t naturally go together, are chosen at random, and make a long string, they are incredibly hard to hack. Because they are actual words in a phrase, they are easier for humans to remember. The best of both worlds.
The comic xkcd has done a better job explaining this phenomenon than anyone else.
You can find a variety of websites that generate passphrases for you. Here is one, and here is another.
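To put numbers on the “long and random” argument above, here is an added example (not code from the post or from any generator site it links to) that picks words with the operating system’s secure random source and works out how many bits of entropy each style of secret carries. The word list is a constructed stand-in; the entropy figures assume a real list of 2048 words, so each word contributes exactly 11 bits.

```python
import math
import secrets

# Constructed sample word list. A real generator draws from thousands of
# words (the Diceware list has 7776); only the list size matters for entropy.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "cloud", "river",
                "pencil", "orbit", "velvet", "garden", "maple", "ticket"]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` independent picks from `alphabet_size` options."""
    return length * math.log2(alphabet_size)


def guesses_needed(bits: float) -> float:
    """Expected guesses before a brute-force search hits the secret (half the space)."""
    return 2 ** bits / 2


def years_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected cracking time at a given guess rate, in years."""
    return guesses_needed(bits) / guesses_per_second / (365 * 24 * 3600)


def generate_passphrase(words, count: int = 4) -> str:
    """Pick `count` words with the cryptographic RNG (never random.choice)."""
    return " ".join(secrets.choice(words) for _ in range(count))


def compare(guesses_per_second: float = 1e10) -> dict:
    """Entropy and crack time for the styles the post contrasts.

    The guess rate defaults to an assumed offline attack against a leaked
    hash database; an online login form with rate limiting is many orders
    of magnitude slower, which is why length matters most offline.
    """
    styles = {
        "4 words from a 2048-word list": entropy_bits(2048, 4),
        "8 random letters+digits (62 symbols)": entropy_bits(62, 8),
        "6 words from a 2048-word list": entropy_bits(2048, 6),
    }
    return {name: (round(bits, 1), years_to_crack(bits, guesses_per_second))
            for name, bits in styles.items()}
```

Note that four words from a 2048-word list (44 bits) are slightly weaker than eight fully random characters (about 47.6 bits); the passphrase wins because adding a fifth or sixth word is easy to remember and pushes it well past the random string.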
3. Use a Password Vault
In the previous post, I told you not to store your passwords on your computer or device. This is the exception.
A password vault or password manager is a secure, encrypted program designed with the sole purpose of helping you keep track of all of the passwords / pass phrases you use in your life. The reputable ones have proven their security measures, and are secure on your device.
There are a variety of password managers, and they range widely in cost. For my part, this is a thing that is worth paying for.
Some password managers store their information on your device, and others store it in the cloud. Some of the best options allow you to sync across devices, so you can update a password on your phone and have access to it on your computer.
A few of the better known services are LastPass, 1Password, Dashlane, and Keeper. Factors to consider in choosing a password manager include cost, ease of use, local vs cloud storage, and how well it works with your devices and operating system. I have been using Dashlane Premium for a number of years and it works very well for me.
Now, instead of a million and one passphrases, you have one to remember: Your password manager.
Simpler AND safer.
4. Do a Security Check-Up
Just like you go to the doctor to get a check-up on your physical health, you should also perform a security check-up from time to time.
Some people recommend changing passwords as frequently as every 90 days – which is excessive if you are using secure pass phrases and not repeating them on multiple sites. The forced password changes that some websites do (especially banking websites, in my experience) assume that you are not following these best practices.
Your most critical passwords (banking, email) should be changed on a regular basis. I change them about once a year.
Otherwise, you need to change passwords when they have been compromised.
How can you know?
If you use a password manager (which I know you are all doing now, right?), it will often let you know if one of the websites you use has been breached. You can also check for yourself. Want an eye-opener? Go to Have I Been Pwned and enter your email, and they will let you know if your email was included in any known security breaches. You can also search by your password.
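The password search mentioned above does not send your password to the site. As an added example (not the service’s own code), here is how that “k-anonymity” lookup works: only the first five characters of the password’s SHA-1 hash are sent, the service returns every known suffix for that prefix, and the match is made on your own machine. The range responses below are constructed stand-ins with made-up counts; `fetch_range_live` shows the real request shape but is not run here.

```python
import hashlib
import urllib.request

# Constructed stand-in for range responses: "<35-char suffix>:<breach count>"
# per line. Suffixes and counts are made up, except that the middle line is
# the real SHA-1 suffix of the string "password".
SAMPLE_RANGES = {
    "5BAA6": (
        "0D6B8E4C0D2CFB33F2F5A27EB7A9EF5C8A0:3\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\r\n"
        "2A5F0E2F8B3D0A2D4C9F1E3B5A7C9D1F3B5:1\r\n"
    ),
}


def hash_parts(password: str) -> tuple:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is
    sent over the network and the 35-char suffix that never leaves the host."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Scan a range response for our suffix; 0 means no known breach has it."""
    for line in range_body.splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip() == suffix:
            return int(count)
    return 0


def pwned_count(password: str, fetch_range) -> int:
    """fetch_range(prefix) -> response text. Only the prefix is ever sent."""
    prefix, suffix = hash_parts(password)
    return count_in_range(suffix, fetch_range(prefix))


def fetch_range_offline(prefix: str) -> str:
    """Offline lookup against the constructed sample data."""
    return SAMPLE_RANGES.get(prefix, "")


def fetch_range_live(prefix: str) -> str:
    """Real lookup against the Pwned Passwords range endpoint (needs network)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "passphrase-checkup-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")
```

A non-zero count is the signal to change that password everywhere it was reused, which is exactly the clean-up the next paragraph describes.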
The biggest and most important clean up is the first one. Get rid of all repeated passwords. Get rid of all low-security passwords.
The hardest part for me at first was remembering all the places that I had created an account. There are so many! After using a password vault for a few years, I now have over two hundred credentials stored in there – and I am probably still missing some!
In upcoming posts, I will look at some of the common security and privacy mistakes we are making on individual platforms and sites. But for now, go get yourself a password vault and get started on a security check-up.