What security precautions my family should use
UPDATED on 2014-03-13
Every few months you read a news story about how another website has suffered a data breach and all of its login information has been stolen (i.e. email addresses and passwords). There are plenty more data breaches that don’t get reported because the affected companies either don’t know the theft has occurred or choose not to report it for fear of the bad publicity. But data theft does happen, and it happens frequently.
This affects you because it leads to people breaking into your other accounts. When your email address and password are stolen from one site, the thieves then go to other popular websites and try to log in as you using the same email address and password. Since people don’t change their email addresses very often, there is a good chance you used the same one all over the internet. And since few people bother to change their passwords, if they have one password of yours there’s a good chance they have your password for nearly every website out there.
Once they break in they can do various things. The most annoying but innocuous is spamming your family and friends. Sometimes they steal information like credit card info. Other times they just want the account to ransom it back to you. It all varies depending on the thief. Point is, though, it’s never pleasant for you.
Luckily there are some basic practices you can follow so that when you hear of a data breach that leaked your email and password, you know the worst that will happen is having to reset your password for that single website, and you need not care after that.
Use two-factor authentication when possible
Two-factor authentication is the idea of requiring two pieces of information from you in order to log into a website. Typically this is done through a password and something that you get from your phone. The idea is that for anyone to break into an account that has two-factor authentication turned on, they would have to steal not only your password but also your phone. This protects you both against someone who knows your password (they won’t have your phone) and against someone who has your phone (they won’t know your password).
A few of the biggest websites out there offer two-factor authentication. If you have an account with Google, Facebook, Twitter, LinkedIn, or Github then you should turn on two-factor authentication right now. Typically they will offer to text you a unique number every time you try to log into their website for the first time from a new computer. Some of them, like Google, will also let you install an app on your phone so that you don’t need to be somewhere that can receive a text (e.g. somewhere with no reception, or while traveling overseas). Either way, at worst these services will bug you once a month to log in to their websites and ask you to give them the unique number they provide (this only applies to logging into their websites; apps and phones from these companies are a one-time deal, as they assume you locked your phone). It’s a very minor inconvenience for the peace of mind of knowing that unless someone steals both your password and your phone they can’t get into any of these websites as you.
Use your login from other websites when possible (e.g. Facebook login)
You have probably noticed around the web that some websites let you log in using Google, Facebook, etc. Now that you have turned on two-factor authentication on these big websites (you did turn on two-factor authentication, right?), you can safely use them to log into other websites and rely on the big website to keep your login secure. This means that if a website lets you log in with e.g. Google, then no one else can log in as you on that site unless they can log in as you at Google, which two-factor authentication makes difficult. It’s called delegation, and it’s great because the big websites, which have world-class security experts constantly working to keep them secure, also help keep the rest of the web secure when other websites use them to manage logging in.
Mozilla has even taken the idea of delegation farther with Mozilla Persona. With Persona you can tie your various email addresses together into a single online identity and then use that to log into sites supporting Persona. Since Persona supports Gmail accounts (as well as Yahoo), websites can delegate to Persona, which can in turn delegate to Google.
Have a unique password for EVERY website
For every website that takes a password, you must have a unique password! Doing this means that if anyone steals your password for any website, they only stole your login information for that website and no other. I don’t care if you think “oh, my bank password is different so I’m fine” or “I only reuse passwords on sites I don’t care about”. It is still not pleasant when an account is hijacked, no matter how inconsequential you consider the account at the moment.
Now obviously keeping track of upwards of 150 passwords is not exactly easy. Luckily you have some options. If you want software to store all of your passwords securely for you, you can use LastPass or 1Password. They will also help you generate the passwords you use so that they are not weak. Both support two-factor authentication themselves, so the password store is well protected.
The other option is to use Oplop, a project I created. Basically, instead of saving a password per account you save an account nickname, and then from one crazy-complicated master password you can consistently recreate a unique password per nickname. You can then store the nicknames in a spreadsheet or something, as all of the security is in how safe your master password is.
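To make the nickname idea concrete, here is an added example of a deterministic derivation scheme in the same spirit. It is not Oplop’s own algorithm and is not taken from this post; it is a hypothetical scheme that stretches the master password with PBKDF2-HMAC-SHA256, using the nickname as the salt, so that the same master password and nickname always produce the same site password and nothing but the nicknames ever needs to be written down. The sample nicknames and master password are constructed.

```python
import base64
import hashlib
import unicodedata

# Hypothetical scheme (not Oplop's): one master password + one nickname per site
# -> one stable, site-specific password. Nothing secret is stored anywhere.
ITERATIONS = 100_000  # PBKDF2 work factor; slows down offline guessing of the master password


def derive_password(master: str, nickname: str, length: int = 16) -> str:
    """Deterministically derive a site password from the master password and a nickname."""
    # Normalise so the same text typed on different keyboards/OSes derives the same key,
    # and so "Gmail" / " gmail " count as the same nickname.
    master_bytes = unicodedata.normalize("NFKC", master).encode("utf-8")
    nickname_bytes = unicodedata.normalize("NFKC", nickname.strip().lower()).encode("utf-8")
    # The nickname is the salt: same master, different nickname -> unrelated output,
    # so one leaked site password tells the thief nothing about the others.
    key = hashlib.pbkdf2_hmac("sha256", master_bytes, nickname_bytes, ITERATIONS, dklen=32)
    candidate = base64.urlsafe_b64encode(key).decode("ascii").rstrip("=")[:length]
    # Many sites demand at least one digit; satisfy that without losing determinism.
    if not any(c.isdigit() for c in candidate):
        candidate = "1" + candidate[:-1]
    return candidate


# Constructed sample "spreadsheet": only nicknames are stored, never passwords.
NICKNAMES = {
    "Google": "gmail",
    "Bank": "bank2",      # bumping a nickname (bank -> bank2) rotates just that site's password
    "Forum": "dogforum",
}


def passwords_for(master: str) -> dict:
    """Recreate every site password from the master password and the nickname list."""
    return {site: derive_password(master, nick) for site, nick in NICKNAMES.items()}


if __name__ == "__main__":
    for site, pw in passwords_for("constructed master password, not a real one").items():
        print(site, pw)
```

Two consequences worth knowing before adopting any scheme like this: a site that forces you to change your password means changing its nickname (hence the `bank2` above), and changing the master password changes every derived password at once, so the master password has to be both strong and memorable, since there is no "forgot password" for it.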
Either approach works; it just depends on which one you prefer. Whichever approach you select, choose one of them and use unique passwords for every website. I hope the amount of bold used in this section gets the point across about how important this is. I for one find it rather comforting that every time a website is broken into I can just sigh and say “guess I need to reset that one password” and never have to worry about a cascading effect on the rest of my online accounts. Even if you don’t go back and change all your passwords, starting the practice now of having unique passwords everywhere is better than nothing.
Don’t use strange computers
When traveling, don’t use some computer in a random internet café. Travel with a phone, tablet, or laptop and only use that to connect to the internet. You can use strange WiFi networks as long as whenever you enter your password for any website it is over SSL (i.e. the lock icon is shown in the address bar). Otherwise don’t enter your password on a strange WiFi network either (you can still use them to browse the web; just assume some stranger is recording everything you are doing).
Lock your phone
Since you are typically logged into apps and websites on your phone, you should lock your phone. That way if you lose it or it’s stolen, the person who ends up with your phone can’t get at your accounts and steal them (e.g. request a password reset, read your email to get the new password, and then change the password to something only they know). You can choose the simplest lock mechanism, but do choose something over nothing.
You should also make sure you can remotely lock and wipe your phone when it is lost. Android Device Manager and iCloud’s Find My iPhone help with this.
Don’t use strange programs
Don’t download things you saw in a banner ad somewhere online. Only use software you found through reputable sources (e.g. recommended by a website you trust). And pay attention to the security warnings your phone shows you about an app!
Back up EVERYTHING
With Google storage costing $10/month for 1 TB, there really is no reason not to keep all of your files in the cloud. If you want to be really paranoid you can keep a copy on a local hard drive as well, but you should at minimum have a copy of your files stored somewhere remotely. This is a security precaution against any malware hijacking or destroying your files. It’s also just common sense to prevent data loss from e.g. a failing hard drive.