Nowadays it's more important than ever to protect yourself when you're online. The internet can be a dangerous place, but some basic precautions go a long way to keeping you safe online.
There is no such thing as perfect security, but if you follow the advice in this guide you will be a less attractive and less accessible target for attackers, and most attackers move on to easier targets.
Before getting started
If you're used to always using one of a handful of easy-to-remember passwords, then I have bad news for you: that's just not secure enough any more.
Changing habits is always hard. At first it can feel inconvenient - a frustrating change to ingrained behavior. But I'm here to tell you it gets better. I began following the guidance in this blog post about 4 years ago, and nowadays it's not just second nature - there's no way I'd go back to how things were before!
Passwords are a pain. Simple passwords are easy to remember, but easy for computers to crack. Hard passwords are more secure, but much harder to remember. In the war of passwords, computers will always beat humans, so the solution is to use computers to help us!
Simple passwords are subject to brute force attacks, where an attacker tries every possible combination until one matches your password. How fast that goes depends on how the website stored your password: against a fast, unsalted hash such as MD5 or NTLM, a modern GPU rig can test more than 100 billion passwords per second, while a deliberately slow hash such as bcrypt cuts that rate by several orders of magnitude. You don't get to choose which one a website uses, so assume the worst. By some accounts, an 8-character password can be cracked in as little as 12 minutes for under $25.
This isn't the time to be subtle: if you're not using a password manager in 2020 then you need to start now! No excuses.
Like many, I used to use the same password across many websites. The problem is that if one website gets hacked, even if you used a really long and complex password, the attackers can now try to log in with that same password on any other website you signed up for.
When there is a data breach and passwords are leaked, criminals will try those login details across a plethora of other websites (an attack known as credential stuffing) because they know people reuse passwords.
So if I signed up for an account on the website for Harry's Hair Salon using the same password as my online bank, it doesn't matter that my bank's security is great - I'm at the mercy of Harry's security now!
Why use a password manager?
The fix is to use a unique, unguessable, high-entropy (i.e. long and complicated) password at every website. Unless you happen to have a photographic memory, the only practical way to do that is a password manager. Common options include LastPass (that's what we use) and 1Password, but PrivacyTools recommends Bitwarden as their top pick.
Whichever you choose, do it now!
As an aside, many modern browsers have integrated password managers, but I don't recommend using them. They're not as fully-featured as the dedicated equivalents mentioned above, plus it means all your passwords are locked into one browser. With a dedicated password manager you can have it installed on multiple browsers on your computer and on your phone - very useful!
The idea is simple - your password manager securely stores all your passwords (and other sensitive information you choose to add) and lets you access them just by entering your master password (and hopefully the multi-factor authentication you set up too) - the only password you'll need to remember.
Since the password manager stores the passwords, you can make them as long and complex as you want - and you should! In fact, the password manager will have a built in tool for automatically generating very strong passwords and I highly recommend you use it.
No more typing in passwords. No more forgetting which password you used for a particular site. No more struggling to think up new passwords. Less anxiety that one of your logins might be compromised, and no more worrying about which other sites might be impacted when it is.
When you need to log in to a website, it's just a few taps. Not only is it more secure, but it's also much easier than before!
Changing old passwords
OK, this next part is going to be long and dull. Sorry. You need to change your passwords. All of them. If you're lucky, the password manager will have imported many of your passwords from your browser - if not, I hope your memory is good!
I can only speak to LastPass as that's what we use, but they have a report that shows how often you have reused each password. You need to start working through that list until every single website is using a different password.
Then, find all the sites that use weak passwords (as a simple rule, if you can read the password, it's probably too simple) and replace them with stronger passwords. I use LastPass to generate very strong, cryptographically random, long passwords made up of uppercase and lowercase letters, numbers and symbols.
Good luck trying to remember one of those, but thanks to the password manager, you don't have to!
Depending on how many sites you have logins for, this may take a while. I did it a few years ago during my commute over the course of several days. Find a few minutes here and there, and you'll soon make progress.
When you inevitably come to log in to sites you had forgotten about, add them to your password manager and change your password to something nice and secure. Or better yet, if it's an account you no longer need, delete it altogether!
Bottom line: install a password manager, use it to store all your passwords and change them to unique and complex passwords for every website.
Some websites ask you to provide security questions and answers in addition to your password. As well as the classic "mother's maiden name", these include things like "town you were born in", "childhood best friend's name" and "favorite sports team".
These questions are anything but secure. Just think for a minute how much of this information an attacker might be able to glean from, for example, social media? How about those "fun, innocent quizzes" on social media? Think about how much information you're giving away....
Unfortunately, these questions are often a mandatory step in the flow. But, nothing says your answers have to be accurate! What I do (and I recommend you do) is make up random answers (using my password manager's password generator) and store them in the notes in my password manager for that account.
For example, rather than saying my childhood best friend's name was "John", it might actually say "AKDWNFQGGTLMQEZN". Given that a common way to use these security questions is that you're asked to provide specific letters over the phone, I usually keep it simple and make them all capital letters - less chance of confusion but still secure.
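The two habits above (letting the password manager generate every password, and using random upper-case-only strings as security-question answers) come down to the same thing: draw the secret from a cryptographic random source and make it long enough that brute force is hopeless. The following is an added example, not code from this post or from LastPass or any other password manager. It uses Python's `secrets` module (the OS random source, never the `random` module), computes the entropy of a generated string, and estimates brute-force time at the 100 billion guesses per second figure quoted earlier. The 94- and 26-symbol alphabets, the guess rate and the sample lengths are assumptions chosen for illustration; a slow password hash on the website's side would make every estimate far longer.

```python
import math
import secrets
import string

# Alphabets. UPPER_ONLY mirrors the post's suggestion of all-capital answers that
# can be read out letter by letter over the phone without confusion.
FULL = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
UPPER_ONLY = string.ascii_uppercase                                  # 26 symbols

# Assumed attacker speed: the ~100 billion guesses/second quoted in the post,
# which corresponds to a fast unsalted hash (MD5/NTLM) on a GPU cracking rig.
GUESSES_PER_SECOND = 100_000_000_000


def generate(length: int, alphabet: str = FULL) -> str:
    """Uniformly random string from the OS CSPRNG via secrets.choice."""
    if length < 1 or len(set(alphabet)) < 2:
        raise ValueError("need a positive length and at least two distinct symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size).
    This only holds for generated strings; a human-chosen password has far less."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected brute-force time: on average the attacker tries half the keyspace."""
    return 2.0 ** bits / 2.0 / rate


def describe(seconds: float) -> str:
    """Human-readable duration for the report."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"


def report(length: int, alphabet: str = FULL) -> dict:
    """Generate a secret and summarise how it would hold up against brute force."""
    bits = entropy_bits(length, len(set(alphabet)))
    return {
        "secret": generate(length, alphabet),
        "entropy_bits": round(bits, 1),
        "expected_crack": describe(expected_crack_seconds(bits)),
    }


if __name__ == "__main__":
    # Sample lengths chosen for illustration: a typical short password, a
    # manager-generated one, and an all-caps security-question answer.
    for length, alphabet, label in [(8, FULL, "8-char password"),
                                    (20, FULL, "20-char password"),
                                    (16, UPPER_ONLY, "16-letter security answer")]:
        r = report(length, alphabet)
        print(f"{label:28s} {r['secret']:22s} {r['entropy_bits']:6.1f} bits  {r['expected_crack']}")
```

Run as-is it prints three freshly generated secrets with their entropy and estimated cracking time; the 8-character password lands at roughly 52 bits (hours against a fast hash), the 20-character one at about 131 bits, and the 16-letter upper-case answer at about 75 bits, which is still thousands of years at the assumed rate even though it only uses capital letters.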
Bottom line: don't use real information for your security questions. If someone can steal your name, date of birth, email address and social security number, you can bet they can take a pretty good guess at your favorite band and the make of your first car.
Multi-factor authentication (MFA) is often referred to as two-factor authentication (2FA). The two are closely related: 2FA is the special case of MFA where exactly two factors are required.
Without getting too technical, the idea is that along with your username (or email address) and password, you have to prove you hold something else - usually a one-time code delivered by voice call or SMS, a code generated by an app on your phone, or a hardware security key such as a YubiKey.
You should always enable MFA or 2FA if it's available. It makes it significantly harder (although not impossible) to compromise your account. This is particularly important not just for the obvious websites like your online bank, but also your email account - if someone controls your email account then they can use the "reset password" flow on most websites to take control of those accounts too.
If you have the choice, you should use an app-based authenticator or a hardware security key. While SMS and voice are better than nothing, they're vulnerable to attacks such as "vishing" (voice-phishing) and SIM-swapping. App-generated codes can still be phished by a convincing fake login page, which is why hardware security keys using FIDO2/WebAuthn are the strongest option: the browser will only use the key for the website it was registered with.
Bottom line: if a website offers multi-factor authentication or two-factor authentication, enable it.
I often hear people talking about VPNs as some silver bullet that will protect you from every online threat. I wish that were true, but it's not.
Don't get me wrong, VPNs can have their place, but it's important to realize what they can, and more importantly cannot, do to keep you safe online.
Hiding your identity
Keeping things simple, when you visit a website (or do anything online), the website can see where you're connecting from.
That's essential to how the internet works as without that information, the website wouldn't know where to send the data back to. Think of it like sending someone a letter - if you didn't include a return address, they'd have no way of sending things back to you. This return address is called your IP address.
When you connect to the internet normally, the IP address is the one assigned to you by your ISP. That means that the website you're visiting can see the IP address you were assigned by your ISP, and using that information they can usually get a decent idea of where you're geographically located.
When you use a VPN, your traffic is routed via the VPN provider's server and the IP address the website sees belongs to the VPN provider. That's why VPNs are able to offer services that let you appear to be in another country. VPNs may also be used by people who wish to conceal who they are - an ISP can be issued with a subpoena to reveal your identity based on your IP address, but many VPNs claim not to respond (or even to be able to respond) to those requests. It comes down to how much you trust the VPN: you have moved that visibility from your ISP to the VPN provider, not removed it.
Hiding your traffic
One other use of a VPN is to hide your traffic. While TLS encryption (that's what websites use when you see https:// at the start of a URL) stops anyone on the path from seeing the contents of your data, other people on your network may still be able to see which websites you are visiting: the DNS lookup that turns a name like example.com into an IP address is normally sent unencrypted, and the hostname also appears in clear in the first message of the TLS handshake (the SNI field).
Without getting into the technicalities (read up on DNS and SNI if you want to learn more), the gist is that a VPN is one way to protect yourself against this. A VPN is a Virtual Private Network, and it wraps everything between your device and the VPN provider's server in a layer of encryption, so the other people on the coffee-shop Wi-Fi (and your ISP) see only an encrypted tunnel rather than which websites you're visiting. The VPN provider, and everyone between its server and the website, can still see exactly what your ISP used to see.
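To make the "which websites you're visiting" leak concrete, here is an added example, not code from this post, showing what a passive observer on the same network learns from an unencrypted DNS packet. It builds a standard A-record query for a constructed hostname the way a stub resolver would, decodes the wire format (length-prefixed labels, with RFC 1035 compression pointers handled for responses), and returns every name in the packet. The transaction ID, the hostname and the 192.0.2.1 answer are constructed sample values. This is exactly the information a VPN tunnel hides from the local network; without it, the observer does not need to break TLS to know where you went.

```python
import struct


def encode_name(name: str) -> bytes:
    """Wire-format a hostname as length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """A standard recursive A query (flags 0x0100), as a stub resolver emits it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def read_name(packet: bytes, offset: int):
    """Decode the name at `offset`, following compression pointers (0xC0xx).
    Returns (name, offset just past the name at its original position)."""
    labels, end, hops = [], None, 0
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:  # pointer: top two bits set, 14-bit offset follows
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:  # malformed packets can loop pointers; refuse to spin
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (offset if end is None else end)
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length


def observed_names(packet: bytes) -> list:
    """Everything a passive observer learns from one DNS packet: each question
    name, plus the owner name of each answer record in a response."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    offset, names = 12, []
    for _ in range(qd):
        name, offset = read_name(packet, offset)
        offset += 4  # skip QTYPE and QCLASS
        names.append(name)
    for _ in range(an):
        name, offset = read_name(packet, offset)
        _rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10 + rdlen
        names.append(name)
    return names


# Constructed samples: the query, and a response whose answer refers back to the
# question name with a compression pointer (0xC00C = offset 12) and the
# documentation-range address 192.0.2.1.
QUERY = build_query("www.example.com")
RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
            + encode_name("www.example.com") + struct.pack("!HH", 1, 1)
            + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))

if __name__ == "__main__":
    print("query leaks:   ", observed_names(QUERY))
    print("response leaks:", observed_names(RESPONSE))
```

Both calls return the hostname in clear, which is the whole point: the VPN (or, for DNS specifically, DNS-over-HTTPS in a modern browser) is what stops the next table over from reading it.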
Bottom line: while VPNs can have a role in protecting your security and privacy online, they're often misunderstood by many who use them. They are absolutely not a silver bullet for protecting yourself online, and I typically don't recommend people use one unless they understand how they work.
Social media has exploded in the last decade, to the point that many people spend hours every day trawling through feeds and sharing their lives online.
But just stop and take a minute to think about what you're sharing. Be careful about not just what you're sharing, but about with whom you're sharing it.
Does your profile list your maiden name? Are your kids on Facebook? You've potentially just compromised one of their security questions. Birthday and graduation year? Name of your high school? Favorite sports team? Home town?
One option is to delete your social media presence altogether, but in lieu of that there are at least a few precautions you can take:
- Don't accept friend requests from people you don't know - they could be fake accounts to steal your information, or even to use their connection with you as a way to infiltrate someone else's account;
- Update your privacy and sharing settings so you know who you're sharing posts and photos with;
- Delete or hide any personally identifiable information that you wouldn't feel comfortable with a complete stranger knowing.
Bottom line: think about what you're sharing, and whether that information could be used by someone to steal your identity (or someone else's).
No software is guaranteed to be perfectly secure. Bugs and security vulnerabilities are found every day. The worst of these are known as zero-day vulnerabilities - weaknesses the vendor has had zero days to fix, so no patch exists yet even though criminals may already know about (and be exploiting) them.
When your phone or computer prompts you to install updates, do you do it? While some of these updates bring new features, oftentimes they are security updates - patching known vulnerabilities in the software before the criminals get round to you.
While sometimes these updates will break things, that's not the norm. Overall, in my opinion, the security benefits of installing updates far outweigh the potential of things breaking. So I recommend turning on "Automatic Updates" on your computer and phone, and when prompted, say "yes" to installing the new updates!
As an aside, if you're a blog author, then make sure your blog software is kept up-to-date too. Vulnerabilities are constantly being found (and patched) so it's essential to stay up-to-date with your blog software, else you could unwittingly find your blog hijacked.
Bottom line: enable automatic updates to ensure you already have the latest security patches installed.
Browser Extensions & Plugins
If you're one of those people who has a thousand browser extensions and plugins installed, you might want to rethink that. Browser extensions are often granted very broad permissions - such as the ability to read and edit the data on every webpage you visit, and to see everything you type into them.
Always be sure you trust the source of the extension you're installing, and it's a good habit to periodically go through and remove extensions you don't use any more.
Why? Well, even if a browser extension was safe when you installed it, there are documented cases of developers selling their extensions to unscrupulous people who push out updates to the extension that introduce malicious behaviors.
Bottom line: only install extensions you trust, and remove them once you no longer need them.
This blog post has just scratched the surface of staying safe online, and is intended to include things that everyone can (and should) do. Each of the topics above will incrementally make you a little more secure online, but I would encourage you to adopt as many of these best practices as possible.
Information security is a topic near and dear to my heart - a passion of mine. I hope you've been able to learn something from this blog post, and that it's given you the tools you need to protect yourself online.