Last updated by Erik Kingissepp
Whether it is through growing use of smartphones, social media, e-commerce or other means, we are all putting our personal information on the Internet more and more. We are living in a time of unprecedented connectivity, and it is easy to forget that there are dangers out there, on the Internet, on social media, in the apps we use every day.
As the Internet evolves, it is becoming ever more interconnected (sometimes in ways we don’t know or think of). In the push to make things easier online, sometimes we make things more dangerous.
More and more websites use your email address as your username to sign in, which makes an attacker's job easier: they already know your username, so they only need to guess your password.
So what if someone gets access to your Facebook account? No big deal. You can just reset your password and that’s that, right?
Wrong. Many websites now offer a “sign-in with Facebook” option. With access to your Facebook profile, someone could also access all sorts of other services.
Even worse, you may have used the same password on other accounts (banking, email, government sites), which means the person who got your Facebook password might be able to access those accounts too. And if someone gets into your email account, they could change your password at virtually every website by sending a reset link to that email address.
When any aspect of your digital security is relaxed, all of your personal information (your credit cards, bank accounts, email accounts, your whole identity) could be at risk.
Things that make you vulnerable
Typically the bad guys are not crafting some attack just for you. They generally send out millions of generic attacks in hopes someone, or many people, will fall victim to them.
One way an attacker can obtain your password is simply by trying to log in to one site again and again, working through a list of common passwords such as "password" or "password1".
Generally these attempts fail, but they succeed a certain percentage of the time against accounts with a poor password.
If you avoid the most common errors and create a strong password, you will put yourself in a better place to keep your personal information safe and secure.
From time to time it might be convenient to share a password to one of your accounts with someone else. This could lead to your password(s) unintentionally (or intentionally) ending up in the wrong hands. Also, that person might start using your password with their own accounts. If their password gets discovered by bad guys, it could end up on the “common passwords” list they use to crack accounts, leaving you vulnerable.
Using the same password for each website
With all the websites we visit each day, each with their own password requirements (include a capital, lower case, number, special character, etc.), it can be very tempting to create one password that meets all of those requirements and then use that same password for every site.
While this makes it a lot easier for you to remember your password for each website, it also makes it a lot easier for a hacker to gain access to each of your accounts.
Let’s say your favorite social media site got hacked and your password was stolen. Now those hackers have the password to all of your accounts on every website. Scary thought.
Writing your passwords down
Writing your passwords down, on paper or in a file/email, leaves you vulnerable. If someone finds that paper or you lose your notebook, your accounts could be at risk. If you keep a list of your passwords in a Word doc or an email, you could be vulnerable too: if someone accesses your computer, they could easily find that list.
If you don’t think you can remember all your passwords without writing them down, you should use a password manager program.
Password reset options and compromised email accounts
Most websites offer a “forgot password” option where a password reset link is emailed to the email address listed on your account. This is a great, secure way to get into your account should you forget your password.
Where it becomes a vulnerability is if an attacker gets access to the email account listed for password resets. The attacker could reset the passwords on every online account you have, gain access to those accounts, and lock you out.
A good way to insulate yourself is to have a second email address which you use as the password reset address for your most important accounts (banking, government, etc.). Use your primary email for social media and e-commerce (which are easier targets for hackers), but use your second, more secure address for banking and government sites only.
How to make passwords and keep them secure
Make your passwords impossible to guess
A strong password generally should include these common features:
- Special characters
- 10+ characters
Make sure to include all of these in your passwords.
Make your password as long as possible, but not so long that you can’t remember it.
A great way to make a super-secure password that you can easily remember is to think of it as a passphrase instead of a password.
This would be a very secure password. It’s long, has upper case, lower case, numbers and special characters. Problem is nobody would ever be able to remember it!
Now that is easy to remember! Look, you’ve already memorized it! (But don’t use it, or any example, as your password!)
Or you can string a few nonsensical words together, separated by special characters and numbers.
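The "nonsensical words separated by special characters and numbers" approach can be automated. The following script is an added example, not part of this page; it picks words with Python's `secrets` module (a cryptographically secure generator) and reports how much entropy the result carries. The 16-word `SAMPLE_WORDS` list and the `SEPARATOR_SYMBOLS` set are constructed for the demo; a real generator would draw from a published list of several thousand words.

```python
import math
import re
import secrets
import string

# Constructed sample word list for the demo. With only 16 entries each word
# adds just 4 bits; a list of 7776 words (a common size) adds ~12.9 bits per word.
SAMPLE_WORDS = [
    "anchor", "basket", "comet", "dune", "ember", "fjord", "glacier", "harbor",
    "iris", "jigsaw", "kettle", "lantern", "meadow", "nectar", "orbit", "pebble",
]
SEPARATOR_SYMBOLS = "!@#$%^&*-_+=?"


def generate_passphrase(words=SAMPLE_WORDS, count=4):
    """Join `count` randomly chosen words with a random digit+symbol pair,
    e.g. 'comet7!dune2$ember9-orbit'. The digit and symbol between words
    satisfy the 'numbers and special characters' rule from the text.
    Uses `secrets` (CSPRNG), never the predictable `random` module."""
    if count < 1:
        raise ValueError("count must be at least 1")
    parts = []
    for i in range(count):
        parts.append(secrets.choice(words))
        if i < count - 1:  # separator between words, none at the end
            parts.append(secrets.choice(string.digits) + secrets.choice(SEPARATOR_SYMBOLS))
    return "".join(parts)


def passphrase_entropy_bits(word_count, wordlist_size=len(SAMPLE_WORDS)):
    """log2 of the number of equally likely outputs of generate_passphrase():
    each word contributes log2(wordlist_size) bits, each separator
    log2(10 digits * number of symbols) bits."""
    per_word = math.log2(wordlist_size)
    per_sep = math.log2(10 * len(SEPARATOR_SYMBOLS))
    return word_count * per_word + (word_count - 1) * per_sep


def split_passphrase(phrase):
    """Recover the words from a generated passphrase (words contain no digits,
    so every digit+symbol pair is a separator)."""
    return re.split(r"\d[" + re.escape(SEPARATOR_SYMBOLS) + r"]", phrase)


if __name__ == "__main__":
    phrase = generate_passphrase()
    print(phrase)
    print(f"{passphrase_entropy_bits(4):.1f} bits with the 16-word demo list")
    print(f"{passphrase_entropy_bits(6, 7776):.1f} bits for 6 words from a 7776-word list")
```

The entropy figure is the honest strength measure: it counts only the random choices the generator made, so it does not reward length that an attacker who knows the word list could predict. Four words from the tiny demo list give about 37 bits, which is why a real word list needs to be large.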
No two passwords should be the same
Ensure each password you use on your accounts is unique. No two passwords should be the same. Don’t use variations of the same root password either.
Don’t make the password for one system “IloveCorvettes” and the password for another system “IloveCorvettes1”.
Don't reuse passwords across multiple sites. Reusing passwords for email, banking, and social media accounts can lead to identity theft.
Avoid simple passwords
Don't use personal information such as your name, age, birth date, child's name, pet's name, or favorite color/song, hobbies, etc. in your password.
When 32 million passwords were exposed in a breach in 2015, almost 1% of victims were using "123456." The next most popular password was "12345." Other common choices are "111111", "princess", "qwerty", “password” and "abc123."
Do not use repeating characters or numbers (like 12121212), the word "password", or simple keyboard combinations like "asdfghjkl".
Do not use simple 1-word passwords, like Elephant. These can be cracked very quickly by password-cracking software.
Check your password strength
If the site you are signing up for offers a password strength analyzer, pay attention to it and heed its advice. There are even some sites out there dedicated to checking your password's strength.
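To make the rules from the "Make your passwords impossible to guess", "No two passwords should be the same" and "Avoid simple passwords" sections concrete, here is an added example of a local strength checker (not code from this page or from any product it mentions). It reports every rule a candidate password breaks: length under 10, a missing character class, a common password, a repeating or keyboard pattern, a single dictionary word, personal details, or reuse of a root shared with another password such as "IloveCorvettes" versus "IloveCorvettes1". `COMMON_PASSWORDS` holds the values quoted in the text, and `DICTIONARY_WORDS` is a constructed five-word stand-in for a real dictionary.

```python
import re
import string

# Constructed, abridged lists for the demo. A real checker would load a large
# breach-derived common-password list and a full dictionary instead.
COMMON_PASSWORDS = {"123456", "12345", "111111", "princess", "qwerty",
                    "password", "password1", "abc123"}
DICTIONARY_WORDS = {"elephant", "dragon", "monkey", "welcome", "sunshine"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
MIN_LENGTH = 10


def _root(pw):
    """Lower-case letters only: 'IloveCorvettes1' and 'IloveCorvettes' share a root."""
    return re.sub(r"[^a-z]", "", pw.lower())


def _has_keyboard_run(pw, run=4):
    """True if any 4-key slice of a keyboard row (forwards or backwards) appears."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - run + 1):
                if seq[i:i + run] in low:
                    return True
    return False


def _is_periodic(pw):
    """True if the whole password is a short unit repeated, e.g. '12121212'."""
    n = len(pw)
    return any(pw == pw[:k] * (n // k)
               for k in range(1, n // 2 + 1) if n % k == 0)


def check_password(pw, existing=(), personal=()):
    """Return a list of problem codes; an empty list means every rule passed.

    existing  - other passwords the user already has (plaintext; this is a
                local, offline check the user runs on their own machine)
    personal  - names, dates, pets etc. that must not appear in the password
    """
    findings = []
    low = pw.lower()
    if len(pw) < MIN_LENGTH:
        findings.append("too_short")
    if not any(c.isupper() for c in pw):
        findings.append("no_upper")
    if not any(c.islower() for c in pw):
        findings.append("no_lower")
    if not any(c.isdigit() for c in pw):
        findings.append("no_digit")
    if not any(c in string.punctuation for c in pw):
        findings.append("no_special")
    if low in COMMON_PASSWORDS:
        findings.append("common_password")
    # whole-string repetition ('12121212') or 4+ of the same character in a row
    if _is_periodic(pw) or re.search(r"(.)\1{3,}", pw):
        findings.append("repeating_pattern")
    if _has_keyboard_run(pw):
        findings.append("keyboard_sequence")
    # a single dictionary word, optionally with a digit or symbol tacked on
    if re.fullmatch(r"[A-Za-z]+[\d!@#$%^&*]{0,2}", pw) and _root(pw) in DICTIONARY_WORDS:
        findings.append("single_word")
    if any(len(t) >= 3 and t.lower() in low for t in personal):
        findings.append("personal_info")
    root = _root(pw)
    if any(pw == e or (root and root == _root(e)) for e in existing):
        findings.append("reuse_or_variation")
    return findings


if __name__ == "__main__":
    for candidate in ["password", "12121212", "asdfghjkl", "Elephant",
                      "correct7!Horse2$Battery"]:
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
    print(check_password("IloveCorvettes1", existing=["IloveCorvettes"]))
    print(check_password("Rex2019!secure", personal=["Rex", "2019"]))
```

The root comparison is what catches the "IloveCorvettes" / "IloveCorvettes1" case the text warns about: stripping digits and symbols and lower-casing both passwords makes the variation collapse onto the original. The same normalisation is why a password built from several unrelated words passes cleanly.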
Use a password manager
These services use a master password (which also must be unique) and a browser plugin (or their website) to save passwords and provide them to you when logging in to any site you wish. They will also generate unique passwords for you within the plugin. This does a few things: it frees you from having to remember passwords, lets you have truly secure and unique passwords for every site you use, and carries them all from browser to browser (as opposed to having Chrome remember your passwords, for example).
LastPass offers two-factor authentication, and 1Password has two-factor authentication available in the licensed version. The master password for your password manager should be stored only in your head.
Clean public computers’ caches
If you use a public computer, make sure to clear the browser's cache when you are finished using it. That way the browser will not have any usernames or passwords remembered in it.
Smartphone and tablet security
Make sure to password-protect your devices!
Most of us have our email accounts set up on a device of some sort. If you were to lose that device, and it didn’t have a password protecting it, whoever found it could access your email and use it to reset your passwords for all your accounts. Plus, they’d know what type of accounts you have, because they can see all your apps (banking, e-commerce, etc.).
Securing your home Wi-Fi
Securing a wireless network can get technical. When setting up your home wireless network, you should take steps to ensure it is secured and cannot be accessed by unauthorized parties.
Check out this handy guide to setting up a secure home Wi-Fi network: http://www.wikihow.com/Secure-Your-Wireless-Home-Network
Key points to remember when setting up your home Wi-Fi network:
- Enable encryption on your access point (router/gateway)
- Do not use WEP encryption
- Use WPA or WPA2 encryption
- Select a long, secure password (use the same methodology you have learned about in this course to make the password)
- Change your Wi-Fi network name (SSID) from the default name to something unique. Default SSIDs are very obvious, and to hackers indicate a "soft target" (a network set up by a novice, meaning it is likely easier for them to hack).
- Don't disable the SSID Broadcast option
- Disable remote login
- Disable wireless administration (meaning you'll need to plug directly into the router to change any settings)