Recently, a friend of my wife had something on Facebook go viral and she became the target of some, shall we say, unpleasant people. Here was my advice to her on how to secure her digital life. This is by no means complete, since there’s much more to security than I can fit in a blog post. This is a basic guide to securing your accounts against people trying to access them without your permission. It’s also, unfortunately, not guaranteed to work. Advanced persistent threats (skilled attackers intent on a specific target, basically) are extremely difficult to defend against, but the steps below raise the cost enough to stop most opportunistic attackers.
First things first: get a password manager. Really strong passwords are difficult to remember. So… don’t. Remember them, that is. Password managers let you create monstrosities like “cha5REZu44t*uqaq?Utr”, a different one for every site. They encrypt and store these passwords, then regurgitate them when you need them. The one password you still have to remember is the master password that unlocks the manager, so make it long (a passphrase of several unrelated words works well) and never reuse it anywhere. LastPass is a popular web-based password management system, though I haven’t used it. My preferred solution is an open source implementation called KeePass 2, which has clients on Windows, Linux, macOS, Android, and iOS. I store my password database in a properly secured Dropbox account that is further secured with two-factor authentication; the database file itself is encrypted, so even if Dropbox were compromised the attacker would still need the master password. More on two-factor authentication later.
The next (tedious) step: update your passwords across the board with replacements from your shiny new password manager, starting with your email account. If attackers can read your email, they can take control of every account associated with it by requesting password resets and intercepting the reset emails. Then, secure the accounts whose compromise would hurt you the most. This means financial, professional, and medical, in that order of urgency if you can’t do them all at once.
Next, set up two-factor authentication (2FA). Two-factor authentication means proving your identity with two different kinds of evidence, most commonly something you know and something you have. An example would be a building access key card requiring a PIN. You know the PIN and you have the card, so you’re allowed access; a thief who steals the card still can’t get in, and someone who shoulder-surfs the PIN has nothing to swipe. A second password does not count as a second factor, because it is the same kind of evidence as the first. 2FA can be set up on just about anything that could be considered important: Google, Facebook, PayPal, Dropbox, Twitter. There are many more sites that support 2FA than I can list here, so have a look at twofactorauth.org to see what else you can secure.
Your options for 2FA will usually be a text message, phone call, email, software token, or hardware token. Of these, software and hardware tokens are the most secure. Text messages and calls can be redirected by convincing your carrier to move your number to a new SIM (a “SIM swap”), and an emailed code is only as safe as the email account it lands in. A software token never transmits the code at all: an app on your phone holds a secret shared with the site during setup and combines it with the current time to generate a six-digit PIN that changes every 30 seconds. Setup is easy: install the app (I use Google Authenticator), scan an onscreen QR code, and type in a code to confirm it works. (Google publishes an easy-to-follow setup guide.) That QR code contains the secret itself, so don’t screenshot it or leave it on screen for others to see. After completion, you’ll receive a list of backup codes you can use to access your account should you lose your phone. Record these in your password manager.
If you really want to be secure, you can get a security key. These are tiny USB sticks that fit on your keychain. I won’t pretend to understand the underlying cryptography, so here’s Ars Technica’s explanation:
The Security Keys are based on Universal Second Factor, an open standard that’s easy for end users to use and straightforward for engineers to stitch into hardware and websites. When plugged into a standard USB port, the keys provide a “cryptographic assertion” that’s just about impossible for attackers to guess or phish. Accounts can require that cryptographic key in addition to a normal user password when users log in.
I got one a few weeks ago, and it’s really easy to use. When you want to log in to an account, type your password and plug in the key when prompted. The key signs a challenge that is tied to the real site’s address, so a look-alike phishing page gets a signature the real site will reject, and there is no code for you to mistakenly type into the wrong place. This is only necessary the first time you log in from a given browser or device (most sites offer to remember it), so you don’t have to go hunting for your keys every time you want to check Facebook. It’s supported by Dropbox, Google, Facebook, and others. Register a second key or keep your backup codes somewhere safe, since losing your only key otherwise locks you out. If you’re serious about protecting yourself, it’s worth the $18 investment.
Last up, verify the security and privacy settings for your accounts. Google has a step-by-step guide for their security and privacy settings, and Facebook has one as well. This isn’t just about hacking, it’s also about information sharing. Find out what information you’re sharing with the world, and ask yourself if it’s something you’re comfortable having a potentially hostile stranger knowing. Do you want this person to know your email address? Your home address? Where you work? What about your phone number? They could all be available.
Finally, keep in mind that everything here is only intended to protect you from people who want access to your accounts. These steps won’t protect you from things like spear phishing attacks, insecure software, or being careless. You’ve probably heard these before, but they bear repeating:
- Keep up to date. If your computer tells you it has an update, apply it, or better yet turn on automatic updates so you don’t have to think about it. This is especially true for Java, anything made by Adobe, your browser, and your operating system. No one is so busy that they can’t take fifteen minutes to reboot once a week.
- Only open files from sources you trust. Your system can be taken over with a PDF, a Word document, or any number of random email attachments. Attackers routinely forge the sender’s name, so “it came from my friend” is not proof of anything. If you don’t know what it is or weren’t expecting it, don’t open it.
- Pay attention to warnings. It’s easy to succumb to alarm fatigue and stop paying attention to them, but they’re there for a reason. In particular, watch for invalid certificate warnings in your browser. These will appear as full-page warnings containing “Your connection is not secure”. If you see these, it could mean a few different things: either the site administrator has screwed up somehow, or someone is impersonating the site you’re trying to access, or something between you and the site (a hostile Wi-Fi network, say) is tampering with the connection. In any case, don’t click through and add an exception; nope right out of there.
Good luck. Security is a tricky thing to get right, but these basic tips should help you get started.