by Larry Magid
When it comes to online security, you don’t have to be paranoid to worry about people who want to harm you. Sadly, there are such people, and although they have nothing against you personally, they do want your money, and because the internet is global, they can be anywhere in the world, including countries where it’s extremely difficult to find and prosecute them.
That’s why you need to take precautions to protect your online accounts. Contrary to what you may have heard, the threats don’t always come from hackers with sophisticated computer skills. There are plenty of criminals who use old-fashioned persuasion and trickery to get you to reveal information or fall for a scam. There’s even a term for that, “human engineering.”
So, in addition to doing technical things like keeping your operating systems, browsers and software up-to-date and using anti-malware software, the most important things you can do have little to do with technology and everything to do with critical thinking and protecting your information.
Strong unique passwords
Start by making sure all your passwords are unique, relatively long and hard to guess. Never use a name or a word that can be found in a dictionary. You can abbreviate a phrase by using the first letter of each word. It’s a good idea to have at least one capital letter and some numbers and symbols. Some experts recommend a series of random words that don’t ordinarily go together. Never use the same password on multiple sites; you can have a similar one that you change a little for each site, perhaps with a different letter or two, but never the name of the service or anything else that’s easy to guess.
A password manager like LastPass, Bitwarden or 1Password can store passwords for you, as can Apple Keychain and browsers, including Edge and Chrome. Make sure the password to that service is very secure, but you should still keep a copy of your passwords, preferably on a piece of paper that you keep away from your computer. I realize some people are afraid of writing them down, but unless you live in a place where someone is likely to find and use your password list, it’s likely OK. Hackers on other continents do not have access to things you write down and store in a drawer or safe at home.
Some sites let you sign in using Google or Apple or even Facebook. As long as your passwords to those services are secure, it’s a pretty good idea, especially with sites that are not that well known, because it means not having to share your password with that site.
I have different standards for different types of sites. My passwords for my newspaper or streaming services are secure, but I have very secure passwords for email, banking, social media, medical records or other sites where the consequences of a break-in are more serious.
Many services offer two-factor authentication, where they send you a code by text or email or allow you to use an authentication app. It may take a minute or two longer to sign in, but it greatly reduces the risk of a hacker getting in. In most cases, you don’t have to authenticate yourself every time. It’s usually just the first time you sign in from a new device or browser, or they may ask you to re-authenticate after a period of time.
Some sites, mostly on mobile devices, allow you to use biometrics such as your fingerprint or face recognition. This is not only secure but makes it very easy to log in. I recommend using this whenever possible. Keep track of your password in case you need to log on from a different device or if the biometric fails to work, as sometimes happens.
Some sites let you use a time-based one-time password (TOTP). These generate a unique, temporary password that is valid for a short period, typically 30 or 60 seconds. Sometimes they will send that temporary unique code to your email or mobile device on the assumption that only you have access to those. There is also the option of using an authentication app like Authy, Google Authenticator, Microsoft Authenticator or LastPass Authenticator.
If you’re compromised
Chances are pretty good that you have interacted with a site that’s been breached, so it’s likely that your email address, some usernames and even some of your passwords are already on the dark web. That’s why it’s important to change passwords periodically. There are ways to check if your information can be found on any accessible databases of leaked information, including data from sites that have been hacked. Many security programs, like Norton Security, offer services that look for your data on the dark web, but there are free ones, including haveibeenpwned.com, that let you enter your email address to find out if that address has been revealed in a breach. Don’t panic if you find out it has. Just make sure you’re using a secure password that has been changed since any likely breaches. And if you ever hear that any of the services you use have been breached, change that password right away.
Be careful about challenge questions
You’ve probably been asked to enter information for challenge questions to authenticate you such as your mother’s maiden name, your first car, etc. Your best bet is to answer these with fictitious information that can’t be guessed or found online. Make sure you write down that information or store it in a secure and encrypted file so you know what you entered if you ever have to answer a challenge question.
Use encrypted services
If you must share confidential information, use a service like WhatsApp, Signal, Telegram or iMessage that uses end-to-end encryption so that your information cannot be compromised in transit. All reputable password management services are encrypted as are many messaging services.
Avoid phishing scams
Be wary of phishing scams that send you email or texts asking you to log in to a service or respond to an email with information that can be used to compromise you. Often they ask you to log into what appears to be a legitimate bank or other website. Don’t click on their links unless you’ve verified that they are legitimate. One tell-tale sign is if the website they link to doesn’t have the same URL (web address) as the organization or company, but sometimes it’s hard to tell, so the safest bet is to log into the site using a known URL or to call them on the phone.
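The “same URL” check is harder than it looks, because a link can contain the real company’s name while leading somewhere else entirely. This added example (not from the original column) does the comparison the way a browser does: it extracts the host the link actually resolves to and accepts it only if it is the known domain or a subdomain of it. The domains are constructed placeholders on the reserved .example and .test names, not real sites.

```python
from urllib.parse import urlsplit


def link_hostname(url: str) -> str:
    """Return the host a link really leads to: credentials, port, path and case stripped,
    and any internationalized name converted to its ASCII (xn--) form."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return ""
    host = (parts.hostname or "").rstrip(".")
    try:
        return host.encode("idna").decode("ascii").lower()
    except UnicodeError:
        return ""


def matches_known_site(url: str, known_domain: str) -> bool:
    """True only when the host is the known domain itself or a subdomain of it.
    A host that merely starts with or contains the known name is rejected."""
    host = link_hostname(url)
    known = known_domain.lower()
    if not host or any(label.startswith("xn--") for label in host.split(".")):
        return False                      # empty/odd scheme, or lookalike letters in the name
    return host == known or host.endswith("." + known)


def check_links(urls, known_domain: str):
    """Classify each link against the site you expect; returns (url, host, ok) triples."""
    return [(u, link_hostname(u), matches_known_site(u, known_domain)) for u in urls]


if __name__ == "__main__":
    # Constructed sample links, as they might appear in a suspicious message.
    samples = [
        "https://bank.example/login",
        "https://Secure.BANK.example:443/login",
        "https://bank.example.login-verify.test/",
        "https://bank.example@evil.test/login",
        "http://bank-example.test/login",
    ]
    for url, host, ok in check_links(samples, "bank.example"):
        print(f"{'OK     ' if ok else 'SUSPECT'} {host:40} {url}")
```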
It’s also important to have backups of all your data in case you’re ever a victim of a ransomware attack or a virus that wipes out your device’s storage. Monitor all your financial accounts, and if you find any unauthorized charges, report them immediately so that you can be reimbursed for any losses.
This post first appeared in the Mercury News