In case you’re living under a rock, there is a hack or breach in the news seemingly every other week. Not to scare you, but if you’re in the world of information security, the reality is that there is a breach in the news every day. It’s scary, and I understand, but you can take a few simple steps to reduce your risk significantly. To be clear, there isn’t anything to do to perfectly protect yourself, but as the old saying goes, “You don’t have to outrun a bear – you just have to outrun the other guy.”
Use a password manager and use it properly
If you take nothing away from this blog entry, just know that you need to use a password manager. Investing just a few dollars a month in a password manager will drastically increase your online security in ways few other solutions can promise. My recommendation is 1Password, but BitWarden is also a solid choice. For those who are “all in” on the Apple ecosystem, you can use iCloud Keychain, Apple’s native solution. LastPass was previously an acceptable option, but unfortunately they’ve had their own security issues, so it’s best to steer clear.
Now that you’ve signed up for a password manager, how does one use it properly? That’s fairly simple: use a strong and unique password on every website. Let the password manager generate a new password for every website you use, and make sure it’s something lengthy; 20 characters is great. The passwords will look like total gibberish, and that’s exactly what you’re looking for. A large majority of the “hacks” you hear about in the news are a fairly simplistic attack called “credential stuffing.”
You might have heard about the 23andMe breach, which exposed data on millions of genetic records – that was credential stuffing. In brief, hackers get lists of usernames/emails and passwords from websites with poor security. Hackers know that people are lazy and often re-use passwords (and the email address is always the same), so they can try the username and password leaked from one site on any other site. If you’ve got an account there with the same password, they’re in. Easy.
For those new to password managers, you don’t need to go to every single site you’ve ever signed up for and immediately change your password. Yes, that would help, but it’s also a lot of work. Start simple: change the passwords to your most critical services (email, bank, investments) immediately, then change the rest as you log in to them. Tried to log in to a site and it isn’t saved in your password manager? Perfect time to change that password and save it.
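To make the “unique, long, gibberish” advice concrete, here is an added example (my own code, not from the original post or from any password manager vendor) that does two things a practitioner would actually want: generates a 20-character password from the operating system’s cryptographic random source, and audits a password-manager CSV export for exactly the weaknesses credential stuffing exploits, re-used and short passwords, listing critical services (email, bank, investments) first so you know what to rotate today. The export below is a constructed sample in the common `name,url,username,password` column layout; the column names, the `CRITICAL` keywords and the 16-character minimum are assumptions you can adjust to your own vault.

```python
import csv
import io
import secrets
import string
from collections import defaultdict

# Constructed sample export (fake credentials, for demonstration only).
# Most password managers can export a CSV with columns like these.
SAMPLE_EXPORT = """name,url,username,password
Email,https://mail.example,alice@example.com,correct horse battery
Bank,https://bank.example,alice@example.com,Summer2023!
Plushy Trains Forum,https://trains.example,alice@example.com,Summer2023!
Streaming,https://tv.example,alice@example.com,Summer2023!
Shop,https://shop.example,alice@example.com,x7Q!p2Lm9sVb4kRt8wZe
"""

ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Assumed keywords that mark a vault entry as "critical" (change these first).
CRITICAL = ("email", "bank", "invest")


def generate_password(length: int = 20) -> str:
    """Random password drawn from the OS CSPRNG via `secrets` (never `random`).

    The same call works for a made-up security-question answer.
    """
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def audit_vault(export_csv: str, min_length: int = 16) -> dict:
    """Find passwords shared by more than one entry, and entries shorter than min_length.

    Returns {"reused": [[names sharing one password], ...], "short": [names]}.
    """
    entries_by_password = defaultdict(list)
    short = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        entries_by_password[row["password"]].append(row["name"])
        if len(row["password"]) < min_length:
            short.append(row["name"])
    reused = [names for names in entries_by_password.values() if len(names) > 1]
    return {"reused": reused, "short": short}


def rotation_order(findings: dict) -> list:
    """Every flagged entry, critical services first, then the rest alphabetically."""
    flagged = {name for group in findings["reused"] for name in group}
    flagged |= set(findings["short"])
    is_critical = lambda n: any(k in n.lower() for k in CRITICAL)
    return sorted(flagged, key=lambda n: (not is_critical(n), n))


if __name__ == "__main__":
    findings = audit_vault(SAMPLE_EXPORT)
    print("Re-used password groups:", findings["reused"])
    print("Too-short passwords:", findings["short"])
    print("Change these, in this order:", rotation_order(findings))
    print("Example replacement:", generate_password())
```

Run it against your own export (then delete the export file; it is plaintext) and work down the list it prints. Because the password itself is only used as a grouping key and never printed, the report is safe to keep as a to-do list.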
Don’t give out unnecessary information
This goes two different ways. The first is the random sites and services you sign up for. Does that forum for collectible plushy train toys actually need your real birthday? No, it really doesn’t. Pick another random date and use that. You might need the information later (for password recovery), so write it somewhere safe, like your new password manager. Why does this even matter? Because if the site does use your birthday for password reset, well, your birthday is public information. With a few minutes of knowing where to look, you can find the name, address, birthday, birthplace, phone number and other basic demographics of almost everyone in the Western world.
The same goes for password reset questions. My mother’s maiden name, for the purposes of password reset on various websites, is “5F3vFUCgCtsZoL”. Why? Because mother’s maiden name is part of that generic information available online. Sometimes password reset questions are slightly more challenging, like “Your first make and model of car”. Better hope you aren’t a member of a forum for classic Ford Explorers, haven’t posted a picture of the car, and that the same question hasn’t been asked (and hacked) on another site.
The second way people often give out a ton of unnecessary information is… social media. It’s fun to show off “Hey, check out my new car” or “Look at the house we just bought”, but what information are you putting out in public? A generic picture of a house or car isn’t a big deal, but if you’ve got your license plate or house number in it, well, now you’ve given out something useful. My favorite is pictures of keys (for cars or houses); you might as well have handed your keys to some random burglar on the street. It’s trivially easy to duplicate keys from a picture (note: that article is 15 years old now). If you’re giving out this information, you’ve probably also location-tagged your posts, which attackers can search by location.
These sorts of issues also compound over time as more information is posted. Posting a house address or keys may not be immediately dangerous. But now, when you post about the beautiful two-week vacation to Tahiti you’re on… great, now they know your house is unoccupied. Clearly, people aren’t going to stop posting on social media; just be conscious of what you might be putting out there, especially if your profile is public.
To be clear, when I say social media, that also includes private and semi-private forums (e.g. Facebook groups). A common issue I’ve recently found out about is pregnant women posting their ultrasounds. Ultrasound images almost always include private medical information, including (but not limited to) name, hospital, and estimated age of the unborn child.
If you wouldn’t feel comfortable putting the post up on a billboard in Times Square, think about whether you should post it in the first place.
MFA & Passkey for critical systems
For most people, Multi-Factor Authentication (MFA) is a big, scary and confusing topic, but it can be explained thus: in addition to authenticating with something you know (your password), you also authenticate with something you have (a device, fob, code, etc). The reason is that anything you “know” (a password) is something someone else might know as well. MFA (sometimes called 2FA, Two-Factor Authentication) is typically a rotating 6-digit number, or a text to your cellphone. But we really don’t like texts to the cellphone anymore because, unfortunately, the big telecoms can’t be trusted (seriously, do you really trust Verizon or AT&T?).
These can be a little bit annoying to set up and use normally; fortunately, password managers make it much easier. This slight amount of pain should be undertaken for the most critical services in your life (again: email, banking, etc).
Lucky for us, there is a new option that’s slowly rolling out: passkeys. A passkey replaces passwords and the need for MFA. Using a password manager, passkeys are easy to set up and use. So if the services you care about support passkeys, set that up and make your life faster and easier.
Keep your devices up to date
Yes, it does feel like your phone or computer wants to update something every week. However, almost all of these updates are for your own good. Keeping your devices (phones, iPads, computers) up to date is a very simple way to keep yourself secure from many of the newest dangers lurking online. Staying updated is the digital equivalent of buckling your seatbelt in a car. It may not protect you from every single issue out there, but we know for a fact that seatbelts save lives in a large number of situations, and in just the same way we know keeping your phone up to date will keep many of the latest attacks at bay.
If it doesn’t make sense or it’s too good to be true, it’s probably dangerous
No, someone rich isn’t going to send you $100 for forwarding this email, or sharing this link.
No, the IRS doesn’t demand payment in iTunes gift cards.
No, Apple or Microsoft are not going to call you (or pop up a message on your device) saying you’ve been hacked and to click something to be secure.
No, the cops are not on their way unless you pay the debt/tax fines/whatever.
No, your utility is not just going to give you a discount for being “such a great customer.”
In short: if it’s too good to be true (free money), it probably is. Any time someone wants something strange, unusual, urgent/time-sensitive, or scary, it’s probably a scam. Tell them they can send you a letter in the mail, and don’t give them your address; if it’s legitimate, they already have your address.
If you *think* it might be legitimate, such as your credit card company calling about a suspicious purchase, hang up on the caller, find the CORRECT phone number from the party’s website or another trusted source (the number on the back of your credit card, or your monthly utility bill), and call them yourself. Never trust caller ID, never trust a phone number given to you by someone who called you, and never trust a random phone number on a random website.
And if you think you might have been scammed, tell everyone who you think might need to know. Call your bank, your utility, your kids, your family, whatever. If you’ve got a security-conscious friend or family member, talk to them. There is no shame in admitting you made a mistake. Scammers are so good that even Information Security professionals will fall for scams from time to time.
It may seem scary out there, but by taking a few precautions and thinking critically, you significantly reduce your risk. Using a password manager is like a seatbelt: it might seem like an inconvenience at first, but once you get in the habit of using one, you realize how much better your life has become. 99% of the hacks in the news come down to people being lazy, so put in just a tiny bit of effort and you’ll have protected yourself from the majority of the scary stuff out there.