Category Archives: Password

Data Privacy Day and Practical Online Security

Today is Data Privacy Day, where we bow our heads and give thanks to the benevolent corporations that so closely guard all of our data. Without these titans of industry, data breaches would be routine and your private accounts could be accessed by nefarious hackers wearing ski masks.

don't let this guy win
don’t let this guy win

But just in case you don’t feel these companies always have your best interests in mind, there are a few simple things you can do to protect yourself online. Obviously this is not a comprehensive list and will not protect you against all adversaries, but you’ve gotta start somewhere.

Passcodes

Put a passcode on your phone, seriously. If you’ve followed the “debate” over the use of encryption in iPhones and Android devices, you know that certain groups (like the FBI and more local law enforcement) are very upset that encryption is now the default on modern devices. Encryption means that the data should be inaccessible to anyone who is not you, but it does you no good unless you enable it with a passcode. If you don’t want to use a passcode, don’t bother reading the rest of this post. Anyone with physical access to your phone can get at the data inside.

Additionally, if you feel like you could be in a situation where you could be physically coerced into unlocking your phone, turn off the fingerprint or face-recognition unlocking features. Don’t reveal your password to anyone without something that’s been signed by a judge.

Also, pick a GOOD passcode. Don’t pick 1234, 0000, 2580, or your birthdate. And just like a password, don’t tell it to ANYONE. Not your lover, not your boss, not your pastor. Also, wipe your phone’s screen regularly because I can probably guess your passcode based on the Dorito cheese your greasy fingers leave behind.

Password Manager

Speaking of passwords, you should never reuse them! If you use the same password on your Google, Facebook, and Amazon accounts, anyone who guesses that single password has access to all those accounts.

I recommend using a password manager to keep track of all these things. The way a password manager works is that you remember one master password, which is used to unlock an encrypted database of the passwords you use on other sites.

I personally use 1Password, which costs money (though I think there’s a free trial), or LastPass, which is free. Both can generate new secure passwords for you when you sign up for a new site, but all you need to remember is the master password. Both options above have browser extensions and mobile apps, which reduce the amount of hassle it takes to start using passwords more securely.

Install Signal

If you have a smartphone, this is a necessity. It’s currently the most secure text-messaging app on the market, and it’s free. Messages between you and other Signal users will be encrypted, so even an adversary using IMSI-catchers (aka Stingrays; when they’re in planes they’re sometimes called Dirtboxes) won’t be able to view them.

Of course, using Signal does not mean you’re completely secure if the other person does not have it installed. Signal gives you an indication if the other party has it. You can also use the app to make secure phone calls with other Signal users.

Apple’s iMessage also provides fairly good security, in that it encrypts your conversations, but only works for conversations between iPhone users.

Enable Two-Factor Authentication on Everything

This is probably the most “cumbersome” step but will also provide the greatest security against attempts to access your accounts. It’s called two-factor authentication (sometimes multi-factor authentication) and the basic idea is that it should take more than just a username and a password to log in to an account. Since a username and password are things you know, we want to require something else to prove your identity. Typically this is something you have (like a smartphone) or something you are (like a fingerprint).

By enabling two-factor authentication, the next time some masked hacker guesses your username and password for a website, the site will send a verification code to an app on your phone or as a text message to you. Without that code, they won’t be able to log in and see all your secret messages and cat pictures! However, you’ll need to go through some configuration steps to enable this. I recommend starting by enabling two-factor authentication on your Google account first.

If you are able, I suggest installing Google Authenticator (or Authy) on your phone rather than getting verification codes via text message. Not all services use two-factor authentication and some only use codes sent as text messages rather than using Google Authenticator. Here is a handy chart of sites that support it – I recommend enabling on all that you can, particularly Facebook (they’re called “Login Approvals”) and Twitter.

I’m sure I forgot something, so feel free to ask questions or drop knowledge in the comments. I’m available to give presentations and assist with security at a discounted rate (if I like you), or at my usual hourly rate (if I have no idea who you are). Stay safe out there!