This is pretty much a re-post of last year's article; not much has changed, except that in that year there were even more record-breaking breaches. But if you have not started using long passwords or a password manager yet, YOU SHOULD DO THIS NOW.
In this article, I will give you the ultimate security advice and tips for today's online digital life. This will include online passwords, account setup, logon tips, and mobile app management.
Security ≠ easy
This is going to get long.
I’m sure everyone “knows” to change all your passwords to something long and complicated. I’m sure everyone “knows” to have a different password for EVERY site or app. I’m also sure most people don’t, and don’t want to take the time and effort required to have good online security.
But look at this list of sites that have been hacked in the past few years, and it is just a portion of what happens.
- Yahoo was hacked and had 3 billion of their user accounts compromised (that is all of them), and didn't tell us about it for 2 years!
- Equifax was hacked in 2017 and it affected 146 million people. Since they are a major credit reporting agency, it included information like DOB, SS numbers, full names, and driver's license information. And somehow they are allowed to keep their business going AND CHARGE FOR personal information protection!!!??? What the mother f***!
- Target had a 110 million and a 70 million record breach, with full names, addresses, email addresses and telephone numbers let out into the wild.
- Sony PlayStation accounts were hacked, exposing around 100 million users' login credentials, names, addresses, phone numbers and email addresses.
- Home Depot had malware on their POS system for weeks (or longer) stealing customer information.
Source: Tom’s Guide: the Worst Data Breaches of All Time
This article is an update to my past posts on password basics and my book. A couple of the points are ones I came up with years ago and didn't see anywhere else until recently, in large business security procedures. I still don't see some of them in other online security articles.
The points I invented came from my own experience with my accounts being compromised or attempts to hack into them.
I will start off with the basics and move through the advanced options. So after reading this, take an hour and start at the first suggestion, and as you visit other sites over the next few weeks, change your settings.
#1. As I alluded to above, this is the most important one: use long, complicated, and different passwords for every website or app you use. I will expand on this after #2.
#2. Use a password manager.
Since there is no way to remember all (or any) of your long, complicated passwords, you need something to do it for you. I'm not going to say not to use paper, but if you do, don't keep it at your desk. Hide it so that if someone visits or breaks in they can't find it. But it's hard to keep updating or adding to a paper list, or to carry it with you to use on your phone.
Instead, use an app like LastPass, Dashlane, 1Password, or KeePass. There are many more options, but these have been around a long time and are well proven. They work through a browser extension or mobile app.
I use both LastPass and Dashlane. LastPass has a free version and it was the first one I ever used. It is reliable and vetted by security experts like Steve Gibson. I go back and forth depending on how well each works on various websites and phone apps. After websites or apps get updated, sometimes one, or both, don’t autofill as well as the other. I started to use Dashlane (hate to say it) because it looked prettier. But it is also well regarded and let’s face it, we buy a lot of things based on looks….
LastPass is free to use and will sync with computers and mobile devices. At only $36 a year (up from $24, new for 2019) for premium features, you get multi-factor authentication with USB keys, a PC app, 1GB of secure online storage, and emergency access to your sites for loved ones if you die. They also have a family plan for $48/yr.
Dashlane has released a new version as I am writing this article. They offer a free version limited to 50 passwords on one device. The full service price has gone up from $40/yr ($20 if you were a returning customer) to $60. But now they offer a Wi-Fi VPN and "dark web" scans for personal information. There's a Premium plan for $120/yr with even more features.
I have 5 months left on my year to see if I will keep paying for it. I expect they will offer a discount when my time to renew comes. I have not been offered a discount yet, so I have not renewed my plan. My PC has kept all of my close to 200 passwords and notes, but I did an export just in case. I created a new free account on my phone with my banking and email accounts as a backup to my LastPass.
Dashlane would be good for people who visit coffee shops and other places where they log onto free Wi-Fi, because you can use the VPN service they provide. Logging onto public Wi-Fi is one of the most dangerous things you can do.
You can also keep other information in these managers, like secure notes, credit card info, passport info if you travel, and more.
No matter what you choose, $24-$50 or so a year is definitely worth your online and financial security. Even if you pay for LastPass just to "say thanks" and help keep them going, $3/mo (up from $2/mo) is nothing. Think of how much you put into other apps, games, coffee....
Don't use the web browser password managers, or the ones bundled with security software (like Norton or McAfee). They have been found to be not secure at all. They have also been found to cause browser / PC issues.
The password for any site or app should be one that you can't remember. Make it 15 or 20+ characters long, with special characters, CAPS, and numbers. The password managers will generate these for you. All you need is to remember the password to the password manager and keep it secure. Make that password a good one too. DON'T make it your kid's or pet's name or birthday.
- Technically, length is the key. Every extra character in a password multiplies the number of guesses an attacker has to make, so each added character adds an order of magnitude of difficulty.
Look at the 2 images below of sample passwords. Notice the last 3 boxes. They give an estimate of how long it would take to "crack" the password in different ways. The second password is 1 character longer; notice how the length of time jumps incredibly.
There is a lot of work being done to try to make good passwords easier for people. So there is a lot of momentum behind the use of phrases or padding (the periods at the end of the passwords above). If you can make a good phrase, or put some padding at the front, middle, and/or end of a password, you can make a "simple" but long password.
I still like the use of special characters. The more complex the long password is the better. But if you do try the phrase or padding, don’t make it the same for every site either.
You may not realize it, but you probably have close to 100 or more passwords! So even if you try a method like phrases, you still can't remember every one you have for every site.
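To show why length matters so much, here is an added example (not from the original post) that generates a random password the way a password manager does and estimates the brute-force work for different lengths. The guess rate is an assumed, constructed figure for a fast offline cracking rig.

```python
# Added example: password-manager-style generation plus a crack-time estimate.
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 characters


def generate_password(length: int) -> str:
    """Uniformly random password with at least one lowercase, uppercase, digit and symbol."""
    if length < 4:
        raise ValueError("length must be at least 4 to fit every character class")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy of a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def average_crack_seconds(length: int, guesses_per_second: float,
                          alphabet_size: int = len(ALPHABET)) -> float:
    """Expected brute-force time: on average half the keyspace must be searched."""
    return alphabet_size ** length / 2 / guesses_per_second


def length_speedup(length_a: int, length_b: int,
                   alphabet_size: int = len(ALPHABET)) -> int:
    """How many times more work a length_b password costs than a length_a one."""
    return alphabet_size ** (length_b - length_a)


if __name__ == "__main__":
    RATE = 1e11  # assumed guesses per second (constructed figure, not a measurement)
    for n in (8, 15, 16, 20):
        years = average_crack_seconds(n, RATE) / (365 * 24 * 3600)
        print(f"{generate_password(n)}  len={n:2d}  {entropy_bits(n):5.1f} bits  ~{years:.3g} years")
    print("one extra character multiplies the work by", length_speedup(15, 16))
```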
#3. Lie on the security questions websites have you answer when you first create an account. If someone knows you or can read your Facebook page, they can probably answer the common questions you answer. What is your mother's maiden name? Where did you go to high school? What was your high school mascot? All probably on Facebook. So lie on your security questions. Pick a question and put in the opposite as the answer, type in something totally unrelated, or create another random password or a short phrase. Keep this info in your password manager with the password. All password managers let you put notes in each password you create, or have a separate secured notes section.
#4. Use Two Factor Authentication. You may use this one to some extent already. Google and Facebook have both suggested you use it at one time or another when you logged in.
The most common method is sending a text message to your phone, or having you enter a special PIN generated by an app, when those sites are accessed by a device that has not logged in before (or every time, if you like). For example, you usually log in on your home computer. When you try to log in on your work computer, you will be prompted to enter a code from a text or app, or you won't be able to log in! It's that simple. This uses the idea that your phone is something physical that only the account owner will have. So if someone from a different state or country got your login info from a hack or bought it on a shady website, they would not be able to log on to your account without the text message or PIN from the app. Plus, when you get that text or an email from the company asking "was this you?", you know that someone tried to log in to your account.
P.S. you should password protect your phone too.
Google and Facebook both offer this service that can be used on many other sites. I use Google Authenticator as much as possible – because I still don’t trust Facebook.
LastPass offers an authenticator feature in their app also, if you want to keep things together and get more value for your password manager.
Every bank and credit card company should offer some form of this now, so if you don’t have it set up on at least those sites, do it now.
#5. Two Factor Authentication with a USB key. This is an extra step of two factor authentication that adds another physical component: a USB key you get from the company that needs to be plugged into the computer you are using. It also generates a security code the site has to verify before you would be able to log in. Only a couple of companies or services offer this option, and it would be reserved for the most sensitive information and the most security-conscious user. LastPass offers this, as does a company called YubiKey. As I'm writing this, it was announced that Google will be offering this service soon.
OK. Here it is, the ultimate suggestion for adding security to your online logins....
Use a unique and complicated user name for each site – NOT YOUR EMAIL!
(At least for the real important sites). Most notably I’m talking about your banking and credit card sites. Most people use their email address as their log in to most sites.
STOP DOING THIS NOW!
Many sites allow you to sign in with a user name / nickname that is not an email address. Your email address is everywhere. If a site like Yahoo gets hacked (again, and again), the hacker will get a list of email addresses, and they can use them as user names on the most popular bank and credit card sites. So if you use your email address to log in to these sites, that gets the hacker in the front door. Most bank and credit card sites now have you enter your user name and password on different pages to make it harder for hackers to access your account. If they don't have a valid user name, they are stopped at the front door. If your login is something like kz9vuM1G, then the hacker will not even get a chance to try any passwords.
I started doing this when I realized one of my credit card logins was being attacked. I kept getting notices that the account was locked for too many failed attempts. After 2 or 3 notices I realized that someone had my email address that I used as the login. It was not random. Changing the password was fine (you get annoyed after the 3rd time), but they kept trying because they had a valid user login. So I realized I had to make it so they could not even try. I have not had a problem with that site or any other since I started this practice. Now it is time to share it with the world.
STOP USING YAHOO EMAIL! Yahoo has proven that they do not give a shit about you, their customers, or your security or privacy. They have been hacked several times in the past couple of years AND NOT TOLD ANYONE ABOUT IT!
Start changing all of your contact or login email to Google or Microsoft.
If you use your internet service email (Comcast for example) and leave them, then you may lose that email too. So use another trusted permanent email.
Use a different web browser for your banking/ credit card sites than Facebook/ general browsing.
Most people have multiple browsers on their computers. Most people use Chrome, and IE, Edge, or Safari comes with the computer. Firefox is also very common. Choose one you don't really use, and start using it for either banking or Facebook. This helps prevent any easy browser trojan from seeing your history and cookies. It can also help (a little) to stop sites like Facebook from "following" you around the internet. But honestly, just having FB on your PC or phone is like an infection.
Use credit cards that allow “virtual” card numbers. You can give a different card number to every site you visit. Walmart, Target, Match.com can all have a different card number. This way when one gets hacked your real card number is not at risk.
You can set up these cards to be one-time use, or put a spending limit on them too!
Citi, Capital One, and Bank of America are three big companies that offer virtual credit card numbers.
Get an email just for online banking / shopping. You can have as many Google email addresses as you want. So make one just for the important things.
Set up alerts on your bank and credit cards. All banks and credit card companies will send alerts for purchases.
Don't use YourName@....com for email addresses. Using your name as an email address is just giving the bad guys a step in your front door. They can target you much more easily for phishing and other email scams if they really know your name.
Don’t store your credit card number on shopping sites. It may be convenient, but if someone does get onto your account (really should not happen if you follow the advice in this post) it’s just like they took the card out of your pocket. Or if the site is hacked, your card could be used or sold on “the dark web”.
Online shopping is safe! It is probably safer than giving your card to a waitress who takes the card into the back to charge it. The problems are with the banks or companies getting hacked and the information getting stolen FROM THEM, not the transaction you are making.
The other problem is people having easy passwords to guess or using the same password everywhere.
#1. Treat mobile (phone) apps the same as websites. Use the same logon and password tips.
#2. Watch what you link to your apps. Facebook is the best example of this. You may have linked or signed into some apps/ websites with Facebook, so these apps can “see” your posts as well as your personal information of your FB account.
Maybe you did not give app X your birth date, but you have it on FB, so now that app does know your birthday.
The problem with this is that they can then sell some important info about you to an advertiser, or if they get hacked – your birthday is out there and you may never know it because you think you did not give them any important information.
Facebook, and now many other apps/websites, will let you see and edit what info they share, or let you unlink apps you don't use anymore or want to stop using for any reason. Check Facebook's and other companies' settings for this and unlink any app you don't use anymore or have worries about.
#3. Watch what apps you install. Most apps on the Google and Apple stores are "safe", but don't install an app that has very few downloads or very few good reviews. Make sure you get the app you are looking for. Make sure you are getting Chase Bank, not Chase Bonk. OK, bad example.
#4. Make sure you use your mobile data or a VPN when connecting to your bank/credit card apps. DON'T USE FREE WIFI from anywhere. Hotels and coffee shops are famous for people getting their information stolen by connecting to these Wi-Fi spots. And you can never know what your work's or Walmart's Wi-Fi will let them see.