A Beginners Guide to Personal Online Security

Matt
8 min read · Aug 26, 2021

You probably know someone who has had an online account hacked.

Recent troubling conversations with members of my family made me realize their online accounts are vulnerable. They created their accounts long ago, using the same easy-to-remember password for each. If a website required additional password complexity they’d append ! or 123! to that password. They naively think their online accounts are safe.

It makes sense. Modern online security is complex and overwhelming for most people. Many do not even know why they should care — until it is too late.

I tried to find a simple guide to help my family improve their personal online security, but everything I found was too complex. In this post I simplify the complex. I explain why something is important and tell you how to address it. I wrote this for them, but I also hope it can help you or someone you know.

Like a fortified medieval castle, online security grows stronger when you add layers of protection.

Security Layer 1: Use Strong Passwords

Most websites require you to provide a password when you create an account. While the website should protect your password, data breaches, whether caused by poorly written code or by malicious attacks, are increasingly common. If you use a weak password (a short or easy-to-guess one) or if you reuse passwords on multiple sites, then your online accounts are vulnerable.

Julie uses password “Rover1!” for all of her online accounts, including her favorite pet store. One day that online pet store has a data breach. The data, which includes her email address and password, is sold online to BadBob. BadBob tries to use the same email address and password to log in to social networking sites and online banks. Since Julie uses one of those banks, and since she always used the same password, BadBob is able to log in to her online bank account.

You can use haveibeenpwned.com to check if your email or phone number have already been leaked in a data breach.

Password Managers Are No Longer Optional

Password Managers are a simple and effective solution to weak and reused passwords. They allow you to create and store unique and strong passwords for every online account. Well known Password Managers include LastPass, 1Password, and Bitwarden. Some are free and some cost a few dollars a month.

LastPass vault stores your account usernames and passwords.

Password Managers require you to remember a single password that you use to lock and unlock your password vault. This password should be hard to guess and easy to remember, such as purpleFoxswimsFor$7tacos.

Secure Your Email Account

Personal online security is based on the assumption that your email account is secure. Most websites allow anyone to click “Forgot Password” and provide an email address. This sends a reset-password email with a unique link to set a new password. If your email account is compromised and someone can read your email then you are vulnerable.

Joe used a weak password for his email account. BadBob was able to guess that password and log in to his email. BadBob searches through Joe’s inbox and discovers that Joe has an online bank account. BadBob visits the bank’s website, clicks the “Forgot Password” link, and enters Joe’s email address. A reset-password email is sent to Joe’s email inbox. BadBob clicks the link in that reset-password email and creates a new password for Joe’s bank account. BadBob uses the new password to log in and access Joe’s bank account.

Fortunately it is easy to secure your email account by using a unique, complex password generated by a Password Manager.

Email providers, such as Google Gmail, have additional security features that help keep your email account safe. I use Gmail because it is very secure and has excellent spam filtering.

Security Layer 2: Use Two-Factor Authentication

A website has a login page so you can prove your identity. It assumes that if you know your username and password then it must be you and not someone else. This assumption fails when other people know your username and password.

Two-Factor Authentication, or 2FA, provides an additional layer of security by requiring you to prove something you know and to prove something you have. For example, I know the password and I have access to the email inbox, or I know the password and I have the phone that receives an SMS code.

Many websites offer 2FA login, but usually it is not enabled by default. You should enable 2FA for every website that you use. It is a minor inconvenience to add an additional step during your log in, but it provides significantly better security for your account.

There are four main types of 2FA:

  • SMS Text
  • Email
  • Soft Token (Google Authenticator, Authy, etc.)
  • Hard Token (YubiKey)

Many websites will send a temporary login code to your email or mobile phone every time you log in. Email and SMS are better than having no 2FA, but they are less secure than the token-based options.

Authentication Apps (Google Authenticator, Authy, etc.)

If the website allows you to use an “Authentication App” to improve security, they are referring to soft-token 2FA. I recommend using Authy since it runs on multiple devices (such as mobile and desktop) and it allows you to transfer your tokens to your new mobile phone when you upgrade.

Here is an example of enabling an “Authentication App” on Twitter. The process will be similar on other sites.

Navigate to Settings → Security and account access → Two-factor authentication

Step 1: Enable Authentication App

Open your Authentication App and “Add” a new account. Scan the QR code and follow directions.

Step 2: Open your Authenticator App and scan the QR code

Once enabled, the next time you log in you will be prompted to enter a six-digit code.

Step 3: During next login, Twitter will prompt for authentication code

The six-digit code will be in the Authentication App. It changes every 30 seconds.

Step 4: Enter the 6-digit code when prompted during log in
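As an added illustration (not part of the original post, and not any app's or site's real code), here is the arithmetic behind that six-digit code: the app and the website share the secret encoded in the QR code, and both compute HMAC-SHA1 over the number of 30-second slots elapsed since 1970 (RFC 6238). The secret below is the published RFC 6238/4226 test secret, not a real account secret, and the server-side check with a drift window and replay guard is my own assumption about how a site should validate the code.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP = 30      # seconds per time slot, as described above
DIGITS = 6     # length of the displayed code

# Shared secret as it appears in the QR code (base32). This is the published
# RFC 6238 / RFC 4226 test secret ("12345678901234567890"), NOT a real account secret.
RFC6238_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte picks the slice
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret_b32: str, at_time: Optional[int] = None) -> str:
    """RFC 6238: the counter is the number of 30-second slots since the Unix epoch."""
    secret = base64.b32decode(secret_b32.upper())
    if at_time is None:
        at_time = int(time.time())
    return hotp(secret, at_time // STEP)

def verify_totp(secret_b32: str, submitted: str, at_time: int,
                last_accepted: int = -1, window: int = 1) -> Optional[int]:
    """Illustrative server-side check (an assumption, not any site's real code):
    accept a code from the current slot or +/- `window` neighbouring slots to
    tolerate clock drift, compare in constant time, and refuse any slot that is
    not newer than `last_accepted` so a code captured once cannot be replayed.
    Returns the matched slot number, or None."""
    secret = base64.b32decode(secret_b32.upper())
    current = at_time // STEP
    for slot in range(current - window, current + window + 1):
        if slot < 0 or slot <= last_accepted:
            continue
        if hmac.compare_digest(hotp(secret, slot).encode(), submitted.encode()):
            return slot
    return None

if __name__ == "__main__":
    # Both sides derive the same code from the same secret and the same clock.
    now = int(time.time())
    code = totp(RFC6238_TEST_SECRET_B32, now)
    print("app shows:", code, "-> server accepts slot", verify_totp(RFC6238_TEST_SECRET_B32, code, now))
```

Because the code depends only on the secret and the clock, a stolen password alone is useless without the device holding the secret, and a code that was already accepted is rejected if someone tries to reuse it.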

Google Voice

Some websites only give you the option to use SMS text-based 2FA. SMS was never designed for security, and unfortunately your mobile phone number is vulnerable to SIM hijacking. The simplest solution, especially if you already have a Gmail account, is to use Google’s free Google Voice service. Google gives you a phone number and you can use their app or website to receive all SMS-based 2FA codes.

Google Voice can be used for all of your SMS-based verification codes

Hard Token 2FA (YubiKey)

Hard Tokens are the most secure version of 2FA. I will write about them in a future blog post.

Security Layer 3: Be Smart Online

Here are a few best practices to improve your online security:

  1. Never click a link in an email. If you receive an email alert from your bank, social media, or any other site — do not click the link. Instead, type the URL in your browser and navigate to the site’s messages/alerts page. The only exception to this rule is if you just created an account or reset your password — the link in the email should be clicked since it contains a unique code in the URL. Never click “unsubscribe” links — create an email filter rule instead. If you must click a link, right-click and “Open link in incognito mode.”
  2. Log out when you are done visiting a website. For additional security, you can log in to sensitive sites using “incognito mode”.
  3. Reduce the amount of personal information you post on Social Media — especially facts that are used as “password security questions” for other websites. For example, threads on social media asking you to post your first car, best friend in high school, or name of your first pet are created to gather information that can be used to gain access to your other online accounts.
  4. “Password security questions” are insecure and websites should stop using them. Until then, you can protect yourself by using your Password Manager to generate unique, random-character “answers” to these questions. Be sure to store these “answers” securely in your Password Manager (I use the “Notes” section in LastPass for this).
  5. Delete unused accounts. If you no longer use a website then delete your account. If you cannot find a way to do it through “Account Settings” then you can email support and request that your account be deleted.
  6. Keep your browser up to date. Security vulnerabilities are constantly being fixed. If an update is available, spend two minutes and upgrade.

What do I do?

This is a simplified version of how I secure my online accounts. It works great for me, and I hope it can be useful to you.

I use LastPass for my password manager. All of my online accounts have strong, unique passwords. My LastPass password is the only password that I have to remember, and I use Authy 2FA for additional security. I pay for the LastPass Family Plan, which includes “Dark web monitoring” that notifies me when any of my accounts’ credentials are compromised.

I use Google Gmail for my email. My Google Account has a complex password stored in LastPass.

I use Google Voice for my SMS text verification. Google Voice is also protected by my Google Account. I use my Google Voice phone number for all of my online accounts, even if not required for 2FA.

I use Authy for 2FA for sites that support “Authentication Apps”. My Authy “backup password” is complex and stored in LastPass.

A simplified version of my personal authentication configuration

Call to Action

The best time to address your personal online security is now. Start small — pick a Password Manager and create an account. Every time you log in to a website, change the password and store it in your Password Manager. Enable 2FA for each of these accounts. Make this routine. A small effort will go a long way to improve your security posture, and you’ll be far less likely to become a victim.
