It’s something that’s been pounded into our heads for years, but it’s hard to take heed of advice when it makes your life so burdensome. So how exactly do you keep your online life as secure as possible without going nuts?
Well, in the last year or so, I’ve really beefed up my online security, but not at the expense of convenience. So here’s how I did it. This is by no means the bible on online security, but it’s an excellent start. You may not want to do everything here, but even if you do some of it, you’ll be making headway towards better keeping your data secure.
Passwords, passwords, passwords
Passwords are generally a bad means of securing anything, because you’re trying to create something random and complex that your brain can remember, but that is strong enough to prevent ever-more-powerful computers to crack. It’s a battle that we will eventually lose, but for now, they need to be managed.
I have been using 1Password since the beginning of the year to start creating strong passwords and to manage them on my behalf. Here’s how it works: 1Password generates long, strong passwords for you and encrypts the passwords in a vault. That vault is “locked” by a master password which you must remember. Until you enter that password, the data is encrypted and thus, secure, but when you open your vault with your password, you have immediate access to all of your passwords.
With all of the products that 1Password offers, managing and using your passwords couldn’t be simpler. From their Windows and Mac apps, to browser extensions and mobile apps, your passwords are always in sync and never more than a click away. You can also tweak the preferences to suit your needs: for example, on my computer I let the app leave the vault unlocked if there isn’t a period of inactivity on my machine, meaning that I can open my vault at the start of the day and continue to automatically fill out passwords all day long with nothing more than a single click of the browser extension. Simple!
I also use tools within 1Password to make sure that passwords are all unique, extremely long (if you’re not having to type them out or remember them, why not use a 50 character password?) and using the full range of characters available.
I will note that your master password must be strong. After all, it protects all of your other passwords, so they’re only going to be as strong as your master password. Just consider that it’s going to be the only password that you need to remember ever again, so make it a good one.
Two-factor authentication
You’ve probably heard this term recently, but might be mystified by what it actually is, so let me break it down for you.
Your password is one factor in your authentication workflow. Usually, it’s the only one needed to access all of your data. Your password can be considered something that you know. Once you know it, there’s nothing to stop you from accessing your accounts.
The idea behind two-factor authentication is to add another layer of security by requiring not just something you know (your password), but also something that you have. Typically, this takes the form of your mobile phone.
Dedicated authentication apps employ a variety of ways to ensure that your phone is in your possession before allowing you to log in to your account. Usually, this is done by asking you to enter a code that is displayed on your phone, which changes every 20 to 30 seconds. Other methods include pushing a message to your phone and asking you to verify that you want to log in.
Most banks and larger websites such as Facebook, Twitter, wordpress.com and GMail now allow two-factor authentication on your account, making it easier to make access to these sites much more secure. These sites are probably the ones that you want to secure the most (your email, social networks and financial information), but you can expect more and more websites to start enabling two-factor authentication over time (see this good list of sites that currently offer two-factor authentication).
I use Authy to manage my authentication tokens, which makes it easy to quickly find and enter my code.
You can also enable two-factor authentication on your own WordPress site with a variety of plugins. To do it in the traditional, access code way, install Google Authenticator, however, you can make life even easier by using Clef (which confirms access by scanning a special barcode on your computer screen with your phone’s camera) or Duo (which sends a push notification to your phone, asking you to confirm your access attempt with a single click).
The bare minimum
Even if you don’t do any of the above, and you want to keep using simple, recycled passwords, I implore you to make sure that you at least do the following:
Get strong passwords for your email accounts and social networks.
You’ve probably experienced forgetting your password before and gone through the process of clicking on the Forgotten Password link, had a “password reset email” sent to yourself and changed your password.
Think about that process for a minute and put yourself in the shoes of someone trying to access your account. You, like them, don’t know the login details to your account, however, you can send an email to your inbox and reset your password to anything you want. As such, the only thing you need to have is the login information to your email account. From there, you can pretty much change any password you want and access any website you have an account on.
For that reason, your email password must be your strongest password. It is the one point of weakness that can open up a whole mess of security issues for you.
For the same reason, logins to accounts that can provide access to other sites (think of how you can log in to a variety of websites with your Facebook account) need to be very secure. These are typically your social networks, like Facebook, Google, Twitter et al.
If you do nothing else, ensure that email and social networks are strongly protected.