This is an introductory guide to digital security for the family and friends who've asked what a password manager is.
How do you protect yourself online without having to remember a million impossible passwords? This is an (actually) easy-to-implement guide: the digital equivalent of locking your house when you leave. Implementing these steps won’t make you hack-proof (just as locking your house won’t make it burglar-proof), but it will make you much safer online, and it won’t make your digital life any harder than carrying keys makes your day-to-day life.
If you're convinced that this is too much work, start with one item at a time. If you're really insistent on not reading the whole list, start with the first 5.
- Set passwords on all your devices (laptops, phones, tablets, routers, etc.). For any devices which still have default passwords enabled, change them (think about your wifi router, a home camera system like Amazon’s Blink, or a smart TV). Don't reuse your passwords.
- Buy a password manager. Password managers let you create one ‘master password’ and then securely store (and generate) a strong, unique password for each account. They give you the security of having separate passwords for every account, but the convenience of only having to remember one. I love 1Password ($3/month) as it has an app and a browser extension (therefore it can autofill your passwords for you across apps and devices), but KeePass is a secure free option. Password managers also allow you to securely store all kinds of information such as insurance numbers, bank account data, etc. Think of it as the digital equivalent of having a fireproof box with all your important documents (sorry mom, I still don’t have one. I have a password manager though!). Setting it up the first time (and putting all your accounts and passwords into it) is a giant pain. So go do it now. Seriously, I’ll wait.
- Go back and do step 2. At least put your bank and credit card accounts, email accounts, and social media into your new password manager. Spend 5 minutes a day adding new accounts to your password manager. Over time, it will save you a significant amount of time and stress. Why? When passwords are leaked in a breach, hackers often use something called ‘credential stuffing’: they take the leaked email-and-password pairs and feed them into an automated tool that tries the same login on as many other sites as possible. If all your accounts share one password, either those accounts get breached too, or you have to change ALL of your passwords every time you hear about a new breach. Skip the stress and get a password manager (also, set up (free!) alerts here so you know when your account data has been leaked).
- Update EVERYTHING. Don’t click postpone or ignore on those pop-up update prompts. Software updates are most often released in response to reported security vulnerabilities, so leaving your devices unpatched leaves them open to attacks on bugs that are already public and already fixed.
- Back up your data regularly in case you are infected with malware. You can use iCloud (but make sure you've used a secure password!), another cloud service, or a physical hard drive (I use this one).
- Use antivirus (and update it regularly). It's not perfect, but it's better than nothing and is typically a good idea for the average user. I use Malwarebytes on my MacBook.
- Limit the number of internet-connected devices you have. Think before purchasing devices with internet connectivity. Is an internet-connected kettle worth the potential security vulnerabilities? (Spoiler alert: it usually isn’t.) Internet of Things devices are rarely updated and generally aren’t designed with security in mind. That means they’re often riddled with vulnerabilities and, if they’re on your home wifi network, can give hackers an easy way in. Often (but not always), more expensive devices will do a better job of protecting your security.
- Regularly review your social media privacy settings - you might be surprised at how much information is being shared. When creating new social media accounts or posts, think before you post. The more information hackers have on you, the easier their job is. Try to avoid posting too much personal information on your social media pages, and avoid posting things like pictures of your credit card or boarding pass. For SWers and folks who rely on social media as an income stream, wipe the metadata from your photos and videos before posting (metadata can include specific location and device information which can be accessed by anyone viewing the photo/video).
- Avoid connecting to free wifi hotspots. Free wifi hotspots are often targeted by hackers and can put you at risk of MitM attacks (Man in the Middle Attacks, where a hacker spies on your internet traffic, and may even modify it without you knowing). If you can’t avoid connecting to these hotspots, buy a VPN service.
- Buy a VPN service. A VPN (virtual private network) provides online privacy and anonymity by encrypting your traffic between your device and the VPN provider’s server, so nobody on the wifi network you’re using can read it. This can protect you even when you connect to public wifi hotspots. I use NordVPN (~$3/month), which you can install on multiple devices, enable automatic connection (so as soon as you connect to the internet you are automatically connected to the VPN), and select which country you want your traffic to come from. The Tor Browser is a free option; however, it is less convenient and can slow down your connection speed.
- Enable Multi-Factor Authentication (MFA, or 2FA for 2-factor authentication) on your primary email account. This means that even if someone has your password, they can’t get into your account without the second factor. Multi-factor authentication requires that you have two things to log in: something you know (your password) and something you have (a code from an SMS, a code from an app like Google Authenticator, or a hardware key like YubiKey). A hardware key is best, followed by an app, followed by SMS (which is still better than nothing). If you’re feeling really motivated, also do so on your other accounts, but at least do so on your most important accounts. For a full list of websites which support 2FA, check here.
- Use an end-to-end encrypted chat application. End-to-end encryption means that your message is encrypted on your device, and that no one can read or change it in transit (not your internet service provider (ISP), hackers, etc.). In order for someone to read this type of message, generally a hacker would have to have access to your device already. iMessage, WhatsApp, Wickr, and Signal are all free options, and Facebook Messenger is secure if you choose the ‘secret’ option when starting a chat. Personally, I highly recommend Signal, as it’s open-source, free, and not owned by any major tech companies.
- Check out MySudo and Privacy. MySudo provides phone numbers via an app with plans starting at $0.99/month. These are really great for using on dating apps, food delivery apps, or any other time when you may not want to give out your personal number (because your personal phone number is being used as a password reset option or as a form of multifactor authentication). They also provide virtual debit cards (though Privacy offers better virtual card options for free). Think of this as the online version of paying with pre-paid Visa cards. You can have a unique debit card number for every single purchase online so you don't have to worry the next time a vendor gets breached and credit card details are stolen.
- Set up (free) alerts with Have I Been Pwned (HIBP). This lets you input your email address and sign up to be contacted every time it is included in a data breach. Not every data breach makes it to HIBP, but a pretty large number do, and this is a great way to stay on top of that. Whenever your information is included in a breach, you can then proactively change the login or payment information that was leaked and (ideally) prevent any further damage.
- Finally, be careful online. Be wary of clicking links from unknown senders (in strange social media requests, texts, or emails), avoid running programs like Adobe Flash (which is notoriously insecure), and avoid websites which might give you malware (adult video streaming sites are often loaded with malicious content, as are free streaming or download sites). If you need to access the link in an email (such as an alert from your bank or social media accounts), navigate to the app or website directly, rather than clicking the link in the email.
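The HIBP item above covers breach alerts for an email address; the same service also lets you check whether a password has appeared in a breach without sending it the password. This added example (not from the original guide or HIBP’s own code) shows that k-anonymity lookup: only the first 5 characters of the SHA-1 hash are sent, and the match is done locally. The sample response text is constructed here; the endpoint and the `Add-Padding` header are the real ones.

```python
import hashlib
import urllib.request

# Constructed sample of a Pwned Passwords "range" response for prefix 5BAA6:
# one "<35-char SHA-1 suffix>:<count>" line per leaked hash. The counts are
# made up; the first suffix is the real tail of SHA-1("password").
SAMPLE_RANGE_RESPONSE = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    "1E4F2A1A7C34B9B0F0A2D0C5E7F8A9B0C1D:2\r\n"
    + "1F" + "0" * 32 + "A:15\r\n"
)


def split_sha1(password: str) -> tuple:
    """Hash the password and split it into the 5-char prefix that goes to
    HIBP and the 35-char suffix that never leaves this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict:
    """Turn the range response into {suffix: breach_count}; padded responses
    include count-0 filler lines, which parse the same way."""
    counts = {}
    for line in body.splitlines():
        if ":" in line:
            suffix, count = line.strip().split(":", 1)
            counts[suffix] = int(count)
    return counts


def pwned_count(password: str, range_body: str) -> int:
    """How many times the password appears in the leaked corpus (0 = not seen)."""
    _, suffix = split_sha1(password)
    return parse_range(range_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live lookup (needs network). HIBP only ever sees the 5-char prefix."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    prefix, _ = split_sha1("password")
    print(prefix, "seen", pwned_count("password", SAMPLE_RANGE_RESPONSE), "times")
```

To run it against the live service, replace `SAMPLE_RANGE_RESPONSE` with `fetch_range(prefix)`.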
At the end of the day, don’t overthink it.
Want to learn more?
- What to do if your information was included in a data breach
- The Motherboard Guide to Not Getting Hacked
- The WIRED Guide to Digital Security