Boy, it didn’t take long for the first XP security threat to be released after the end of Microsoft’s support for it. But even without the XP anchor tied to many a person and business, the issue of security was already there and will always be there, as long as people can profit from causing havoc, stealing information and using your identity. So what is a person to do when even websites we expect to be able to trust can be vulnerable to security issues? I mean, we have all stopped using our children’s birthdates as our passwords, no longer write them down on the bottom of our mouse pads, and for sure have stopped putting them on sticky notes on the side of our monitors. How can we be expected to do enough to protect ourselves and our data when doing anything seems so hard in the first place?
I am not sure who I first heard say the following, but I am going to give credit to Charlie Waters for the most recent incarnation: “Security is about being secure, not simple.” But are all of the best security steps we can take hard? I would say not as hard as the steps we have to take when we “think” our email has been broken into, or worse, when we actually lose control of our identity and someone ends up having a nice holiday in Tahiti on a credit card we didn’t even know we had. But not as easy as continuing to do those things we know are unsafe. Like texting while driving, eating too many french fries, not working out enough, and jaywalking in New Orleans (trust me, that is one city you don’t want to do that in), until we have a close call or a real call due to our bad choices most of us won’t do what is needed.
But in case you are interested in what you could do to better protect yourself, I submit the following three easy steps. I am not going down the Clark Howard “lock down your credit report” path, since you can get that advice from him. Since I am an IT geek at heart I am going to stick to what I know best.
USE BETTER PASSWORDS!!!!
There, I said it: we are all still not using passwords that are secure enough. At the least, every password should have upper and lower case letters, numbers and special characters in it, and it should be long; length does more to defeat guessing than any other single property. Taking this first step greatly expands the number of possible passwords and therefore reduces the chance they might be guessed. If you feel you have to use words to help you remember the password, consider a character replacement for the word, where all I’s are 1’s and maybe e’s are 3’s. One caution, though: password-cracking tools apply exactly those substitution rules automatically, so “P@55w0rd” falls almost as fast as “password” once the word underneath it is in the cracker’s dictionary. Several unrelated words strung together into a long passphrase hold up far better than one mangled word. If a site doesn’t allow that level of complexity, consider how much you need the site/service and what it will be storing for/about you before you sign up.
I would also suggest that any site that stores personal or financial information (banks, eBay, credit card sites, etc.) should have its own unique password. This takes security a step further: if one site is compromised, whether you lose your password or the site loses its password database, the attacker gets only that one account. You should also avoid cycling 3-4 passwords around. Many sites won’t let you reuse a password, and to enforce that they keep hashes of your past passwords alongside the current one. So each time you put a “new” one from your rotation into the site, that site now holds one more of the passwords you are using elsewhere, and a breach there can expose all of them.
So what do you do if you believe in this way of protecting yourself but, like me, lack an eidetic memory (shout out to The Big Bang Theory)? I would suggest you consider a password vault. There are a number of them out there and I want to avoid suggesting one in particular, because even these aren’t 100% foolproof, but combined with good password habits they can raise your security and even simplify how you respond to exposures. At a base level the programs can be installed on your computer and/or smartphone. They should keep your site passwords in an encrypted database (they should tell you this in the marketing information on their site). The database is protected by a master password, which you should use only for this program and which needs to be at least as complex as any password you would set up on a site, since it is the one key to all the others. The software does not store this password for you, so you need to make sure you remember it. If needed, write it down on paper and store it someplace safe (safety deposit box, safe at home). Then you store all of your other passwords inside this program. They will normally provide a password generation tool that produces passwords meeting criteria you set up (see above), so you don’t have to do that part. Some of them will even review the passwords you already have on sites, show you where you are using weak or reused ones, and help you clean them up.
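To make the password advice above concrete, here is an added Python example that is not from the original post. It generates passwords that meet all four character classes using the operating system’s random source (the part a vault’s generator does for you), and it shows why leet-style substitutions buy little: it undoes them the same way a cracking rule would and checks the result against a small wordlist. The wordlist is constructed for the demo; a real cracking dictionary holds millions of entries.

```python
import secrets
import string

# The four character classes the post asks for.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SPECIALS = "!@#$%^&*()-_=+[]{};:,.?/"
ALPHABET = UPPER + LOWER + DIGITS + SPECIALS

# Constructed toy wordlist for the demo; a real cracking dictionary holds millions of entries.
WORDLIST = {"password", "summer", "welcome", "letmein", "football", "monkey", "dragon", "princess"}

# The "1 for i, 3 for e" substitutions, reversed. Cracking tools ship rule files that
# apply exactly these reversals (and digit/punctuation stripping) to every dictionary word.
UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def has_all_classes(pw: str) -> bool:
    """True when the password contains at least one character from each class."""
    return (any(c in UPPER for c in pw) and any(c in LOWER for c in pw)
            and any(c in DIGITS for c in pw) and any(c in SPECIALS for c in pw))


def generate_password(length: int = 20) -> str:
    """Generate a random password with all four classes, using the OS CSPRNG (secrets, not random)."""
    if length < 4:
        raise ValueError("need at least 4 characters to hold one of each class")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(pw):
            return pw


def normalize(pw: str) -> str:
    """Undo what a typical mangling rule does: lowercase, drop trailing digits/punctuation, reverse leet."""
    return pw.lower().rstrip(DIGITS + SPECIALS).translate(UNLEET)


def is_dictionary_based(pw: str, wordlist=WORDLIST) -> bool:
    """True when the password is just a wordlist entry dressed up with substitutions."""
    return normalize(pw) in wordlist


def assess(pw: str) -> list:
    """Return the list of problems found; an empty list means the password passed every check."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    if not has_all_classes(pw):
        problems.append("missing a character class")
    if is_dictionary_based(pw):
        problems.append("a dictionary word with leet substitutions")
    return problems


if __name__ == "__main__":
    # "P@55w0rd!" has every character class and still fails, because it is "password" underneath.
    for candidate in ("P@55w0rd!", "Summ3r2014!", generate_password()):
        print(f"{candidate!r}: {assess(candidate) or 'ok'}")
```

The point of `normalize` is that a substituted word costs the attacker one extra rule, not an extra search space; the generated password fails every lookup because there is no word underneath it.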
One last consideration: if any of your sites let you use a token, a text message, or a phone call to log in, consider setting that up also. Each of these is a form of two factor authentication, or “what you know and what you have”. You enter your password, and that is the “what you know” part, which can be guessed or stolen. Then the system requires a second input from something that covers the “what you have”, which makes getting into your account harder because an attacker who has your password still needs that second piece. A token or an authenticator app on your phone is the stronger choice; a code delivered by text or call rides on your phone number, which is easier for an attacker to redirect than a device in your hand. Not many sites offer it, and that is why password vaults are a pretty close second. Some of the password vault programs I have used provide this extra layer of security also.
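The “token” form of the second factor is usually a time-based one-time password (TOTP, RFC 6238): at enrollment the site and your phone share a random secret, and from then on both derive the same six-digit code from that secret and the current 30-second window, so the code proves you hold the device without the secret ever being typed. This is an added Python example of both sides, not code from the original post. The 20-byte key and timestamps used in the test are the ones published in RFC 6238, so the codes can be checked against the RFC’s own table.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def enroll() -> tuple:
    """Site side: create a fresh 160-bit secret. The base32 form is what the QR code carries to the phone."""
    key = secrets.token_bytes(20)
    return key, base64.b32encode(key).decode("ascii")


def from_seed(seed: str) -> bytes:
    """Phone side: recover the raw key from the base32 seed it scanned."""
    return base64.b32decode(seed)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the number of `step`-second windows since the Unix epoch."""
    return hotp(key, at // step, digits)


def verify(key: bytes, candidate: str, at: int, window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Site side: accept the current window plus `window` neighbours on each side to absorb clock drift.
    Each comparison is constant-time so a wrong guess leaks nothing about which digits matched."""
    counter = at // step
    return any(hmac.compare_digest(hotp(key, counter + d, digits), candidate)
               for d in range(-window, window + 1) if counter + d >= 0)


if __name__ == "__main__":
    key, seed = enroll()
    print("scan this into your authenticator app:", seed)
    now = int(time.time())
    code = totp(from_seed(seed), now)          # what the phone displays
    print("code:", code, "accepted:", verify(key, code, now))
```

Two design points worth noticing: the site stores the shared secret, so a breach of the site exposes it (which is why the secret must be per-user and random), and the drift window is a deliberate trade: one window each side tolerates a phone clock up to about 30 seconds off, while a larger window gives an attacker more codes to guess against.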
Stop opening emails and Facebook links to contests, freebies and unsolicited things (even when sent by someone you think you trust)
When I get an email from my sister telling me that “I too can look sexy with my shirt off”, my first thought isn’t about how well my sister knows me but how someone got access to her email, AGAIN. When UPS sends me an update on a package I wasn’t tracking, I don’t automatically go see what might be heading my way; I go back to the vendors I had purchased from and track from there. Lastly, I know Facebook has a lot of people working there from other countries, but I am pretty sure if they are asking me to go and reset my password it won’t be in broken English.
So the first thing you have to do is be skeptical of everything. Sorry to say, but even things from my mother get the “is this real?” treatment before I open or click on them. When in doubt I send the person a new message (not a reply, since a reply goes back to whatever address the suspicious mail came from) and ask if they really sent it and what it is about. This is also one of the reasons why, when I am asking someone to do something for me via email, I try to be as clear in my request as I can, to help the other person know the message is really from me.
I also have never heard of anyone who got $5,000 from Bill Gates for liking his post on Facebook, nor have I heard of anyone being harmed by it, but you never know. I will forgo my chances and stay away from helping propagate something that might be harmful, and so should you.
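The UPS and Facebook examples above share one tell: the link or the sender address does not belong to the company the message claims to be from. Here is an added Python example (not from the original post) that pulls every link out of an HTML email body and flags two things: link text that shows one address while the href goes somewhere else, and any link or sender address outside the domain the message claims to be from. The sample message is constructed for the demo, and the registrable-domain helper is a deliberate simplification (last two labels) that a real tool would replace with the public suffix list.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Link text that a reader would take for an address.
URL_LIKE = re.compile(r"^(https?://|www\.)", re.IGNORECASE)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Hostname of a URL, lowercased; bare 'www.example.com/path' text gets a scheme so urlparse sees a host."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable(host: str) -> str:
    """Simplified to the last two labels (ups.com from www.ups.com). Demo assumption; use the public suffix list in practice."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def audit_links(html: str, claimed_domain: str) -> list:
    """Return a finding per suspicious link; an empty list means every link stayed within the claimed domain."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        if URL_LIKE.match(text):
            shown = host_of(text)
            if registrable(shown) != registrable(target):
                findings.append(f"link text shows {shown} but the link goes to {target}")
        if registrable(target) != registrable(claimed_domain):
            findings.append(f"link to {target} is outside {claimed_domain}")
    return findings


def sender_mismatch(from_header: str, claimed_domain: str) -> bool:
    """True when the display name's brand is not backed by an address in the claimed domain."""
    _, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    return registrable(domain) != registrable(claimed_domain)


def audit_message(from_header: str, html: str, claimed_domain: str) -> list:
    """Sender check first, then the links; the order mirrors how a reader should look at the mail."""
    findings = audit_links(html, claimed_domain)
    if sender_mismatch(from_header, claimed_domain):
        findings.insert(0, f"sender {parseaddr(from_header)[1]} is outside {claimed_domain}")
    return findings


# Constructed sample, modelled on the "package you weren't tracking" mail described above.
SAMPLE_FROM = "UPS Customer Service <notify@ups-tracking-update.example.net>"
SAMPLE_HTML = """
<p>A package addressed to you could not be delivered.</p>
<p><a href="http://ups-tracking-update.example.net/login">www.ups.com/tracking</a> to reschedule.</p>
<p>Questions? <a href="https://www.ups.com/help">Help Center</a></p>
"""

if __name__ == "__main__":
    for finding in audit_message(SAMPLE_FROM, SAMPLE_HTML, "ups.com") or ["no findings"]:
        print("-", finding)
```

The display name and the link text are the parts an attacker controls for free; the address domain and the href host are what the mail client actually uses, so those are the two fields the check compares.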
Watch your accounts like a hawk.
One of the most important things you can do is watch your accounts like a hawk. With so much of our lives online now, we can go days if not weeks or months without logging into some of our accounts. But that doesn’t mean you can’t watch them anyway. Many sites will send you alerts when something changes: password resets, address, email, and so on. Be sure these are turned on, and when you get an alert for something you didn’t request, check into it right away; a password or recovery email change you didn’t make is the first sign that someone else is in the account. If the site allows a required second action to confirm a change, consider that also for the sites that deal with your financial matters.
Many people use programs/sites that aggregate financial accounts, like Mint. While these sites haven’t proven to have had any issues, there is always a chance that by allowing one site access to many others they become a target for hackers: the aggregator holds your logins for every account it pulls from. So if you are going to use one, be sure the passwords you are putting into the site and the password for the site itself are all secure enough. I expect one day many sites will provide a way to have one username/password for just monitoring and another for direct access/interaction, but at this time I am not sure of any that do. So just be diligent in your monitoring of all of your accounts.
So if I haven’t turned you off yet with all of my fear, uncertainty and doubt, great, you just might be on your way to safer computing even if another bug is found in a Microsoft operating system tomorrow. The bottom line is be aware, question, and when in doubt avoid that click. It just might keep you from becoming part of the next security breach story. What else do you do to protect yourself from potential security issues? Let me know, as I am always looking for the next thing to try.