Simply Secure

NASA and other employers have reported that cyber attacks increased dramatically with the spread of the pandemic. Apparently, internet bad guys view millions of people teleworking from home, outside protected corporate or government networks, as an irresistible opportunity for stealing data and money. So, it is more important than ever to pay attention to your own security on your phone, tablet or computer, and your most important accounts, especially bank and email accounts. Here are some simple steps you absolutely should take. (Some info is from TWiT’s iOS Today #495.)

Longer is Better

While randomizing your passwords is great, lengthening them is even better. Each extra character multiplies the number of guesses a criminal has to make, so a longer password turns the minutes or hours a “brute force” attack would take on even the fastest hardware into years or decades, which is impractical. As a simple example, you could guess *** in short order, especially if you knew part of it: ca*. However, you’d have a hard time guessing ******************************, even if you knew every other letter: *a*I*T*e*a*K*o*s*L*t*b*u*T*a*! Using a long phrase like CatInTheHatKnowsALotAboutThat! gives you a long, strong password that is still easy to remember. One caveat: cracking tools ship with lists of famous titles, quotes and song lyrics and try the common capitalizations and punctuation against each one, so a phrase everyone knows is far weaker than its length suggests. Pick a phrase only you would think of, or string together several random, unrelated words. Add dashes or underscores between words to make it even longer, and misspell some words or replace a couple of letters with similar-looking numbers to mix it up a bit. Just be careful typing it if you don’t use password manager software as you should (more on that later).
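
To put numbers on “longer is better”, and on the caveat that a famous phrase is one dictionary entry no matter how many characters it has, here is a small calculator. It is an added example, not code from the original post; the guess rates (a GPU rig cracking a fast hash offline versus a throttled login form) and the phrase-list and mangling-rule sizes are assumptions chosen for illustration.

```python
"""Work factor of a guessing attack as passwords get longer or more predictable.
Added example; all guess rates and list sizes below are illustrative assumptions."""
import math

# Alphabet sizes for character-by-character brute force.
ALPHABETS = {
    "lowercase": 26,
    "mixed_case": 52,
    "mixed_case_digits": 62,
    "printable_ascii": 95,
}

# Assumed attacker speeds in guesses per second: offline cracking of a fast,
# unsalted hash on GPUs, versus an online login form with rate limiting.
OFFLINE_GPU = 1e11
ONLINE_THROTTLED = 10.0


def random_password_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def passphrase_bits(n_words: int, dictionary_size: int) -> float:
    """Entropy of n_words picked uniformly from a word list (e.g. 7776-word Diceware).
    The attacker guesses whole words, so the character count is irrelevant here."""
    return n_words * math.log2(dictionary_size)


def known_phrase_bits(phrase_list_size: int, mangling_rules: int) -> float:
    """A title, quote or lyric the attacker can look up costs only
    (phrases in the list) x (case/separator/suffix variants tried per phrase)."""
    return math.log2(phrase_list_size * mangling_rules)


def worst_case_seconds(bits: float, guesses_per_second: float) -> float:
    """Time to exhaust the whole keyspace (the expected time is half of this)."""
    return 2.0 ** bits / guesses_per_second


def human_time(seconds: float) -> str:
    """Render seconds in the largest unit that fits."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.3g} seconds"


def compare(rate: float = OFFLINE_GPU) -> dict:
    """Work factor for the post's examples at one assumed guess rate."""
    cases = {
        # the "ca*" style short password, lowercase only
        "3 lowercase letters": random_password_bits(3, ALPHABETS["lowercase"]),
        # 8 characters from the full printable set, a common old policy
        "8 printable chars": random_password_bits(8, ALPHABETS["printable_ascii"]),
        # what the post's 30-character example costs a pure brute forcer
        "30 random mixed-case chars": random_password_bits(30, ALPHABETS["mixed_case"]),
        # the same phrase when it sits in an assumed 10M-entry list x 64 variants
        "CatInTheHat... as a known phrase": known_phrase_bits(10_000_000, 64),
        # 6 random Diceware words: long AND absent from every phrase list
        "6 random Diceware words": passphrase_bits(6, 7776),
    }
    return {name: (round(bits, 1), human_time(worst_case_seconds(bits, rate)))
            for name, bits in cases.items()}


if __name__ == "__main__":
    for name, (bits, t) in compare().items():
        print(f"{name:36s} {bits:6.1f} bits  {t}")
```

Run it and the two 30-character rows tell the story: the same characters cost a brute forcer ages but a phrase-list attacker a fraction of a second, while six random words from a 7776-word list sit comfortably in the tens of thousands of years even at the offline rate.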

It should go without saying: never reuse the same long password or passphrase for multiple accounts, lest a data breach in one account open your other accounts (and thus data, identity and money) to malicious hackers. Remember that your email account is effectively the key to your kingdom. Not only is it your username for many accounts, it’s where account password reset messages usually go, so a crook who gains access to your email may easily access your other accounts/data/identity/money. Guard your email account with a long, unique password, and…

Turn on Two Factor Authentication (2FA)!

If you do nothing else after lengthening your passwords, turn on 2FA (aka 2-step) for every account possible! This includes Amazon, Apple/iCloud, Google/Gmail, eBay, PayPal, Twitter, Facebook, your credit cards, your bank accounts, your iPhone/iPad (Settings > your name at top > Password & Security > Two-Factor Authentication)…everywhere! In this context, “factors” are what you use to prove (authenticate) you are you to some other person, company or computer system. Common identification or authentication factors:

  1. Something you have, e.g., driver license, passport, military ID, company badge, RSA token
  2. Something you know, e.g., debit card PIN, password, answers to security questions (bad)
  3. Something you are, e.g., biometrics like fingerprint, face scan, retina scan

You’re probably already using 2FA in everyday life without realizing it. Your ATM card uses 2FA, because it requires you to have your card and know your PIN to get cash. My office building has cipher locks that won’t let me enter unless I have my badge and know my PIN. (Highly secure facilities may use 3+ factors, but let’s stick with 2 for now.) Modern iPhones (something you have) use TouchID or FaceID (scanning something you are) to gain access to your data. Now that you’re a 2FA expert, use it where it is most important: your online accounts that hold your credit, money and identity! A cyber thief on the other side of the planet might know your password (due to a corporate data breach beyond your control, or because you lazily used your easily discovered pet’s name or breed as a password), but they won’t have your phone or tablet, much less your finger or face (assuming those are still attached). Thus, 2FA is a simple way to put a big obstacle in the bad guys’ way and greatly increase your online security. NYT explains how protecting your internet accounts with 2FA keeps getting easier. If you haven’t already done it, do it, now.

When setting up 2FA in your online accounts, try to avoid using just security questions. So-called “security” questions are not secure because your answers (mother’s maiden name, grade school, first car model) are more easily discovered than you may think. If you can’t avoid such questions (unfortunately still in use by some bank systems), at least make up false, silly, unguessable answers that you’ll still remember, e.g., “favorite food” = “pink elephant” (one bite at a time), and keep them in your password manager. Likewise, try to avoid SMS text messages for 2FA. SMS texts are unencrypted in transit, and savvy criminals can take over your phone number outright by talking your carrier into a “SIM swap” or port-out, after which your codes arrive on their phone instead of yours; weaknesses in the telephone network itself have also been used to intercept texts. An authenticator app (such as Microsoft Authenticator, Google Authenticator, or Authy) on your phone or tablet is a far better option: it computes each code locally from a secret shared with the site when you scanned its QR code, so no code ever travels over the phone network. Emailed codes are acceptable for other accounts, but never as the second factor for your email account itself, since anyone who breaks into that account would then hold both factors. Even so, SMS texts and even security questions are better than nothing.

Here’s a rough ranking from best (most secure) to worst (least secure) 2FA options you may look for (thanks to Leo Laporte of TWiT.tv):

  1. Hardware token, e.g., YubiKey or RSA SecurID, for pros or tech-savvy computer users (a FIDO security key such as a YubiKey also resists phishing, because it checks the real site address before answering)
  2. Biometrics, e.g., FaceID and TouchID, for people with faces and fingers
  3. Authenticator app, e.g., Authy, Google Authenticator, Microsoft Authenticator (my pref)
  4. SMS texts (if you must)
  5. “Security” questions (boo! bogus! shame on your bank!)

Use a Password Manager

Password managers make your digital life more secure and easier. A password manager is simply a software app that securely stores all of your account credentials (usernames and passwords) in an encrypted database on your device and/or in the cloud, unlocked by one long master password that you do have to remember. The Wirecutter explains why you need a password manager, and recommends 1Password, which is what I use in my Apple-centric home (iPhones, iPads, Macs, Apple TVs, HomePod). LastPass and Bitwarden are also highly rated. Password managers offer many advantages over your paper notebook or unencrypted Notes app, including:

  • Securely stores all of your login credentials (usernames & passwords) in an encrypted database that you easily access from any of your devices
  • Generates and remembers long, strong passwords for you, unburdening your brain while increasing your security
  • Automatically fills in your username and passwords on most web sites, eliminating your need to type or copy-n-paste
  • Securely stores other important card or ID info including credit cards, driver license, passports, rewards & membership cards, software licenses, vault codes/combinations, etc.
  • Creates shared/family password vaults for your trusted loved ones to access
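
The second bullet, generating long, strong passwords, is worth seeing in code, because the quality of the random source is the whole point. Below is an added example of how a manager should generate passwords and passphrases; it is not code from 1Password, LastPass or Bitwarden. It uses Python’s `secrets` module (the operating system’s cryptographic random source) rather than `random`, which is predictable. The 16-word list is a constructed stand-in for a published list such as the EFF long list, and the symbol set is an assumption.

```python
"""Password and passphrase generation with a cryptographic random source.
Added example; SYMBOLS and SAMPLE_WORDLIST are constructed stand-ins."""
import secrets
import string

SYMBOLS = "!#$%&()*+,-./:;<=>?@[]^_{}~"
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS)
ALPHABET = "".join(CLASSES)

# Constructed 16-word sample. A real generator loads a published list of
# thousands of words; strength comes from the list size and the word count.
SAMPLE_WORDLIST = [
    "anchor", "brisket", "cobalt", "dorsal", "ember", "fjord", "gumbo", "hazel",
    "ingot", "jigsaw", "kelp", "lumen", "marrow", "nimbus", "ochre", "plinth",
]


def has_all_classes(password: str) -> bool:
    """True if the password contains at least one character from every class."""
    return all(any(ch in cls for ch in password) for cls in CLASSES)


def random_password(length: int = 20, require_all_classes: bool = True) -> str:
    """Uniformly random characters from ALPHABET, drawn with secrets.choice.

    Sites that insist on "one of each class" are satisfied by rejection sampling:
    draw a whole password, retry if a class is missing. That keeps the output
    uniform over all compliant passwords, unlike the common "pick one from each
    class, fill the rest, shuffle" recipe, which skews the distribution."""
    if length < len(CLASSES):
        raise ValueError("length too short to contain every character class")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not require_all_classes or has_all_classes(pw):
            return pw


def random_passphrase(n_words: int = 6, wordlist=SAMPLE_WORDLIST, sep: str = "-") -> str:
    """Diceware-style passphrase: each word chosen uniformly and independently.
    Separators add length for free and make word boundaries obvious when typing."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    print("password:  ", random_password(24))
    print("passphrase:", random_passphrase(6))
```

A generated password like this is unmemorable by design; that is fine, because the manager remembers it and fills it in. The passphrase form is for the one or two secrets you must type from memory, such as the manager’s own master password, and with a real word list of several thousand entries six words is plenty.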

What about letting your web browser store passwords as a “poor man’s password manager”? It is better than reusing passwords, but weaker than a real manager. Chrome and Edge protect saved passwords only with a key tied to your operating system login, so any program running as you, including malware that lands on your machine, can read them, and Firefox leaves them essentially unprotected unless you set a Primary Password. Browser stores also don’t cover passwords for apps outside the browser and offer no shared vaults. One exception is Safari, which correctly uses Apple’s Keychain to securely store passwords, but this is only useful for macOS and iOS users, not for Windows and Android users. It is rumored that Keychain in iOS 14 will have true password manager features, presumably a free default for Apple iPhone and iPad users.

Recap

Being simply secure–more important in this time of pandemic and teleworking–is as easy as 1-2-3:

  1. Use long, unique passwords (or passphrases)
  2. Turn on 2FA (aka 2-step authentication)
  3. Use a password manager app
