Two Useful Online Safety Tips
We deliver online security seminars to audiences all across New England. When we speak to general-interest audiences, we are often asked, “What are some of the basic ways I can protect myself from online hackers?”
We are currently working on an entire book that will exhaustively answer this question, but in the meantime, here are two quick tips:
#1: Choose Better Reset Questions!
Even if you’re taking all the right precautions with password selection and protection, poor reset questions can undo your efforts. Information such as your ZIP code, birthdate, or alma mater can be easily discovered online. Even your mother’s maiden name can be easily obtained in minutes via nearly any genealogy site. When choosing reset questions, aim to use information that only YOU would know, such as the name of a beloved first pet (provided you’ve never blogged about it!) or something more abstract than a basic, biographical fact.
Another tactic worth considering is to add a three-character string to each reset answer. For instance, let’s say you add Q7t to each of your reset answers. The name of your high school now becomes “Swampscott HighQ7t”, the name of your favorite pro sports team becomes “PatriotsQ7t”, and your first car becomes “MazdaQ7t”. As long as you can remember those three characters — which you won’t have to change — you can choose easy-to-remember reset questions without having to worry about whether someone can crack into your accounts after pulling down some basic Google search results about you.
#2: Set up Two-Factor Authentication for every account that offers this feature.
Sometimes abbreviated as 2FA, and sometimes known as two-step verification, this is a means by which an extra layer of security can be applied to user accounts on the web. Generally speaking, 2FA combines something you know (e.g. a password) with something you have (e.g. a physical token or a unique, randomly generated code sent to your phone).
If the concept seems strange, just remember that you already use 2FA every time you access money from an ATM – you need both your Personal Identification Number AND a physical token (your card) in order to access your money.
A typical 2FA setup will involve a randomly generated, six-digit code either sent to a user’s phone or retrieved from an app such as Authy. Someone with a 2FA-protected e-mail account, for instance, would need to enter this code after entering his password in order to gain access to his e-mail.
Most accounts that offer 2FA will give you the option to use it only when an attempt is made to log into your account from a new browser. This is a great way to balance convenience and security — after the initial set-up, you won’t need 2FA to sign in again when you’re using your personal computer and/or smartphone, but only when you’re on a new device or using a different browser. And it would still be impossible for a cyber-criminal to break into your account…assuming that he does not also have access to your phone!
2FA is an extremely powerful way to bolster the security of your online accounts. In July 2014, a Wall Street Journal tech columnist writing a piece about 2FA actually included his Twitter username and password in the column. By doing so, he was demonstrating that his password was useless to a would-be hacker on its own; without also obtaining access to his phone, a hacker would not be able to access the reporter’s Twitter account.