Securing access to your accounts is crucial to protecting you from hacking, impersonation, and other forms of identity theft. You’d be surprised just how far good password hygiene can go in keeping you safe. If you’re getting cybersecurity advice from all sides, it’s OK to feel intimidated and overwhelmed. The tips below are intended to demystify the process. They can be done all at once or piecemeal; every little bit counts in making you more secure.
- Compose difficult passwords. Hackers, with the help of machines, have gotten very good at cracking short passwords. A strong password is at least sixteen characters long and contains a mix of upper- and lowercase letters, symbols, and numbers; length matters most, since every extra character multiplies the number of guesses an attacker has to make. (An emerging best practice is to string several randomly chosen words together into a phrase.) It can be tempting to use familiar names and places in your passwords or to swap letters for look-alike symbols, like “@” for “a” or “3” for “E.” Resist doing this: cracking tools try those substitutions automatically, so a short password dressed up with symbols gives you only a false sense of security. Instead, set up a password manager that will generate and store LONG random passwords for you (see below).
- Try to follow a one-to-one rule. Feminist Frequency stresses the importance of creating an individual password for each unique account in its Online Safety Guide. The reason is simple: when one site is breached, attackers try the leaked email-and-password pairs on every other site, so a reused password turns one breach into many. Don’t forget all the different accounts out there! Email, social media, banking, household expenses like electric and heating, credit cards, health insurance, television and movie subscriptions, retail subscriptions, charities, and volunteer memberships are just some of the online accounts you might have. It’s a lot to remember, so consider using a secure password manager (see below). Remember that every little bit helps: start by making sure your most sensitive accounts (your email, finances, social media) have brand new, unique passwords and go from there.
- Use a secure password manager. Creating and remembering a unique password for every account can feel like a Sisyphean task. Password managers generate randomized, highly secure passwords and store them securely so that your brain doesn’t have to. Mobile apps and web browser extensions streamline the whole process, filling in usernames and passwords automatically once you’ve signed in. It’s entirely reasonable to have reservations about storing all your passwords in one place, so it’s important to understand that not all password managers are created equal. The good ones encrypt your vault on your own device with a key derived from your master password and never hold that key themselves, so even if the company has a security breach, the attackers get only an encrypted jumble. That also means the master password is the one password you still have to remember: make it a long passphrase, and turn on multi-factor authentication for the manager itself. LastPass and Dashlane have free versions; 1Password costs money but offers free accounts for journalists. Here’s a review to help you decide.
- Use multi-factor authentication whenever possible. Email, social media, and other sites that require a log-in will often give you the option of turning on “multi-factor” or “two-factor” authentication (often abbreviated MFA or 2FA). This is one of the best things you can do to secure your accounts. Here’s how it works: whenever you log into your account from a device you’ve never used before, you’ll need to confirm the login with a second factor, usually something on a device you hold, such as your cell phone. That means that if a hacker halfway around the planet manages to guess or steal your password, they’re still out of luck because they don’t have your second device. NOTE: some forms of authentication are more secure than others. Some sites text a code to your cell number; that is the weakest option, because the code travels over the phone network and your number can be taken over through SIM hijacking (see below). The most secure option is a physical security key, which only responds to the genuine website and so cannot be tricked by a phishing page. A good middle ground – more secure than text messaging and less cumbersome than a security key – is an authenticator app such as Google Authenticator or Authy, which generates time-based codes on your phone from a secret shared with the site when you enrolled, so no code ever travels over the network. Keep in mind that app codes can still be phished by a fake login page that relays them in real time; if that is a risk you face, use a security key.
- Invent security question answers. Many sites require you to set up a security question in case you forget your password. The questions tend to be simple and personal, meaning their answers could be easy for an attacker to dig up through a Google search. Make your answers to these questions hard to guess, or pick a question whose answer isn’t Googleable. (For example, if the question is “Where were you born?” and a Google search of your name surfaces an article about the time you starred in your middle school play in Pleasantville, America, don’t pick that question, or invent a different answer.) EFF recommends using a randomly generated answer in response to these questions, since a security question is effectively a second password that can reset your first one. Remember: your answer doesn’t have to be true; you just need to be able to remember it or look it up! You can always save answers to security questions in your password manager if you’re worried you might forget them (see above).
- Check if your accounts have been compromised in a data breach. When you create an account to use a product, you establish not only a username and password but enter all sorts of private information as well. If that company is the target of a data breach, the password you used there may be exposed (sometimes in plain text, sometimes as a hash that attackers can crack) and your personal information leaked on the web. Go to https://haveibeenpwned.com/, enter the email addresses you use, and check whether your data has been compromised. If so, you’ll be able to see which services were breached. Immediately change the passwords on those accounts, change them anywhere else you reused the same password, and never use those passwords again.
- Watch out for SIM hijacking. It is shockingly simple for hackers to trick cell companies into handing over control of your phone number. Your SIM card is what ties your phone to your number on the carrier’s network. Hackers can call your cell phone company pretending to be you, explain you’ve “lost” your SIM card, and request that your phone number be moved to a new SIM card (in the hacker’s hands). From then on, your calls and text messages, including verification codes, arrive on their phone. If your phone number is linked to your accounts, whether as the second factor for multi-factor authentication or as a recovery option for resetting passwords, the hacker can now get into your accounts and reset all your passwords. To protect yourself, 1) call your cell phone provider and ask for a PIN or passcode to be added to your account, which will then be required for any future changes; 2) use a mobile authenticator app rather than your phone number for multi-factor authentication; and 3) where a site lets you, remove your phone number as a password-recovery option. This can sound complex, but it is worth taking some time to work through the steps. For more detailed info on how to protect yourself from SIM hijacking, check out VICE’s helpful guide.
- Beware spam and phishing. Be careful when opening unexpected or unsolicited emails, and don’t open unsolicited attachments or click links without first verifying the sender. The sender’s name and address shown in an email can be forged, so verify through a separate channel: if you get an email with an attachment or link from a friend that you weren’t expecting, send them a quick text and make sure it’s legit. When a message asks you to log in somewhere, type the site’s address yourself rather than following the link.
- Ask your workplace, university, or volunteer affiliations not to publish your contact info in their online directories. See this Field Manual’s Guidelines for Talking to Employers and Professional Contacts if you’d like tips for discussing online harassment in a professional capacity.
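To make the password advice above concrete, here is an added example (not part of the field manual, and not code from PEN America or any of the tools it mentions) that compares two ways of estimating how hard a password is to crack: the naive keyspace count, and the count for an attacker who first undoes look-alike substitutions and checks a dictionary. It also generates random passwords and passphrases with the operating system’s secure random source. The wordlist, the dictionary size and the passphrase word list are constructed assumptions for the example.

```python
import math
import secrets
import string

# Constructed stand-in for an attacker's wordlist (assumption for this example).
# DICTIONARY_SIZE is the assumed size of the real list used in the work estimate.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "pleasantville"}
DICTIONARY_SIZE = 10_000

# Look-alike substitutions that cracking rules undo automatically.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t", "8": "b"})
SUBSTITUTABLE = set("aeiostb")  # letters an attacker expects may be "leeted"

# Constructed mini wordlist for passphrases; a real diceware-style list has 7776 words.
PASSPHRASE_WORDS = ["orbit", "velvet", "lantern", "cactus", "harbor", "mosaic",
                    "thunder", "quartz", "pelican", "saddle", "ember", "glacier"]


def brute_force_bits(password: str) -> float:
    """Work (log2 of guesses) for an attacker who only knows which character classes appear."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # the 32 printable ASCII symbols
    return len(password) * math.log2(size) if size else 0.0


def guess_bits(password: str) -> float:
    """Work for a dictionary-aware attacker who undoes look-alike substitutions first."""
    base = password.translate(LEET).lower()
    if base in COMMON_WORDS:
        # Choose the word from the dictionary, then try each substitutable letter
        # both ways, plus the first letter capitalised or not (one bit each).
        variants = sum(1 for c in base if c in SUBSTITUTABLE) + 1
        return math.log2(DICTIONARY_SIZE) + variants
    return brute_force_bits(password)


def generate_password(length: int = 16) -> str:
    """Random password over letters, digits and symbols from the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words: int = 6, wordlist=PASSPHRASE_WORDS) -> str:
    """Random phrase of independently chosen words, as the 'random phrase' tip suggests."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def passphrase_bits(words: int, wordlist_size: int = 7776) -> float:
    """Entropy of a passphrase drawn uniformly from a list of wordlist_size words."""
    return words * math.log2(wordlist_size)


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "Pleasantv1lle", generate_password(16)):
        print(f"{pw!r}: keyspace {brute_force_bits(pw):.1f} bits, "
              f"realistic {guess_bits(pw):.1f} bits")
    print(generate_passphrase(), f"(~{passphrase_bits(6):.1f} bits with a 7776-word list)")
```

“P@ssw0rd” looks like a 52-bit password by character-class counting but costs a dictionary-aware attacker under 20 bits of work, while a random 16-character password from a manager sits above 100 bits and a six-word random passphrase near 78.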
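The breach-check tip sends Have I Been Pwned your email address, which is fine because the address is not a secret. The same site also lets you check a password, and the added example below (written for this page; not the site’s own client code) goes a step beyond the text to show how that can be done without ever sending the password: only the first five hex characters of its SHA-1 hash are sent (the “range” query), the site returns every hash suffix with that prefix, and the match is found locally. The HTTP call is included but not exercised offline; the response body and its counts are constructed for the example.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str):
    """Split the uppercase hex SHA-1 into the 5-char prefix that is sent and the
    35-char suffix that never leaves your machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Scan a range response ("SUFFIX:COUNT" per line) for our suffix; 0 if absent."""
    for line in range_body.splitlines():
        found, _, count = line.strip().partition(":")
        if found == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Online step (not run in the offline demo): the server sees only the prefix.
    Add-Padding asks for dummy entries so the response size does not hint at the prefix."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch=fetch_range) -> int:
    """How many times the password appears in the breach corpus (0 = not found)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, fetch(prefix))


# Constructed response for prefix 5BAA6 (the SHA-1 of "password" begins 5BAA6).
# The counts and the other suffixes are made up; a real padded response is much longer.
SAMPLE_RANGE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:0
00D4F6E8FF3F0B2B1A77B9C4D0E1F2A3B4C:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
"""


if __name__ == "__main__":
    offline = lambda prefix: SAMPLE_RANGE_5BAA6  # stand-in for fetch_range
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {breach_count(pw, fetch=offline)} times")
```

The prefix alone matches hundreds of real hashes, so the server cannot tell which one you hold; that is the k-anonymity idea, and it is the reason such a check is safe to run even on a password you currently use.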
The guidance above was developed in consultation with cybersecurity experts at Freedom of the Press Foundation and PEN America.