Securing access to your accounts is crucial to protecting you from hacking, impersonation, and other forms of identity theft.
You’d be surprised just how far good password hygiene can go in keeping you safe. If you’re getting cybersecurity advice from all sides, however, it’s OK to feel intimidated and overwhelmed. The tips below are intended to demystify the process. They can be done all at once or piecemeal. Every little bit counts in making you more secure. If you need help implementing any of the guidance below or want to delve a little deeper, check out these fantastic, interactive, and user-friendly toolkits: Security Planner from Consumer Reports and Cybersecurity Toolkit for Journalists from the Global Cyber Alliance.
Compose difficult passwords
According to the password-creation requirements of many websites today, a strong password is at least sixteen characters long and contains a mix of upper- and lowercase letters, symbols, and numbers. It can be tempting to use familiar names and places in your passwords, or to swap letters for look-alike symbols, like “@” for “a” or “3” for “E.” Resist doing this: these substitutions are well known and are the first thing password-guessing tools try. Instead, use an automated password generator (like Secure Password Generator) or a password manager (see below).
Try to follow a one-to-one rule
Feminist Frequency stresses the importance of creating an individual password for each unique account in its Online Safety Guide. Don’t forget all the different accounts out there! Email, social media, banking, household expenses like electric and heating, credit cards, health insurance, television and movie subscriptions, retail subscriptions, charities, and volunteer memberships are just some of the online accounts you might have. It’s a lot to remember, so consider using a secure password manager (see below). Remember that every little bit helps: start by making sure your most sensitive accounts (your email, finances, social media) have brand new, unique passwords and go from there.
Use a secure password manager
Creating and remembering a unique password for every account can feel like a Sisyphean task. Password managers generate randomized, highly secure passwords and keep them securely stored so that your brain doesn’t have to. Mobile apps and web browser extensions streamline the whole process, filling in usernames and passwords automatically once you’ve signed in. It’s entirely reasonable to have reservations about storing all your passwords in one place, so it’s important to understand that not all password managers are created equal. The good ones encrypt your passwords so that even if the company suffers a security breach, what leaks is an unreadable jumble rather than your passwords. LastPass and Dashlane have free versions; 1Password costs money but offers free accounts for journalists. Here’s a review to help you decide.
Use multi-factor verification whenever possible
Email, social media, and other sites that require a log-in usually offer the option of turning on multi-factor verification—a layer of security that requires you to retrieve a code or confirm access from a secondary device before logging into your account. If someone tries to sign into your account, they won’t be able to complete authentication without access to your secondary device, which in most cases is your mobile phone—a device many of us have nearby at all times. To avoid the risks of SIM hijacking (see below), use an authenticator app such as Google Authenticator or Authy, rather than your cell phone number as your means of authentication.
Invent security question answers
Many sites require you to set up a security question in case you forget your password. The questions tend to be simple and personal—meaning their answers could be easy for an attacker to dig up through a Google search. Make your answers to these questions hard to guess, or pick a question whose answer isn’t Googleable. (For example, if the question is “Where were you born?” and a Google search of your name surfaces an article about the time you starred in your middle school play in Pleasantville, America, don’t pick that question, or invent a different answer.) EFF recommends using a randomly generated answer in response to these questions. Remember: your answer doesn’t have to be true, you just need to be able to remember it or look it up! You can always save answers to security questions in your password manager if you’re worried you might forget them (see above).
Check if your accounts have been compromised in a data breach
When you create an account to use a product, you establish not only a username and password, but enter all sorts of private information as well. If that company is the target of a data breach, your password may be compromised and your info leaked on the web. Go to https://haveibeenpwned.com/, enter the email addresses you use, and check if your data has been compromised. If so, you’ll be able to see which accounts were breached. You will then need to immediately change the passwords on those accounts and never use those passwords elsewhere again.
Watch out for SIM hijacking
It is shockingly simple for hackers to trick cell companies into handing over control of your phone number. Your SIM card is how your cell phone connects to your carrier account and to the cellular network. Hackers can call your cell phone company pretending to be you, explain you’ve “lost” your SIM card, and then request that your phone number be routed to a new SIM card (in the hacker’s hands). If your cell phone number is linked to your accounts, including as the second factor for multi-factor authentication, the hacker can now receive your verification codes, access your accounts, and reset all your passwords. To protect yourself, 1) call your cell phone provider and request that a PIN be added to your account, which will then be required for any future changes; and 2) use a mobile authenticator app rather than your mobile phone number for multi-factor authentication. This can sound complex, but it is worth taking some time to work your way through the steps. For more detailed info on how to protect yourself from SIM hijacking, check out VICE’s helpful guide.
Beware of spam and phishing
Be careful when opening unexpected or unsolicited emails, and don’t open any unsolicited attachments or links without first verifying the sender. If you get an email with an attachment or link from a friend that you weren’t expecting, it is also good to send them a quick text and make sure it’s legit.
Ask your workplace, university, or volunteer affiliations not to publish your contact info in their online directories
See this Field Manual’s Guidelines for Talking to Employers and Professional Contacts if you’d like tips for discussing online harassment in a professional capacity.
The guidance above was developed in consultation with cybersecurity experts at Freedom of the Press Foundation and PEN America.