Securing access to your accounts is crucial for protecting your online information.
Spending an hour or two updating your passwords and log-in settings is a simple first step to take when preparing for episodes of online harassment that may make you vulnerable to hacking or doxing. Keep in mind the following tips:
- Use multi-factor verification whenever possible. Email, social media, and other sites that require a log-in usually offer the option of turning on two-step verification—a layer of security that requires you to retrieve a code or confirm access from a secondary device before logging into your account. If someone tries to sign into your account, they won’t be able to complete authentication without access to your secondary device, which in most cases is your mobile phone—a device many of us have nearby at all times. To avoid the risks of SIM hijacking (see below), use an authenticator mobile app such as Google Authenticator or Authy, rather than your cell phone number for authentication.
- Watch out for SIM hijacking. It is shockingly simple for hackers to bypass multi-factor authentication to access your email and social media accounts. Hackers can call your cell phone company pretending to be you, explain you’ve “lost” your SIM card, and then request that your phone number be routed to a new SIM card (in the hacker’s hands). If your cell phone is linked to your accounts, including as authentication for multi-factor verification, the hacker can now access your accounts and reset all your passwords. To protect yourself, 1) call your cell phone provider and request a PIN be added to your account, which will then be required for any future changes; 2) use a mobile authenticator app rather than your mobile phone number for multi-factor verification; and 3) do not link your mobile phone number to your accounts; instead, use a Google Voice number. For more detailed info on how to protect yourself from SIM hijacking, check out VICE’s helpful guide.
- Compose difficult passwords. According to the password-creation requirements of many websites today, a strong password is longer than eight characters and should contain a mix of upper- and lowercase letters, symbols, and numbers. (An emerging best practice suggests combining words into a random phrase.) It can be tempting to use familiar names and places in your passwords or to swap out letters for correlative symbols, like “@” for “a” or “3” for “E.” Resist doing this. Instead, try using an automated password generator (like Secure Password Generator) or download a password manager (see below). The Electronic Frontier Foundation (EFF) recommends writing your passwords down on paper and storing them in a secure location, like your wallet.
- Try to follow a one-to-one rule. Feminist Frequency stresses the importance of creating an individual password for each unique account in its Online Safety Guide. Don’t forget all the different accounts out there! Email, social media, banking, household expenses like electric and heating, credit cards, health insurance, television and movie subscriptions, retail subscriptions, charities, and volunteer memberships are just some of the online accounts you might have. It’s a lot to remember, so consider using a secure password manager (see below).
- Use a secure password manager. Creating and remembering a unique password for every account can feel like a Sisyphean task. Password managers help generate randomized, high-security passwords and keep them securely stored so that your brain doesn’t have to. Mobile apps and web browser extensions streamline the whole process, filling in usernames and passwords automatically once you’ve signed in. LastPass and Dashlane have free versions. 1Password does not have a free version, but it is especially robust. Here’s a review to help you decide.
- Use security questions. Many sites require you to create a security question in the event that you forget or need to reset your password. The questions tend to be simple and personal—meaning their answers could be easy for an attacker to dig up through a Google search. Try to make your answers to these questions difficult, or pick a question whose answer isn’t Googleable. (For example, if the question is “Where were you born?” and a Google search of your name surfaces an article about the time you starred in your middle school play in Pleasantville, America, maybe don’t pick that question.) EFF recommends using a randomly-generated answer in response to these questions. You can always save answers to security questions in your password manager if you’re worried you might forget them.
- Check if your accounts have been compromised in a data breach. When you create an account to use a product, you establish not only a username and password, but enter all sorts of private information as well. If that company is the target of a data breach, your password may be compromised and your info leaked on the web. Go to https://haveibeenpwned.com/, enter the email addresses you use, and check if your data has been compromised. If so, you’ll be able to see which accounts were breached. You will then need to immediately change the passwords on those accounts and never use those passwords elsewhere again. You may also want to do a Google search of your personal info (home address, cell phone, etc.) to see what’s floating around online.
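
For the tips above on composing difficult passwords and answering security questions, the following Python example (added here as an illustration, not part of the original guide) generates a random phrase and a random security answer, and shows why familiar symbol swaps add so little: a single lookup table undoes them. The word list, function names, and swap table are constructed for this example. A real word list would contain thousands of words.

```python
import math
import secrets
import string

# Constructed sample word list for illustration only; a real generator should
# draw from a list of thousands of words so each word adds more entropy.
WORDS = ["anchor", "biscuit", "canyon", "dolphin", "ember", "falcon", "glacier",
         "harbor", "island", "juniper", "kettle", "lantern", "meadow", "nectar",
         "orchid", "pepper"]

# The familiar swaps the tip warns about, mapped back to plain letters.
LEET = str.maketrans({"@": "a", "3": "e", "0": "o", "1": "l", "$": "s", "5": "s"})


def random_passphrase(n_words=6, words=WORDS):
    """Join words picked with a CSPRNG (secrets), never the `random` module."""
    return "-".join(secrets.choice(words) for _ in range(n_words))


def random_answer(length=20):
    """Random security-question answer, meant to be saved in a password manager."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(choices, picks):
    """Bits of entropy when each of `picks` items is drawn uniformly from `choices`."""
    return picks * math.log2(choices)


def is_disguised_word(candidate, known_words):
    """True if undoing the familiar symbol swaps yields a known word or name."""
    return candidate.lower().translate(LEET) in known_words


if __name__ == "__main__":
    print(random_passphrase(), f"({entropy_bits(len(WORDS), 6):.0f} bits with this toy list)")
    print(random_answer(), f"({entropy_bits(62, 20):.0f} bits)")
    print(is_disguised_word("P@ssw0rd", {"password"}))
```

A check like `is_disguised_word` can be run against your own name, hometown, and other familiar words before you settle on a password you composed yourself.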