Online security

A few tips can help keep you safe online

A family member recently had an issue with her Paypal account being compromised, so I thought this was a good time to share some of what I know about being safe online. If you have any questions or would like clarification on a point, feel free to reply and I can elaborate.

  1. Every site should have a complex password. See the infographic at the end. If a hacker were to try to brute force a password (meaning, try every combination of every character until they found the right one), then it becomes a LOT harder if there are more characters they need to try. Action: Make your password at least 12 characters, using numbers, upper case, lower case, and symbols.

  2. Every site should have a unique password. Never use the same password between two sites. If you use the same password at Pottery Barn and Chase, and then Pottery Barn gets hacked, now your Chase password is out in the wild. Not ideal. Action: Go to each site where you have an account, find the Change Password function, and change your password to something complex. It’s OK to do this over the span of a few weeks when you have time.

  3. You should use a password safe. If you’re going to do #1 and #2, that will quickly get unwieldy to keep track of. Tracking passwords in a notebook isn’t a bad approach, but what if you lose the notebook or spill your drink on it? What if you’re on vacation and urgently need your Amex password? You’ll install a password safe, create a complex password for the safe, and then remember it. This will be the only password you need to remember. Even better: make up a nonsense passphrase (e.g. “Disney-Monkey-Peptide-Shadow”) for easier memorizing. I’ve used LastPass and 1Password and prefer 1Password. Pay the $3 a month (or whatever they’re charging). Software developers deserve to be paid, and compare it to your possible financial loss if you’re hacked. One huge bonus is these password safes have plugins for the popular web browsers, so when you visit a site it will help you auto-fill your username and password! They also work across devices, so it will fill your password regardless of whether you’re on phone or desktop. Action: sign up for a password safe, install the software, set up a vault with a passphrase, and start entering your current passwords. Critical: when setting up your password safe, they’ll show you either a recovery phrase or have you print out a PDF with a long string of characters on it; DO THIS. If you do NOT do this and then forget your password safe password, you cannot recover. You can’t call the company and have them unlock it; it’s technically impossible. You are the only one that can access your safe! So put that somewhere safe in your house, then start to work on #2 — 1Password will helpfully tell you if you’re using the same password on multiple sites.

  4. Use two-factor authentication (2FA) everywhere it’s offered. “Two-factor” means that in order to authenticate you, there’s 1) something you know, and 2) something you have. The something you know refers to your password. The something you have usually refers to your phone. The site verifies you have your phone on you by SMS texting you a code (usually six digits), or having you type a code from a program like Google Authenticator. No phone, no code; no code, no login. It will be a pain in the ass to have to grab your phone each time you want to log in, but it still beats the alternative of someone else using your account. Action: log in to your most important sites like your email, banks and brokerages, and look for Settings or Profile or Security to set up 2FA. It may also be called ‘multi-factor’.

  5. [In the US] Freeze your credit. With all the large-scale hacks that have taken place, including the famous Equifax one, assume that your name, address, SSN, and other PII is out there for whoever would like to do you harm. So besides practicing good online security by doing 1-4 above, also consider freezing your credit file at the 3 major bureaus. Action: Freeze your credit at TransUnion, Equifax, and Experian. Some of them will provide you a PIN in order to unfreeze your file; put the PIN in your new password safe. :)