By now, you know that you need to change your passwords. Everyone heard that message clearly this past week because of the security flaw named ‘Heartbleed’, found in parts of the security infrastructure that we’ve come to rely on when using the Internet. I’ve had several people ask me for advice on how to deal with passwords so they can protect themselves without making life impossible. Don’t worry; you don't have to stop using the Internet.
Using a unique password for every site you log into is a way of limiting your risk. If you use the same password in multiple places, it only takes one hacked site to leave you vulnerable on every other site that shares that password. This is especially true for key sites such as your bank or your email (since your email account is the basis for resetting and recovering all your other accounts).
But having multiple passwords can be confusing, so you need a password manager. This is an application where you keep all of your passwords for easy reference. Some folks just use a text file on their phones (leaving you vulnerable if you lose your phone). I’d suggest one of the applications designed specifically for this since it will insert your username and passwords right into the login form (thus reducing typing, frustration, and vulnerability).
The password manager that I use is LastPass. I find it’s especially good since it has quality clients for mobile devices and desktops so you can use it everywhere you have to log into sites. It also has a very handy security audit feature, which monitors your password usage and alerts you to potential vulnerabilities. Warning though: to use it on mobile devices requires a $12/year subscription.
Two-factor authentication refers to a login system where you not only provide a username and password but also show proof that you have an object in your possession. An example of this is the combination of your bank card and your PIN. To get into your bank account at an ATM, you need to have something (your card) and know something (your PIN). Someone could steal your card, or someone could see your PIN, but without the two factors together they can’t access your account.
In the online world, two-factor authentication has come to mean having a user/password combination and a code that is delivered to your phone (usually by text message). The added advantage is that this code is usually a one-time code with a time limit so unlike your bank PIN, it’s always changing and thus is extra secure.
All the major websites offer two-factor authentication: Facebook, Google, Twitter and others have implemented it. I suggest that you activate it as soon as possible.
Another tactic for improving your security is to use Social Sign-on. Social sign-on is a process by which sites do not ask you to make yet another account but instead to sign on using your account from another service (Facebook, Google, or Twitter). This means that the large provider can assure the smaller website that you are who you say you are, but you only need to prove your identity to the larger provider. It means less work for the small sites and for you. But it relies on building good password habits with the major sites that you rely on (tip #1 and #3).
Now that you have a password manager installed, and you are using two-factor authentication and social sign-on, it’s time to get in the habit of changing your passwords on a regular basis. This means every few months you should get your password manager out and have it auto-generate new passwords for all of your key sites. Since you are using a password manager, this is a fairly simple process and it will vastly improve your safety online.
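The two jobs a password manager does in the paragraphs above, auditing a vault for reused passwords and auto-generating fresh ones, are small enough to show in code. This is an added example written for this post, not LastPass's code or any real manager's: the vault is a constructed Python dictionary of site to password, and the functions are hypothetical names chosen here.

```python
import math
import secrets
import string
from collections import defaultdict

# Character set a manager typically draws from: 94 printable ASCII characters.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Random password drawn from the OS CSPRNG (`secrets`, never `random`)."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing work for a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def find_reused(vault: dict) -> dict:
    """Return {password: [sites]} for every password used on more than one site.
    This is the check an audit feature performs: a breach at any one of those
    sites exposes all the others in the group."""
    by_password = defaultdict(list)
    for site, password in vault.items():
        by_password[password].append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


def rotate(vault: dict, sites: list, length: int = 20) -> dict:
    """Return a copy of the vault with a fresh, unique password for each of `sites`."""
    new_vault = dict(vault)
    for site in sites:
        new_vault[site] = generate_password(length)
    return new_vault


# Constructed sample vault showing the reuse problem the post warns about.
SAMPLE_VAULT = {
    "bank.example": "Summer2014!",
    "mail.example": "Summer2014!",
    "forum.example": "Summer2014!",
    "shop.example": "c0rrect-horse",
}

if __name__ == "__main__":
    print("reused before rotation:", find_reused(SAMPLE_VAULT))
    fixed = rotate(SAMPLE_VAULT, list(SAMPLE_VAULT))
    print("reused after rotation:", find_reused(fixed))
    print(f"a 20-character password carries about {entropy_bits(20):.0f} bits")
```

Running it flags the three sites sharing "Summer2014!", replaces every entry, and reports that no password is shared afterwards; the entropy figure is why a manager-generated 20-character password is not worth trying to guess, while a memorable one shared across sites is.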
There are a number of ways that security breaches occur online. The Heartbleed fault falls in the category of mass attack issues where the bad guys are trawling the net hoping to find a weakness. The above tips will help keep you safe from this kind of attack. You could also come under attack from someone specifically targeting you, however. The above tips will help with that, but you might as well make it harder for such an individual. A good way of doing that is to set up an email account that you use only for access to the few accounts that really matter, such as your bank.
Keep this email address hard to guess (a randomly generated address is best) and only use it for the handful of services that really matter to you. Remember, to access most accounts online these days, the attacker needs to know not only your password but also your email address. Why not make them guess about both? And with a password manager, you don’t have to remember anything new. So keep this email address private and keep them guessing.
I hope that you found these tips helpful and please add any other thoughts you might have in the comments below.