Set Better Passwords
We know most of your passwords aren’t strong, and who can blame you when you have to remember a bazillion of them? But the first step to securing your personal info is to pick a distinct, secure password for each of your accounts. If you need help figuring out a good password, there are a handful of password generators out there. While the XKCD password generator is awesome, my personal favorite password-generating mechanism is one I learned from IT consultant Adam Frost years ago: Use the first letter from each word in a song title you love or a favorite phrase and swap out numbers and symbols for letters wherever possible. If you’re ready to give up on remembering all those passwords, it might be time for a password management system. There are several of these, including 1Password and LastPass.
Keep Your Smartphone To Yourself
Have you set a password on your smartphone yet? If not, you could be leaving it open to hacking. If you’ve got iOS 4 or higher, you can set a password, rather than the four-digit PIN most people are used to. For Android, avoid creating an obvious shape with your connect-the-dots passcode. This might seem obvious, but you’d be amazed how many people still have “password” as their password, and 1234 as their phone’s PIN. For further safety, keep Bluetooth turned off most of the time (and set your device visibility to “Off”), keep GPS limited to the apps that truly need to know your location, and only use wireless when you absolutely have to — these are three ways hackers have been known to get into smartphones without you being any the wiser. Given our addiction to gaming apps, these moves only protect us so much — as we recently learned, the NSA got into our smartphones through Angry Birds, and they’re far from the only ones interested. I recommend everyone opt out of Millennial Media, the most “leaky” of the gaming app advertising partners, so your personal information isn’t sold to the highest bidder while you’re happily crushing candy.
You should also know that any password, no matter how long or complicated, can be broken by someone who really wants to know. Malicious hackers can get our passwords in a variety of ways. They can use powerful computers and algorithms (a method known as “brute-force” attacking). Some compromise the end-company’s password database (which can also alert them to your password hint, bank account information, and more, as it did with this Amazon password hack in November). Others create an alternative site that looks and acts exactly like the target site, and gathers your information as you type it (a “man-in-the-middle” attack). Once they have your password, they can log in as you, sell it, or just share it with the world, to prove that they can. The only way to protect yourself from these hacks is to set up two-factor authentication, which forces you to use a second code, along with your password, to log into that site or app. Usually, the code is sent to your cell phone, and you type it in. Many sites like Google, Facebook, Twitter, Dropbox, and Evernote have two-factor authentication built in; you just have to turn it on.
Even if you have your passwords on lockdown, unfortunately, two-factor authentication does nothing to protect you from something called trojan attacks. Much like the Trojan horse they’re named after, trojan attacks are programs that look like something you’d actually want to use, but that are actually meant to snoop around your computer and get access to your information or use your computer for international crime (great!). The only way to protect against trojan attacks is to use current, top-quality anti-malware software, such as Bitdefender’s Antivirus Plus (Mac or Windows) or Kaspersky Antivirus (Windows-only). You can also look to popular free tools such as Bitdefender Antivirus Free (Windows), Malwarebytes’ Anti-Malware Free (Windows), or AVG Free Antivirus (Mac) to do the job.
Change Your Password
RIGHT NOW. All of this is great, but the most important thing you can do right now to protect your key information online is change your passwords. A few weeks ago, the world learned about Heartbleed, a vulnerability in the security protocol used by most of the websites on Earth that might have exposed every single piece of information on our computers to, well, everyone. The world’s top internet security expert Bruce Schneier described Heartbleed as “catastrophic,” saying “On the scale of 1 to 10, this is an 11.” Now that Heartbleed has been stopped, we have a new SSL vulnerability on Apple OS and iOS (read: iPhone) called Triple Handshake, which experts call a “mutation” of Heartbleed and that just might also be leaking all of your information to the world. This means now is the time to both change your password and set up two-factor authentication — before your identity is stolen or photos meant for your partner are spread all over Reddit.
Use Ephemeral Communications
Services for ephemeral communications are popping up everywhere, promising the answer for sexting, opining, or just saying “hi” without it ending up on TMZ. While Snapchat and its seemingly hundreds of competitors promise to erase your image or message forever after a brief viewing time, sadly, Tumblr pages and for-profit porn sites are rife with screencaps of Snapchat images that were meant for one person’s eyes only. Some new entrants to the space, like Glimpse, prevent screen captures. But Women’s Coding Collective co-founder Susan Buck points out one all-too-obvious flaw there: “Someone can just use a different phone or camera to take a photo of your photo on the screen.” Apps like Secret, Rumr, and Yik Yak offer simple interfaces to share anonymous information and thoughts with friends or the world. But while these tools keep you anonymous to other users, it is important to note that the app developers know who you are, and that information is hackable. My approach is to assume everyone can read what I am writing or see the photos I am sharing, all the time. But I still recommend “OTR” (off-the-record) chat clients Adium or Cryptocat for those times when you really, really don’t want this conversation getting back to your boss.
Though we rarely talk on the phone anymore, we text more than ever, and giving someone your digits to text can feel less threatening than actually having them hear your voice. However, giving out your real phone number can put you in danger of being stalked, as your cell phone number is often attached to your home address on identity sites. It also opens you up to phishing phone calls, where criminals call and then socially engineer you into giving them information, or take control of your smartphone’s computer through the phone. Google Voice gives you a secure alternate number to use for online dating, self-promotion, or professional networking — anytime you don’t necessarily want the person on the other end showing up at your door. A word to the wise, though: Do not use Google Voice for your two-factor authentication.
But of course, we do live away from the computer too, and even the strongest password can’t protect you from the dangers of in-person interactions. Enter Kitestring, a new tool that, like a digital mom, expects a call when you get home from a sketchy situation (hanging at the club, walking alone at night, going on a blind date) and texts your friends if you don’t check in when you say you will. There are other similar tools out there, but this one wins my heart by being activated by inaction instead of requiring action (shaking a phone, pressing a button) — if someone roofies my drink, I’m going to pass out, not reach for my phone.