We could all do more to be a little safer online, and that’s even more apparent after learning how the recent email hack went down. Here’s how a Russian government hacking group was able to hack into DNC and Clinton staff emails according to Buzzfeed: they sent some official-looking emails to these people with instructions to reset their passwords. The password reset page looked like an official Google page and asked for their current passwords. And apparently enough people fell for the trap.
It might sound sophisticated, but posing as a legitimate company in order to trick people into handing over important data is a common exploit.
Why you should care
Maybe you’re thinking, “But I don’t have any sensitive email that anyone would want to get, so what’s the point?” With access to an email account, you can basically get access to every other account by using a service’s password reset form. This could expose your banking, your photos, and your entire identity.
What you can do
Fortunately, there are some pretty basic things everyone can do to safeguard themselves online. You can never remove risk entirely, but you can try to mitigate it.
So here are some baseline, common-sense steps to take and how to take them:
1. Turn on two-factor authentication
Two-factor authentication (sometimes called other things, like “login approvals” on Facebook) is when you give a website your phone number and, when you sign in from a new device, it texts you a unique 4- or 6-digit code that you have to enter after entering your password. This way, if someone gets your password, they can’t actually access your account unless they’re able to get your device as well. Sure, they could do this, but it’s significantly harder.
It adds one extra step, but because you can tell it to remember your device, you only really need to jump through the extra hoop when you sign in from a computer or phone for the first time.
Long story short, if you use a website that gives you this option, you should turn it on. You should absolutely turn it on for your email, Facebook, and iCloud accounts, as those are often the basis for logging into other services. Once you do it for those, turn it on for anything else you can.
Here are the instructions for how to do it for some common services:
All in all it should take 15 minutes or less. So just go do it.
2. Use unique, long passwords
Once you’ve got your two-factor auth set up, it’s time to step up your password game. I know a lot of people who say, “I can’t keep track of multiple passwords so I just use the same one or two everywhere.” I used to do the same. Sorry, but this is a terrible idea.
In recent years, Yahoo, LinkedIn, Tumblr, Adobe, MySpace, Gmail and others have had their account info — including passwords — hacked. This will only continue to happen, which is why you should always use a unique password for each site.
So, what makes a good password? First off, never use something like 123456. Second, make your passwords long, like, over 12 characters long. Making longer passwords is the best thing you can do to make your passwords harder to crack. A human might have a hard time guessing a random combination of numbers, letters and symbols, but to a machine running through all the options it’s all the same. Making it longer makes it easier to remember and makes it exponentially harder for a computer to guess.
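To put numbers on the “longer is exponentially harder” point, here is a small calculator I added for this post (it is not code from the original article). It treats a password as a draw from a character set and shows how the search space, and therefore the time to brute-force it, grows with each extra character. The character-set sizes, the guess rate of 10 billion per second, and the short list of common passwords are all constructed assumptions for illustration.

```python
import math

# Character-set sizes used below; assumed values for the example.
CHARSETS = {
    "digits only": 10,
    "lowercase letters": 26,
    "letters + digits": 62,
    "letters + digits + symbols": 95,
}

# Assumed attacker speed: 10 billion guesses per second, a rough figure for an
# offline attack on a leaked database of fast (unsalted, single-round) hashes.
# Real speeds depend heavily on how the site stored its passwords.
GUESSES_PER_SECOND = 1e10

# Constructed sample of passwords that guessing tools try first; a real list
# would be millions of entries long.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein"}


def search_space(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters from the charset."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Strength in bits of a *randomly generated* password; every extra
    character adds log2(charset_size) bits, i.e. multiplies the work."""
    return length * math.log2(charset_size)


def years_to_exhaust(charset_size: int, length: int,
                     guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Time to try every candidate in the search space at the given guess rate."""
    seconds = search_space(charset_size, length) / guesses_per_second
    return seconds / (365 * 24 * 3600)


def estimate_bits(password: str) -> float:
    """Rough strength estimate for a human-chosen password: 0 if it is on the
    common list (guessed almost immediately, whatever its length), otherwise
    length * log2(size of the character classes it uses). This overstates the
    strength of dictionary words; it is only meant to show the length effect."""
    if password.lower() in COMMON_PASSWORDS:
        return 0.0
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII symbols
    return len(password) * math.log2(size) if size else 0.0


def compare(lengths=(6, 8, 12, 16)):
    """Return (charset, length, bits, years) rows for each charset/length pair."""
    rows = []
    for name, size in CHARSETS.items():
        for n in lengths:
            rows.append((name, n, entropy_bits(size, n), years_to_exhaust(size, n)))
    return rows


if __name__ == "__main__":
    print(f"{'charset':<28}{'len':>4}{'bits':>8}{'years to exhaust':>20}")
    for name, n, bits, years in compare():
        print(f"{name:<28}{n:>4}{bits:>8.1f}{years:>20.3g}")
    # The post's point: a long password from a small alphabet beats a short
    # one from a big alphabet.
    print("12 lowercase letters:  ", f"{years_to_exhaust(26, 12):.3g} years")
    print("8 chars, full charset: ", f"{years_to_exhaust(95, 8):.3g} years")
    print("'123456' estimated bits:", estimate_bits("123456"))
```

Run it and the table shows why length matters more than adding symbols: at the assumed rate, 12 lowercase letters take roughly 0.3 years to exhaust while 8 characters from the full printable set take under a day, and going to 12 characters from the full set pushes the figure into millions of years. The `estimate_bits` check also makes the first rule concrete: a password on the common list scores zero no matter how the math would otherwise look.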
Now, there’s just no way to keep track of all these new, unique, long passwords you use for everything, which is why it’s time to get a password manager. This is a little app that you use for storing all your account info. There are several on the market, but the most popular are probably 1Password and LastPass.
I use 1Password (which costs a little money). LastPass is free, with the option to pay for extra features. Both allow you to sync passwords between devices and have browser extensions so it’s super easy to automatically enter a password into a form.
Not only does this make your life more secure, but it makes it notably easier. I used to hate making accounts for myself and needing to come up with a password and then remember it. Now the app does that all for me.
3. Look for HTTPS when entering sensitive data
The last step is the easiest. You’ve probably noticed that some websites start with https:// while others just say http://. The s stands for secure, and basically it means that when you’re sending info to that website (like, say, a password or credit card number), it can’t be eavesdropped on or tampered with.
https means that the site has been certified to be who it says it is. Someone can’t pretend to be Google and have an https certificate. The Russian hackers didn’t have https on their fake password reset page, which was a dead giveaway it was a fraudulent form, if only the victims knew what to look for.
https sites are super easy to spot because most browsers display them differently in the address bar with a little lock icon:
Most major websites these days only use https, and others at least do it when asking for sensitive info. If a page is asking you for a credit card, Social Security number or password, you should always check for https.
And that’s what I have: two things you can do today, and one thing you should always keep an eye out for:
- Use two-factor authentication
- Use unique, long passwords (with a password manager)
- Only enter sensitive data over HTTPS
There’s always more you can do, but I wanted to start with a few super simple things that can make a big difference. If folks have other ideas for what to add to this list, I’d love to hear.