The Art of Personal Cybersecurity
Quick question: Is the password for your Facebook account the same or similar to the password for your bank account? By similar, I mean did you just add a 1 or an ! to the end of it to meet the security requirements?
If you answered yes to that question, this post is most certainly for you. If you answered no, this post is also for you, but you may have a better security posture than the other readers.
When it comes to cybersecurity, every expert out there has strong opinions regarding what is required and what should be required. Often enough, these experts tend to agree with one another on many (but not all) aspects. Overall, the problem is that perfect cybersecurity doesn’t exist and the closest we can come to it (short of disconnecting from the Internet and living off the grid indefinitely) is cost prohibitive for the vast majority of us. Because of that, we either “do the best we can” or “we should do better, but …” and hope for the best. My hope is that this post will give you some very simple, yet effective ideas on how to improve your personal cybersecurity without breaking the bank.
Securing Your Passwords
I figure the best place to start is to talk about passwords. One of the best pieces of advice I’ve ever read came from a cybersecurity researcher named Troy Hunt with his blog post “The only secure password is the one you can’t remember”1. The idea behind this is that in order to come as close to perfect personal security (in relation to passwords) is to randomly generate a long, complex password with enough entropy that no one could ever possibly guess it or brute-force it during your lifetime. What turns people off by this method is 1) remembering these random passwords and 2) typing them in.
Fortunately, there’s a pretty simple answer to both: Password Managers. Services such as 1Password, KeePass, LastPass, and Bitwarden all specialize in helping you securely and safely store your unique passwords in a digital vault so that no one else can get to them. Simply generate a random set of complex characters and save a password for a site in this password manager. The only password you need to remember is the Master Password for the entire vault (as an aside, make this “Master Password” a sentence that means something to you - a Bible verse, a quote from your favorite book, a lyric from your favorite song - this is a quick way to create a secure passphrase)a. Most of these solutions will also integrate with your browser and your phone so that you can autofill the complicated mess automagically and never2 have to type in that gross collection of symbols ever again.
Personally, I use 1Password (after having migrated from LastPass) and have been overall very pleased with the service. If the concern or storing all of your sensitive passwords in the cloud is too great for you, KeePass and Bitwarden are services that don’t require cloud-hosting - but you lose some of the convinience that a cloud-hosted solution can provide.
Ultimately, it’s about personal risk. I feel my risk level is lower than most simply because of the complicated passwords that I use and the trust I have in 1Password in keeping my vault secure.
Securing Your Parent/Grandparent’s Passwords
I would also think of this section as applicable to someone whose technical expertise is … limited. If the idea of password managers is something that you are struggling with, there is another simple solution (again, at the cost of losing your convinience factor as well as a potential level of security). Just write your passwords down in a notebook that you keep safe. Like with a pen on paper.
Seems a little sacriligious to say “just write your password down on a piece of paper”, but remember the line from above - “The only secure password is the one you can’t remember”. If you can create unique passwords or passphrases3 for each site and write it down, you’re still doing far better than someone who uses the same, likely weak password for every site.
Why Shouldn’t I Use the Same/Similar Password?
Let’s say that you are buying something from some small business website called “Joe’s Bait and Tackle”. They require you to create a username/password so that you can store your order and payment details and you automatically type in that password you use for everything - email, Facebook, your bank. A few months later, Joe’s Bait and Tackle’s website is compromised and the bad guys stole all the usernames and passwords. The very first thing that they may try is something called Credential Stuffing4.
Guess what? That username and password works for your email. Now, even if they don’t have the password for your bank or other online presences, they can simply request a password reset email from the site and using your email mailbox they already have access to, reset the password to something they know. Bad news bears, right there.
Other Suggestions for a Healthy Security Posture
One of the other things that I will always recommend is to enable MFA or 2FA5 whenever you can. Having MFA enabled means that when you sign into a service, the service will ask you for something you know + something you have (or something you are in the case of biometrics). The something you know is your password. THe something you have might be a rotating set of numbers in an app like Google Authenticator6 or a text message/email that send you a code.
Having MFA enabled provides an extra level of security to your account because without that “something you have”, a bad guy cannot get into your account, even if they do know your password7.
I might also even suggest using other sites to sign into accounts. A lot of sites will offer “Sign in with Google” or “Sign in with Facebook” as an option. This means that once you authenticate with your Google or Facebook account, Google or Facebook will send a “this person is authenticated!” message over to the site to let you in. That’s one fewer password that you need to remember or store in a password manager. Just remember the risk of having one account sign into everything else - if they compromise that one account, they have access to everything else.
Finally, a little bit of common sense can go a long way. This is one of those “easier said than done” or “hindsight is 20/20” statements, but it boils down to this: if something just smells funny, if it just doesn’t feel right or look right, if someone is asking you to do something you don’t normally do (such as asking for personal information in a situation they don’t really need to know it) … take a step back and think about it. Even get a second set of eyes looking at what you’re doing to confirm your activity. In a future post, I’ll explain more about the dangers of phishing and social engineering8 and how prevalent it is in our internet-connected world today.
I know I focused super heavlity on passwords here, but it really is the first line of defense to your own personal cybersecurity. I plan to continue talking about personal cybersecurity in future articles - talking about installing patches, running IoT9 devices at home, safe browsing online, and even leaving legacy access to a loved one after a death - to keep expanding on all the various ways that you may be able to simply improve your security posture.
There’s a lot that can be done, but I hope that through some small, simple suggestions, you can make vast improvements in your own online presence and feel more comfortable browsing online.
You may have to copy/paste your password as some websites really don’t like the autofill capability for some reason. Still simple, though. ↩︎
Personally, I prefer passphrases for those that I have to remember. It’s far easier to remember a sentence, than a collection of letters and numbers. ↩︎
MFA = Multi-Factor Authentication. 2FA = 2-Factor Authentication. Both acronyms are pretty well interchangeable. ↩︎
The technology is called TOTP (Time-based One Time Password). The code will rotate every 30 seconds (usually) and once it’s gone, it’s gone and can never again be used. Google Authenticator is one of many apps that will store these TOTP codes for you. 1Password and other password managers can do so as well. ↩︎
Outside the scope of this post - there are “vulnerabilities” (quotes heavily intended) with MFA practices. All of which are human-vulnerabilities. Basically, if the bad guy asks you for the code and you give it to him, your MFA means nothing. ↩︎
Both of which are essentially you giving your information to a bad guy because he asked. ↩︎
Your Amazon Alexa, Google Home, smart lightbulb, smart toaster, etc. ↩︎