We get it: Changing your online habits for the sake of security is a pain. But it doesn't have to be. It's all about your value as a target (aka your threat model), and to be honest, most of us aren't important enough to be the single target of a hacker. Still, you should make sure it's tough to compromise your life and accounts. Remember, criminals will look for the path of least resistance, so it's better to make sure you're more trouble than you're worth to them. So with some help from security researchers, the Electronic Frontier Foundation (EFF) and others on the front line of security and privacy, I've compiled a list of tips to keep you safe. Or at least safer.
We log in to dozens of accounts. Like it or not, a password manager is key to keeping all these unique strings of numbers and letters in order. Fortunately, we have a handy guide to password managers to help you decide which works best for you. The best part about these services is that they actually make your life more convenient while securing your accounts.
Managers like 1Password and LastPass will create complex passwords for you and store them in a sort of digital safe. The key to that safe is your master password. While this sounds like a huge pain, once you start using a password manager you'll ask yourself how you ever managed without one. "I suggest regular people use password managers, because regular people aren't going to use really difficult passwords themselves, and they're not going to use different passwords for websites. So I do know they will like the convenience of a password manager," said security researcher Samy Kamkar.
Many password managers use desktop-browser extensions or smartphone apps to auto-populate the login portion of a site or app. That's way easier than trying to remember what password you're using for a banking site or Hulu.
In addition to keeping all your passwords at the ready, these services will also prompt you to change them on a regular basis, find duplicate passwords and become a secure storage area for information you need to access but can't put in a Google doc.
Of course, that master password needs to be a complex and secret string of numbers and letters. It can be a long phrase or a weird series of words and numbers. The EFF suggests a passphrase that's longer than six words. The longer and more random the phrase, the tougher it is to crack. What's great is that you can use your smartphone's biometric security feature to unlock your password manager so you don't have to type in your crazy-long master password all the time. And for real, keep it secret.
Stop all the tracking
If you've ever searched for a product and suddenly you're being served advertisements about that item, you've been tracked. The problem is that the more you browse the internet, the larger your digital footprint that's being collected and sold becomes.
"A lot of people think targeted advertising is great," said Bill Budington, senior staff technologist at the EFF. "'I'm getting more directed ads towards me so they'll be more attuned to my interests.' But what we find is that using targeted advertising, people with alcoholism are advertised the liquor store down the street."
Fortunately, you can stop all that tracking with the EFF's Privacy Badger browser extension. It looks at all the services being pinged when you land on a site and blocks most of them. You can fine-tune what's being shared with third parties via easy-to-use sliders right in the extension.
On your smartphone, Apple's Safari can block cross-site tracking via the Privacy section of the Safari entry in the OS's main Settings app. In Chrome for Android, tap the three dots in the top right-hand corner, select Settings, navigate to Advanced, then Privacy, and turn on Do Not Track. Google's Chrome also has a do-not-track feature, but it's best used with the Privacy Badger extension.
Or you can go all-in on all your devices and use the Brave browser. It blocks trackers on Mac, Windows, Linux, Android and iOS. No extension or fiddling with system settings required.
"Running without an ad blocker/privacy preserver is like driving without seatbelts and airbags. You may be able to drive unharmed for a while, but when you do get hit, not having these essentials will be as devastating digitally as a car crash would be physically," said Bob Rudis, chief data scientist at the security firm Rapid7.
It sounds like a pain. Every time you log into a service you have to wait for a text message or load an authentication app. But two-factor authentication (2FA) is one of the best ways to secure your stuff.
"Ensuring that two-factor authentication is put into place is crucial for making it harder for malicious actors to access data. The best method for two-factor authentication is to have a password application tied to your account that prompts you to approve the access," Rudis said.
The reality is that it keeps your accounts from being hacked. What's great is that most sites and services now offer 2FA and it's pretty painless to use. It typically only rears its head when you log in via an unknown browser or computer. So start using it, especially for your email accounts. Those accounts are the gateway to all your other services: Lock 'em down.
2FA is another level of security to protect against phishing schemes. You might get scammed into sharing your password with a hacker via email or a spoofed site, but at least you can keep that person from logging into your account without the special code that inexplicably just showed up on your phone. Also, if that happens, change your password immediately.
If you have to use SMS (texting) for 2FA, do it. It's better than nothing. But if your service supports it, use an authentication app like Google Authenticator. It's available for iOS and Android and uses a time-based code system so you don't need to be online to use it.
Social media pruning
That Instagram photo of your dog sitting in front of your home seemed pretty harmless. Your dog is cute; your house is pretty awesome. Then someone got mad at you online because you disagreed with them about politics or anime or really anything and now that person knows where you live.
Social media has become a great way to share your thoughts and images, but it's also a prime spot for data mining and some of that information can end up in the hands of some bad or at least annoying people.
"Whenever you are sharing data online, whether it's through social media posts, blogs, profiles or any other mechanism, you're creating an opportunity for hackers and other third parties to use social engineering or other techniques to try to get access to various accounts or other information," said Mark Rasch, a cybercrime and privacy attorney.
To reduce the chances of random strangers knowing a bit too much about you, first familiarize yourself with the privacy settings on social networks. Users can lock Twitter and Instagram accounts so only friends can see what you post. The issue with this is that it's an all-or-nothing proposition. Either your account is locked or it's wide open for all the world. Twitter and Instagram don't allow privacy settings on a per-post level. If you want to share images and posts with only certain people, you can use the group messaging feature in Twitter, send images directly to a group of Instagram contacts, or create special locked accounts for just your friends.
Facebook -- even with all its privacy issues -- offers more granular control over who can see a post. Each post can be shared with the entire world or just select friends. You can even post something that only you see.
Unfortunately, you might not be able to adjust the privacy settings of past posts. If you've posted something with a bit too much about your personal life, it's probably best to remove it.
In addition to photos of the front of your house, you might want to rethink images that include the front of any of your friends' houses or apartments. Even if your address isn't visible, a quick reverse image search and some time on Google Maps can make short work of tracking your homestead down.
It's also a good idea to keep your personal and professional images separate. The EFF says you should make sure your separate accounts stay separate. They note that if you use the same image for a dating site that you use for work, someone who finds you attractive could do a reverse image search and find out where you work.
Passcodes on your phone and computer
With the rise of biometric logins (using your fingerprint or face) there's really no reason not to lock down your phone or computer. Even if you're rolling with an older device that requires you to put in a password, do it -- if not for yourself, for all your friends, family and coworkers. Your devices are a treasure trove of other people's information, not just yours. Plus, access to an unlocked device is access to all your accounts.