This is going to be a pretty dry topic, but do yourself a favor and read the whole thing.
With so many security breaches in the news, we all feel vulnerable. And I hate to say this, but we may be partly to blame. We like to be helpful, so when we get an email from someone requesting information, we send it. We also use the same few, easy-to-guess passwords all over the web, maybe with variations thrown in to make them more complex and safer.
We use certain patterns when creating passwords, and guess what: the bad guys know every single one of them. The common variations we come up with don’t make our passwords much more secure, because a cracking program can apply the same tricks to a whole list of ordinary words in seconds: capitalize the first letter, swap letters for look-alike digits, tack a number, a year, or an exclamation point onto the end.
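To make that concrete, here is an added example (my own illustration, not code from the original post or from any cracking tool) of the kind of rule list such a program applies to one base word. The rules, the base word "password", and the year range are illustrative choices; real tools ship far longer rule lists. It also works out how many guesses a truly random 16-character password from a generator would cost, for comparison.

```python
import itertools
import math

# Leet substitutions people actually use (an illustrative subset).
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "$"}


def leet_variants(word):
    """Every way of swapping none, some or all of the LEET letters in word."""
    options = [(c, LEET[c]) if c in LEET else (c,) for c in word]
    return {"".join(combo) for combo in itertools.product(*options)}


def case_variants(word):
    """The capitalizations people reach for: as typed, lower, UPPER, Capitalized."""
    return {word, word.lower(), word.upper(), word.capitalize()}


def mangle(base, years=range(1950, 2026)):
    """Expand one base word with the common 'make it stronger' tweaks.

    Rules applied: capitalization, leet substitution, a one- or two-digit
    suffix, a year suffix, and '!', '?' or '.' with or without a '1' first.
    Returns the set of candidate passwords a tool would try for this word.
    """
    candidates = set()
    for cased in case_variants(base):
        for v in leet_variants(cased):
            candidates.add(v)
            for n in range(100):
                candidates.add(f"{v}{n}")        # password7
                candidates.add(f"{v}{n:02d}")    # password07
            for y in years:
                candidates.add(f"{v}{y}")        # password1984
            for p in "!?.":
                candidates.add(f"{v}{p}")        # password!
                candidates.add(f"{v}1{p}")       # password1!
    return candidates


def random_keyspace(length=16, alphabet_size=94):
    """Number of equally likely passwords a manager can generate from the
    94 printable ASCII characters at the given length."""
    return alphabet_size ** length


def bits(n):
    """Guesses expressed as bits of entropy (log2)."""
    return math.log2(n)


if __name__ == "__main__":
    guesses = mangle("password")
    print(f"'password' with the usual tweaks: {len(guesses)} guesses "
          f"({bits(len(guesses)):.1f} bits)")
    print(f"random 16-char password: {random_keyspace():.2e} guesses "
          f"({bits(random_keyspace()):.1f} bits)")
    for sample in ("P4ssw0rd1!", "Password2015", "p4$$w0rd"):
        print(sample, "covered" if sample in guesses else "not covered")
```

Every "clever" variant of one word lands in a few thousand guesses, which a modern cracker gets through in well under a second; the random 16-character password sits in a space of roughly 10^31, which is the whole reason the manager's generator matters.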
We want to protect ourselves online, but it seems too hard, what with all the different, difficult passwords we’d have to create to be safe. Guess what? It does not have to be complicated! It can be downright easy with the right tools.
Our identity and money (which is really the point of all this) will be a lot safer online if we just do a few things. This isn’t just about you, either; what about your Mom?
Here are some solutions to the insecure password problem; please consider doing one or all of them.
1. Use a good password manager. I use 1Password (www.agilebits.com/onepassword), and let it create and remember my passwords. And those passwords! They’re long, complex, completely random, totally wonky, and include letters, numbers, and symbols. I use at least 16 characters, unless the website doesn’t allow that many. My passwords are impossible for me to remember, so I don’t even try. I’m on a Mac, but maybe you aren’t? No worries; there’s a version of 1P for most desktop and mobile operating systems. If you use multiple devices, you can link them all together so all your passwords are available everywhere. The one password you still have to remember is the master password that unlocks the manager itself, so make that one long and use it nowhere else. 1P isn’t cheap, but it’s the best. Think of it this way: what’s it worth to keep the bad guys out of your bank account?
2. Set up two-step authentication for accounts where it’s available. To log into a protected account from a new phone, tablet, or computer, you need not only to know something but also to have something. Besides your user ID and password, you need to enter a freshly generated code that is sent to you by text or voice call, or produced by an authenticator app on your phone. It sounds a lot more complicated than it really is; it just slows you down a little while you get the code and type it in. If a site offers both, prefer the app over text messages: a text can be read by anyone who manages to take over your phone number, while an app code never leaves your phone. Two-step authentication is available for Facebook, Google, Dropbox, iCloud, and many, many others. This Lifehacker article has some good, basic information: http://lifehacker.com/5938565/heres-everywhere-you-should-enable-two-factor-authentication-right-now.
3. Use your head. There are a lot of really convincing phishing emails which look like the real thing, so be suspicious! You’ve heard it before, but it’s true – no legitimate bank or company is going to send you an email asking you to supply your password so it can be “verified.” The good guys do not do that. If you get an email from a company saying your computer is infected, ask yourself one question: how would they know? No email like that is legitimate, so delete it.
A phishing email is designed to get you to provide information that should remain secret, or to click on a link that leads you to the bad guys. A good one seems legit; it has links and email addresses that look real but aren’t. The differences can be as subtle as a .net where it should be .com, or the real name buried inside a longer one, like apple.com.something-else.net. If you aren’t 100% sure that a link is genuine, don’t click on it! Call the sender to verify that they actually sent the email, especially if it’s a bank or credit card company. To see where a link really goes without visiting it, hover over it (press and hold on a phone) and read the address that pops up; the text shown in the email can say anything. If you do paste a link into the address bar, look at it before you press Enter: the part between http:// and the next slash is the site you would actually be sent to. If the email claims to be from Apple but that part ends in a country code or a name you’ve never heard of, there’s a problem.
If you get what looks like a phishing email, you may be able to report it to the company being spoofed. Again, using Apple as an example, if you get a phishing email that appears to be from Apple, you can forward it to the phishing-report address Apple publishes on its support site. Their legal department wants to know about these so they can take action if necessary. Most big companies have a similar address, so look on their website.
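The links that "look real but aren't" in step 3, as a second added example (again my own code, not from the original post): a checker that pulls the real hostname out of a link and decides whether it actually belongs to the site the email claims to be from. The sample links are constructed for illustration and are not real sites; apple.com is used only as the expected domain.

```python
from urllib.parse import urlparse


def hostname_of(url: str) -> str:
    """Lowercase, ASCII hostname of a link, or '' if there is none.

    urlparse already handles the user@host trick: in
    http://apple.com@evil.example/ everything before '@' is a username and
    the real host is evil.example. Non-ASCII names are converted to their
    IDNA (xn--) form so Unicode look-alike letters can never compare equal
    to the ASCII brand name.
    """
    host = urlparse(url.strip()).hostname or ""
    try:
        return host.encode("idna").decode("ascii").lower()
    except UnicodeError:
        return ""


def goes_to(url: str, expected_domain: str) -> bool:
    """True only if the link's host is expected_domain or a subdomain of it.

    The '.' + expected suffix test is what defeats apple.com.evil.example and
    notapple.com: both contain the brand, neither ends in '.apple.com'.
    """
    host = hostname_of(url)
    expected = expected_domain.lower().strip(".")
    return host == expected or host.endswith("." + expected)


def check_links(links, expected_domain):
    """Map each link to (real host, verdict) for a quick eyeball."""
    return {url: (hostname_of(url),
                  "ok" if goes_to(url, expected_domain) else "SUSPICIOUS")
            for url in links}


# Constructed sample links of the kind seen in phishing mail (not real sites).
SAMPLE_LINKS = [
    "https://www.apple.com/support/",
    "https://appleid.apple.com/account",
    "http://apple.net/verify",                  # wrong top-level domain
    "http://apple.com.verify-login.net/id",     # brand used as a subdomain
    "http://apple.com@evil.example/",           # brand used as a username
    "https://appIe.com/",                        # capital I standing in for l
    "https://\u0430pple.com/",                   # Cyrillic 'a', looks identical
    "apple.com/secure",                          # no scheme: no host to trust
]

if __name__ == "__main__":
    for url, (host, verdict) in check_links(SAMPLE_LINKS, "apple.com").items():
        print(f"{verdict:10} {host:30} {url}")
```

Note that the check is deliberately strict: a link with no scheme, or whose host cannot be decoded, is treated as untrusted rather than guessed at, which is the same "if you aren't 100% sure, don't click" rule in code.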
Yeah, I know; boring. Sorry about that, but this really is that important.
PS – There has been an issue lately with (mostly) Australian iPhones without a passcode being locked by third parties who demand money to unlock the phone. If you get one of these emails or messages, do not pay. Contact Apple support or go to an Apple store and get it fixed for free. BTW, the simple way to prevent this from happening is to have passcodes on your iThings. This scheme can only work if the bad guys can create a passcode for your unprotected phone. Don’t give them the chance.
A lot of the technical information for this post is from the 1Password blog, http://blog.agilebits.com.