We've been reeling a bit ever since Mat Honan was the victim of that ruthless social hack that wiped all his devices. Sure, that was an extreme case. But it's also one that could happen to anyone, at any time. So we put together a list of the best ways to make sure your internet self—your accounts, your cash, and your information—stays secure.
Password strength is vital to your frontline defense. Obviously your password should be a combination of letters and numbers, but don't stop at the bare minimum. Use uppercase letters in random spots. Substitute numbers for letters. Mash multiple-word phrases together. Deliberately misspell those words. Space them out. If you're feeling particularly hardcore, you can just create a random string of characters. In fact, XKCD's excellent comic sums this up more eloquently than any words could.
Oh, and for the love of Woz, don't use the same password for everything. Particularly not your most sensitive (read: banking) accounts.
Just because security questions are a backup doesn't mean you shouldn't put the same thought into them as your password. Use numbers instead of letters. Mash entire phrases together into one word. Deliberately misspell things. Or, best of all, as Kaspersky Labs expert Dmitry Bestuzhev explains, don't directly answer the security question at all:
"The tips are quite simple but effective. Since all social engineering attacks work based on the information of interest for the victim or the information related to the victim, it's important to provide secret questions with the answers absolutely not related to it.
For example, for the question "What is the name of your first pet?" I would register an answer like sw3SwuTu
When I bought my last car... The vendor provided me with a list of secret questions and I had to provide them with the secret answers they registered in their systems. So, instead of providing real answers I provided a password like the [aforementioned] one. They said I was the first customer to do this and they congratulated me.
So, basically the rule is never provide real answers for the secret questions."
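As an added example (not part of the original article or Bestuzhev's advice), this Python script estimates how large a search space each password construction mentioned above leaves an attacker, and generates a random string of the kind Bestuzhev registers as a security-question answer. The word-list size, dictionary size and number of substitution variants are our assumptions, not figures from the article.

```python
import math
import secrets
import string

ALPHANUM = string.ascii_letters + string.digits  # 62 symbols, the set "sw3SwuTu" is drawn from


def entropy_bits(choices: int, count: int) -> float:
    """Bits an attacker must search for `count` independent picks from `choices` options."""
    return count * math.log2(choices)


def random_answer(length: int = 8, alphabet: str = ALPHANUM) -> str:
    """Random string to register as a 'secret answer', shaped like sw3SwuTu.
    Uses `secrets` rather than `random` so the answer is not predictable."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(n_words: int, wordlist) -> str:
    """XKCD-style passphrase: several words picked independently from a word list."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def strategy_entropies(wordlist_size: int = 7776, dictionary_size: int = 100_000,
                       leet_variants: int = 32) -> dict:
    """Estimated search space, in bits, for the constructions the article mentions.
    Assumed (ours): a 7776-word Diceware-size list for passphrases, a 100k-word
    dictionary the attacker already has, and ~32 capitalisation/number-for-letter
    variants tried per dictionary word."""
    return {
        "random 8 alphanumerics (sw3SwuTu style)": entropy_bits(len(ALPHANUM), 8),
        "random 12 alphanumerics": entropy_bits(len(ALPHANUM), 12),
        "4 random words from a 7776-word list": entropy_bits(wordlist_size, 4),
        "1 dictionary word with number/letter substitutions":
            entropy_bits(dictionary_size * leet_variants, 1),
    }


if __name__ == "__main__":
    # Constructed, tiny stand-in for a real word list (a real list has thousands of words).
    demo_words = ["correct", "horse", "battery", "staple", "river", "lamp", "pencil", "cloud"]
    print("security-question answer:", random_answer())
    print("passphrase (tiny demo list):", random_passphrase(4, demo_words))
    for name, bits in strategy_entropies().items():
        print(f"{bits:5.1f} bits  {name}")
```

The point the numbers make is the XKCD one: length and genuine randomness add far more search space than swapping a few letters for numbers in a single word.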
Many of the vital online services (Google, Facebook, Twitter, etc.) let you connect to their servers only over an HTTPS connection. This encrypts the whole stream of data between you and the service, so anyone running Firesheep or a packet sniffer on a (usually public) Wi-Fi network can't glean your login data. Never work at a coffee shop without it.
Facebook and Google both offer 2-step authentication when you log in, meaning you have to enter a secondary PIN that is generated on and/or texted to your phone. It's a complete and utter pain in the ass whenever you're logged out, but it's also a pretty safe guarantee that no one will get into your account without a heavy-duty targeted attack.
Facebook will allow you to receive a text message anytime an unrecognised IP address logs in to your account. You may not prevent a hack, but if you act quickly enough, you can remotely log them out and re-secure your account before they get their hands too deep into your business. Gmail is also set by default to alert you if it notices anything particularly strange with your login activity.
Publicly available information is the first way a hacker can get their foot in the door. Few things are tossed around more casually than an email address. Don't give potential hackers a starting point, especially if you use the same login info across multiple sites (which you shouldn't be doing in the first place!). Instead, create an email address that as few people as possible know about, and use it only for account log-ins.
Also be sure to delete any emails that include passwords whenever you register a new account or change login info on a service.
In the same vein as employing a low-profile email address, consider having a Google Voice number you use only for online accounts that require a number. When Mat Honan was hacked, his phone number was one of the pieces of info the hackers gave Apple customer support to gain access to his account. Having a low-profile phone number associated with your online accounts will keep hackers one step further from your personal info.
A password manager, such as 1Password, is your best friend. Not only will it automatically enter your complex passwords for you, but should anything go awry, it will allow you to quickly know what accounts you need to change. Wanna know which managers are the best? We have a list here.
There are also little things which may seem obvious, but are still worth mentioning:
- Keep your card info offline: Amazon may have closed its CC security hole, but the fact remains that having your card in a site's system can be the difference between a full bank account and an empty one.
- Put passwords on your devices: Even if you're not prone to losing your phone or laptop, it's good to keep a password or PIN on them since you probably use desktop clients and have websites that you're perpetually logged into from your mobile device. You get drunk and lose things. Things get stolen! Don't make it easy for whoever ends up with your gear.
- Keep an offline backup: The cloud is great, but just as your personal hard disks are prone to failure, the cloud is prone to a security breach. All the latest operating systems have made it painfully easy to keep a current backup of all your files, so buy a durable, affordable external drive and back everything up at least once a week. That way, if something cataclysmic does happen, you don't have to start from scratch.
- Don't link your accounts: Yes, linking your Twitter to your Facebook to your Klout to your Hotmail to your Netflix and back to your Twitter makes things wonderfully convenient. But when one service gets hacked and has a bunch of linked services, you've just opened the flood gates. This isn't preventative, but it's crucial for damage control.

And while this will get you on the right path, there's obviously no single way to skin this cat. We're curious: what are your favorite security tricks? What are your favorite features specific services provide? Let us know.