Have you taken steps to guard your online data? If not, you should, experts say.
“I think a lot of us start thinking about our cyber security when we’re unfortunate enough to become a target of abuse,” said Viktorya Vilk, program director of digital safety and free expression at PEN America. “Be proactive, not reactive.”
Vilk and Manuel Egele, assistant professor in the department of electrical and computer engineering at Boston University, offered the following tips for keeping your online information safe.
Use a different — and long — password for every account.
“It’s the simplest thing, and we all know it, but so few of us are actually doing it,” Vilk said. “You want to use a different password for every account.”
You should use at least 16 characters, with a combination of numbers and symbols. The 16-character minimum is because hackers are using algorithms to “churn through” permutations of passwords, she said.
“The longer you make a password, the longer it takes for a machine to do that, and the likelier it is that someone is going to give up,” she said. “So you want to use passwords that are as long as you can stand, but 16 characters is a good baseline. And phrases work great.”
Don’t use the following information in passwords because hackers can easily find it online: your birthday, a pet’s name, your maiden name, your mother’s maiden name, and your high school, she said. As with security questions, you don’t want to use anything someone could successfully Google about you, she said.
Which accounts should you create a long, secure password for? All of them, Vilk said.
“You might not think it’s a very important account, but if somebody can get into it, they then have access to all kinds of private information about you,” she said. “That’s why it’s important to keep even passwords for accounts you don’t care that much about really secure.”
Get a password manager.
If you’re wondering how you’re going to remember all those 16-character passwords, the answer is by using a password manager.
“These are either browser plug-ins or separate programs that will generate strong, random passwords for each of the services you are signing up for and then remember them,” Egele said. “What’s important about this is all of these passwords and log-ins are stored in an encrypted form and are locked through the master password. So, basically, at the end of the day as a user, you only have to remember the master password.”
“It’s really easy to use these things, but I don’t think that there’s a large enough fraction of people who use password managers,” Egele said. “There’s really no reason not to do it.”
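To put numbers on the "longer takes longer to churn through" argument and on what a password manager actually generates, here is an added Python example (not from the article or from either expert). The guess rates are constructed round figures for illustration, not measurements of any real attacker, and the word list is a deliberately tiny stand-in for the multi-thousand-word lists real managers use; the entropy figures only hold when every character or word is picked uniformly at random, which is the difference between a generated passphrase and a song lyric you thought of yourself.

```python
import math
import secrets
import string

# Constructed guess rates, illustration only: a rate-limited login form
# versus an offline cracking rig working through a leaked fast-hash database.
ONLINE_GUESSES_PER_SEC = 1_000
OFFLINE_GUESSES_PER_SEC = 100_000_000_000

SECONDS_PER_YEAR = 365 * 24 * 60 * 60

# 52 letters + 10 digits + 32 punctuation marks = 94 printable ASCII symbols.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed 32-word list (5 bits per word). A real manager draws from a list
# of thousands of words, so each word contributes far more entropy than here.
DEMO_WORDS = [
    "apple", "basket", "candle", "dragon", "eagle", "forest", "garden", "harbor",
    "island", "jacket", "kettle", "ladder", "marble", "needle", "orange", "pepper",
    "quiver", "rocket", "saddle", "timber", "umbrella", "velvet", "walnut", "xenon",
    "yellow", "zipper", "anchor", "bridge", "copper", "donkey", "engine", "falcon",
]


def search_space(length, alphabet_size):
    """Number of distinct passwords of exactly `length` symbols from `alphabet_size` choices."""
    return alphabet_size ** length


def entropy_bits(length, alphabet_size):
    """Bits of entropy for a uniformly random password: log2 of the search space."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(length, alphabet_size, guesses_per_second):
    """Worst-case years for an attacker to try every candidate at the given guess rate."""
    return search_space(length, alphabet_size) / guesses_per_second / SECONDS_PER_YEAR


def generate_password(length=16, alphabet=FULL_ALPHABET):
    """Random password from the OS CSPRNG (the `secrets` module), as a manager would generate."""
    if length < 16:
        raise ValueError("use at least 16 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words=DEMO_WORDS, count=5, separator="-"):
    """Random passphrase: `count` words chosen uniformly from `words`, joined by `separator`."""
    return separator.join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    print(f"{'length':>6} {'bits':>6} {'online (years)':>16} {'offline (years)':>16}")
    for length in (8, 12, 16, 20):
        print(f"{length:>6} {entropy_bits(length, 94):>6.1f} "
              f"{years_to_exhaust(length, 94, ONLINE_GUESSES_PER_SEC):>16.3g} "
              f"{years_to_exhaust(length, 94, OFFLINE_GUESSES_PER_SEC):>16.3g}")
    print("generated password:  ", generate_password())
    print("generated passphrase:", generate_passphrase(),
          f"({entropy_bits(5, len(DEMO_WORDS)):.0f} bits with this tiny list)")
```

Running the table shows why 16 characters is the baseline: an 8-character password over the full printable alphabet falls to the offline rig in under a year, while a 16-character one pushes the worst case past a trillion years at the same rate. The passphrase line also shows the caveat behind "phrases work great": five words from a 32-word list is only 25 bits, so the strength comes from the size of the list and the randomness of the draw, not from the phrase being memorable.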
Set up two-factor authentication on all of your accounts.
When you set up two-factor authentication (2FA) on your accounts, if someone tries to log into your account from an unrecognized device, you will get a message asking you to authenticate it by entering a one-time code delivered by an app or by text message.
“It’s basically like an extra layer of security so that it’s much harder for hackers to get into your account,” Vilk said.
SIM jacking, said Vilk, is “somebody calling your cell phone provider, pretending they’re you, and saying, ‘Oh I got a new SIM card and a new phone number, can you route all my traffic to my new number?’ And then suddenly those codes that you’re getting that are supposed to be going to your phone are going to somebody else’s number.”
The way to protect yourself from SIM jacking is by calling your cell phone provider and asking that no changes be made to your mobile phone account without you providing a special PIN. A helpful hint from Vilk: don’t make the PIN obvious by using your birthday, for example.
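The codes an authenticator app shows are not sent to the phone at all; they are computed on the device from a secret shared at enrollment plus the current time, which is why an app-based code has nothing for a rerouted phone number to receive. Here is an added Python example (not from the article or from either expert) implementing the standard TOTP scheme (RFC 6238 over RFC 4226 HOTP, HMAC-SHA1, 30-second steps) on both sides: the app computing a code and the server verifying it with a constant-time comparison and a small clock-drift window. The demo secret is the published RFC test value, not a real account secret.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226) using HMAC-SHA1."""
    counter_bytes = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    mac = hmac.new(secret, counter_bytes, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                    # dynamic truncation
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret, at_time=None, step=30, digits=6):
    """Time-based one-time password (RFC 6238): HOTP over the current time step."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, submitted, at_time=None, step=30, digits=6, window=1):
    """Server-side check. Accepts the code for the current step and +/- `window`
    neighbouring steps to tolerate clock drift. Uses a constant-time comparison
    so response timing does not reveal how many digits matched. A real server
    must additionally remember the last accepted step and refuse a replay of
    the same code within it."""
    if not isinstance(submitted, str) or not submitted.isascii():
        return False
    if at_time is None:
        at_time = time.time()
    for k in range(-window, window + 1):
        expected = totp(secret, at_time + k * step, step, digits)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def secret_from_base32(encoded):
    """Decode the base32 secret that enrollment QR codes carry (padding restored)."""
    cleaned = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 reference secret ("12345678901234567890"), a published
    # test value constructed for demonstration, not a real account secret.
    demo_secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("code at RFC 6238 test time 59:", totp(demo_secret, at_time=59))  # 287082
    print("current code:", totp(demo_secret))
    print("server accepts:", verify_totp(demo_secret, totp(demo_secret)))
```

Because the secret never leaves the app after enrollment and the code never travels over SMS, rerouting the phone number gains an attacker nothing against this factor; the remaining defensive concern is protecting the enrollment secret and backup codes with the same care as the master password.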
You can find a list of accounts and platforms that support two-factor authentication at twofactorauth.org.
Find out if one of your accounts has been part of a data breach.
If you want to know if one of your accounts has been part of a data breach, you can go to the site haveibeenpwned.com and type in your email.
What should you do if it has?
“Make sure you change the password on that account and never use that password again,” Vilk said.
You can also ask to be notified if one of your accounts is part of future data breaches by using the “notify me” tab on the site, she said.
Be diligent about your privacy.
“Be very cautious in what you’re sharing,” Egele said. “If you don’t share it with any online property, then no one can steal it from you.”
For example, “Is it really important that Facebook has your birthday?” Egele said. “I assume that your real friends know your birthday.”
“The birthday is almost always an important ingredient in identity fraud,” Egele said.
For example, if someone was trying to collect important information about you to, say, open a credit line in your name, you just made it easier by providing your birthday, he said.
Also, review the privacy settings on your accounts, he said.
“If you are diligent about your privacy settings and you are diligent about who you are sharing info with, that certainly limits the intentional exposure of information,” he said.