Protection in the Digital Age

I wrote last week about the responsibility of security in the digital world. Whether or not you agree with the policy, part of maintaining security rests in the hands of users. As I mentioned briefly before, we expect those growing up with computer technology to possess a certain common sense in regards to its use. Yet while we teach high school kids how to balance a checkbook, and type by touch, we don’t run classes on internet security.

The internet is vast. Knowing where to start can be daunting, especially with so many programs promising to protect you with a single click (most of them turn out to be malware or some other type of virus). Having learned about the deep, dark underbelly of the web in college, I’ve put together a list of guidelines I try to follow, all of which will make your web surfing safer.

1. Creating a Strong Password
Most websites these days offer an indicator of password strength when you create your password. Much my glee, most of my passwords fall into the highest category. But most password guides simply tell you to include a number or a symbol in order to increase your online security, without explaining why.

One method hackers use to gain control of people’s accounts is known as ‘brute forcing.’ It’s essentially like trying to break down a wall with a battering ram. Hackers use programs to match common words until one of them is accepted. Another method involves using programs to decode the password one letter at a time. The amount of time required to brute force a password dramatically increases for every symbol used in the password. Numbers are also useful because they won’t be included in word lists commonly used to hack passwords.

But let’s take security one step further. “Password” is misleading; you should never use a word as your password. Instead you should develop a pass phrase. Think of something unique you can remember, such as “I like bubblegum and pizza.” A common suggestion is to take the first letter from each word in the phrase to make your password, IE: Ilbap (as you can see, not a word). You can make it more random by taking more than one letter from each word, ie: Ilkbbgmnpz. As long as you can remember what made you choose the letter combination, you’re good.

My recommendation is to create your password phrase and resulting password, then dress it up with letters and numbers. You can replace numbers with letters that look similar, or just throw a random number you like in there somewhere. Same goes for symbols. It’s generally a good idea to have at least 1 number, 1 symbol and 1 capital letter somewhere in your password.

So if my password phrase was “I like bubblegum and pizza,” my final password might look something like this: 1lkbbGm&pZ. This is a strong password.

2. Mix and Match
Creating a strong password is only the beginning. Many people think having a strong password is all it takes to stay safe on the Internet. Their biggest mistake is using this password on every single account they create. This is actually a terrible idea. Say someone does manage to figure out your email password; they now have access to every other account on which you’ve set that password. If you use the same password for your bank account, the hacker can very easily gain access it.

The most common way for hackers to gain access to video game accounts (such as MMOs) is to hack databases of less secure fansites, steal the passwords and attempt the same username/password combination for said MMO. We, all of us, are lazy. We want everything associated with our game to have the same information. But allowing that to happen is like inviting hackers into our accounts.

There’s a simple solution for this; mix and match your usernames and passwords. Come up with a solid group of passwords and make sure all your major accounts have different passwords. Use different email accounts for different things. Never use the information you use for an MMO or other game system (say Steam) on a fan-run forum.

Unfortunately this simple solution becomes complex quickly because it requires you to remember several complex passwords. You can write them down or create a password masterlist, but then if someone finds it or gains access to your computer, you’ve eliminated your efforts to keep secure.

As for me, I remember my complex passwords, but not necessarily where I’ve used each one. That’s okay because most websites allow you several attempts to login before locking your account.

3. Less is More
Passwords are important, but they can’t protect you from everything. Identity theft is a growing issue in today’s world. The problem is, with us plastering our personal information all over the web, it’s easier than ever to find other people’s details. A friend of mine once attended a talk by a woman who works for the government. He told me her recommendation was never to post pictures of yourself on the internet where you’re facing fully forward, as these are exactly the kind of pictures that can be used to create false IDs.

I’m not going that far, but I do recommend turning off some common features built into modern social media. First and foremost, disable the location feature on Facebook. It’s great that we can carry the Internet in our pockets, but do you really want the entire world knowing where you are every second of the day? I’ve always regarded this particular as feature creepy and stalkerish, and I’m surprised how many people leave it on by default.

While we’re at it, make sure you lock down your social media profiles to ‘friends only’ (unless you use them for business promotion). Facebook’s default for all posts, including pictures, is public. I recommend not posting your address, phone number, or pictures anywhere open to the public (unless you don’t mind sharing certain details, such as vacation photos in blogs). Be not only aware of what you post but who can see it. Remember that certain celebrities have had their accounts hacked simply because hackers were able to find all of their personal information online (including an incident a few years ago involving Sarah Palin’s yahoo account).

Be aware of the personal details you enter into your accounts, and refrain if it seems unsafe. Google, for instance, keeps asking for my mobile phone number, claiming it makes my account more secure. But what if I lost my phone? If someone gained access to it, they could easily reset my account password from my phone without my being able to stop it. And what if I change my phone number but forget to update Google about it? It’s bad enough one of their ‘secure’ methods of updating your password is to email the information to another account; the same feature resulted in a high-level hack of twitter’s corporate accounts several years ago.

Of course there are times the Internet needs valid personal information. Amazon, for example, needs my address and phone number to deliver packages to me. But when Yahoo asked for a mobile number, I gave it a false one (in fact, in a recent attempt to set up a yahoo account, my husband and I discovered that certain fake mobile numbers have been used for so many Yahoo account creations, Yahoo now blocks the number). If a site asks for too much personal information, walk away; that’s what we did with Yahoo in the end.

4. So Much Nonsense
Remember the incident I mentioned with Sarah Palin’s Yahoo account? The hacker gained access without any real skill, simply by looking up the answers to her security questions online. It’s true that most of us aren’t at risk for such attempts, since most of us aren’t famous. But you never know who’s going to go snooping and for what reasons.

The best piece of advice I can give is: make up nonsensical answers to your security questions.

It’s difficult to give examples for this one. If, for instance, a security question asks “Who was the best man at your wedding?”, instead of writing the straight forward answer (which anyone who attended your wedding could answer), choose something indirect. Perhaps the best man at your wedding has a nickname that few people use. You could even spell the name strangely or state it in a way no one else would think to enter (such as “my best friend”). Much like passwords, so long as you can remember the nonsense you entered in the box, you’re golden. And the best part is, no one would be able to find the answers.

5. When in Doubt
I believe I’ve touched on this before, but it bears mentioning again. If a link looks at all suspicious, don’t click on it. If you receive a message from your bank asking you to login to your account for any reason, don’t click the link. Instead, go directly to your bank website by entering the URL manually and attend to account business that way. Banks and other such official places almost never send you emails asking you to do something on your account, and never ask for your password when they do so. It’s a common tactic (known as phishing) for hackers (or in this case phishers) to create a fake email with a URL leading to a site that looks almost identical to your bank, MMO, ect. Once you enter your password information on one of these forms, the hacker has it.

There’s no catch-all solution for this one except to be vigilant, but there are steps you can take. Make plain text the default for all your emails, you can then choose to display images on an individual basis if you trust the source. Use a virus scanner with ‘active scan’ to identify suspicious links and warn you if you click on one. Avast and AVG, for example, contain such features. Firefox add ins like ‘web of trust’ allow users to give websites ratings and will also warn you if you enter an area of the Internet with a poor rating.

Now I can’t promise following all my recommendations will make you Internet invulnerable; even as vigilant as I am, I still fall prey to the dark side of the Internet. In a moment of short-sighted arrogance, I picked up some nasty adware a few days before writing this (sometimes there’s danger in knowing what you’re doing, especially if you think you can fix everything). But, acquiring the infection did require me to click links and accept downloads I knew I probably shouldn’t have (in other words, user error).

If you aren’t famous you probably don’t need to be ‘Internet bullet-proof.’ But on the other hand, it can’t hurt.