Aaron’s Simple Guide To Security
There’s a lot of hysteria going on about cybersecurity as of late. Even President Trump knows the importance of “the cyber.” In theory, cybersecurity is really scary because there are a lot of moving parts involved and vulnerabilities are everywhere. However, many of the recent high-profile breaches were far more old-fashioned in nature: someone got a hold of someone’s password.
By doing a handful of simple things you can be protected from a lot of potential attacks.
You don’t need to be good with computers for decent security to be within your reach, nor should you have to be. You aren’t expected to be a locksmith just to secure your home and your belongings. Why should your digital belongings be any different?
More and more of the important things in your life aren’t physical things, but digital ones. Keeping this secure isn’t just for paranoid delusional nerds. You have something to lose. David Brooks put it best:
Privacy is important to the development of full individuals because there has to be an interior zone within each person that other people don’t see. There has to be a zone where half-formed thoughts and delicate emotions can grow and evolve, without being exposed to the harsh glare of public judgment. There has to be a place where you can be free to develop ideas and convictions away from the pressure to conform. There has to be a spot where you are only yourself and can define yourself.
This isn’t going to make your digital life NSA-grade, but if you follow all these guidelines you’ll probably be fine.
Most of the time, when someone says “my Facebook got hacked!” what they really mean is “someone guessed my Facebook password” (which is a polite translation of “I had a shitty Facebook password”) or “someone tricked me into giving them my Facebook password” or “I use the same password on every site and somebody got my password from another site and tried the same one on Facebook and they got into my account!”
Good passwords are the foundation of good digital security.
Live by these password rules:
- Every login you have should use a completely different password (don’t just use simple variations of one password!). If some rinky-dink company you have an account with (like, I don’t know, Sony) has hackers making off with your password, it’s not as big of a deal because it’s only good on that one site.
- You should pick good passwords. Good passwords are lengthy and have a lot of entropy, which is roughly the number of guesses an attacker would have to make before stumbling onto yours (think of entropy in terms of a Rubik’s cube: if you have solved it and all sides are solid, that’s low entropy; if you have it all scrambled, that’s high entropy).
“aaaaaaa” isn’t particularly high entropy, but
“1 award for my pony Isabella” is quite good. A lot of sites force you to include numbers and symbols in your password and that’s great, but a long phrase is at least as hard to guess as a short password made of cryptic numbers, letters and symbols, because every extra character multiplies the number of guesses needed (just don’t use a famous quote or song lyric; those are already on the guessing lists). If a site says your password can be up to 32 characters long, make it 32 characters long. It’ll be that much harder for hackers to guess.
- Use fake answers to security questions, and keep a record of your fake answers. The answer to a security question is as good as a password, so make sure that your answers aren’t things others can find out about you easily. I use random phrases as answers to security questions and keep track of those in a password manager. Your mother can’t change her maiden name, so don’t use her real one as your security answer!
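To put numbers on the “length beats symbols” point above, here is an added example (not from the original post) that computes the entropy of randomly generated passwords and passphrases, estimates how long a fast offline guessing attack would take, and generates both kinds with Python’s `secrets` module. The guessing rate, the 7776-word list size (the size of the common EFF and diceware lists) and the tiny embedded word list are assumptions for illustration; the formulas only apply to passwords picked at random, so a human-chosen phrase like the pony one is worth less than these figures suggest.

```python
import math
import secrets
import string

# Assumed guessing rate for a well-funded attacker against a site that stored
# passwords with a fast, unsalted hash. Illustrative figure, not a measurement.
GUESSES_PER_SECOND = 1e11


def random_string_bits(length, alphabet_size):
    """Entropy in bits of a password of `length` characters, each chosen
    uniformly at random from an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def passphrase_bits(word_count, dictionary_size):
    """Entropy in bits of a passphrase of `word_count` words, each chosen
    uniformly at random from a list of `dictionary_size` words."""
    return word_count * math.log2(dictionary_size)


def years_to_crack(bits, guesses_per_second=GUESSES_PER_SECOND):
    """Expected time to hit the password: on average half the space is searched."""
    return (2 ** bits / 2) / guesses_per_second / (365 * 24 * 3600)


def random_password(length, alphabet=string.ascii_letters + string.digits + string.punctuation):
    # secrets, never random: the random module is predictable and must not make secrets.
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(word_count, wordlist, sep=" "):
    return sep.join(secrets.choice(wordlist) for _ in range(word_count))


# Constructed word list so the script runs offline. Real lists have 7776 words,
# and the passphrase rows below assume that size, not this toy one.
WORDLIST = ["award", "pony", "isabella", "cube", "vault", "harbor", "lantern", "quartz"]

COMPARISON = [
    ("8 chars, letters+digits+symbols", random_string_bits(8, 95)),
    ("12 chars, lowercase only", random_string_bits(12, 26)),
    ("32 chars, lowercase only", random_string_bits(32, 26)),
    ("4 random words, 7776-word list", passphrase_bits(4, 7776)),
    ("6 random words, 7776-word list", passphrase_bits(6, 7776)),
]

if __name__ == "__main__":
    for label, bits in COMPARISON:
        print(f"{label:36s} {bits:6.1f} bits  ~{years_to_crack(bits):.2e} years")
    print("random password :", random_password(20))
    print("random phrase   :", random_passphrase(4, WORDLIST))
```

Eight characters drawn from every key on the keyboard come to about 53 bits; 32 lowercase letters come to about 150 bits, and four random words from a 7776-word list land near the 8-character jumble while being far easier to remember and type.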
There’s no way you can remember all those passwords. You need a password manager.
I have logins for HUNDREDS of sites, and I actually know maybe half a dozen of the passwords for them. My password manager knows all, and it keeps them in a securely encrypted virtual vault.
Password managers used to be a tool for nerds like me who have a ton of logins. Nowadays that’s pretty much everyone. They work on your computer and on your phone/tablet, and they have the added bonus of saving you from typing in repetitive information in forms on the web.
I use 1Password on my Macs and iOS devices. It’s cheap and totally worth it. If you’re more of a tightwad you can use iCloud Keychain (assuming you use Safari). LastPass works well too (and is free, and is available on virtually all platforms).
A password manager takes some getting used to but it’s worth getting into the habit.
One very important note: Your password vault’s password needs to be REALLY good. Pick a long one that is super hard to guess (but make sure it’s easy to type on your phone!). It’s the one password that unlocks all the others, so it’s the one you should actually memorize, and never reuse it anywhere else.
Don’t get phished
“So Aaron, what’s the easiest way for a hacker to get my password?”
“You’ll voluntarily give it to them.”
Yep, hackers don’t need to build some sophisticated computing cluster to break past a firewall. Instead, they rely on the biggest security hole of all: the humans that use these secure systems.
It’s surprisingly easy to harvest users’ passwords by sending them official-looking emails that lead to fake web pages that make you think you’re logging into a real site. It’s gotten even more targeted nowadays, too. There might even be people trying to phish you at work, convincing you to share some proprietary company information.
Be suspicious of emails telling you that you need to verify stuff. Be suspicious of an email from Amazon or eBay telling you that you just bought some expensive item you didn’t buy.
If the email is from a site you use and it’s suspicious looking, don’t click a link in the email. Instead, go to your browser and log directly into that web site, then deal with the matter from there.
Always double check the URL in your browser’s address bar to make sure you’re on the site you expect to be on. The part that matters is the domain right before the first slash, read from the right: whatever comes before it can be anything the attacker likes.
Get in the habit of always using your password manager to log into sites. If you think you’re on Target’s web site, but you’re actually on target.com.myphishingsite.biz, your password manager won’t fill in your target.com login.
If your web browser tells you that it might be a phishing site, believe it.
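The reason the password manager doesn’t fill on target.com.myphishingsite.biz is that it matches the page’s hostname against the saved site at a dot boundary rather than looking for the text “target.com” anywhere in the URL. Here is an added example (my own code, not 1Password’s or any other manager’s) of that check, with a constructed vault and constructed URLs; real managers also consult the public suffix list so that, say, a saved login for one co.uk site can’t leak to another.

```python
from urllib.parse import urlsplit

# Constructed vault contents: registrable domain -> username saved for it.
SAVED_LOGINS = {
    "target.com": "shopper@example.com",
    "amazon.com": "shopper@example.com",
}


def host_matches(host, saved_domain):
    """True if `host` is the saved domain itself or a subdomain of it.

    The comparison anchors at a dot boundary, so "target.com.myphishingsite.biz"
    and "nottarget.com" are rejected while "www.target.com" is accepted.
    """
    host = host.lower().rstrip(".")
    saved_domain = saved_domain.lower()
    return host == saved_domain or host.endswith("." + saved_domain)


def logins_for_url(url):
    """Return the usernames the manager would offer to fill on this page."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return []  # never offer credentials on an unencrypted page
    host = parts.hostname or ""  # .hostname drops any user@ prefix and :port suffix
    return [user for domain, user in SAVED_LOGINS.items() if host_matches(host, domain)]


def naive_check(url, saved_domain):
    """The substring test a person glancing at a URL (or a sloppy script) does. Don't."""
    return saved_domain in url


# Constructed URLs: one real, three phishing shapes, one plain-HTTP page.
EXAMPLES = [
    "https://www.target.com/account/login",
    "https://target.com.myphishingsite.biz/login",
    "https://target.com@myphishingsite.biz/login",
    "https://myphishingsite.biz/target.com/login",
    "http://www.target.com/account/login",
]

if __name__ == "__main__":
    for url in EXAMPLES:
        print(f"{url:48s} naive={naive_check(url, 'target.com')!s:5s} manager={logins_for_url(url)}")
```

The naive substring test says “yes” to every URL in the list; the manager’s check says “yes” only to the real one, and declines the plain-HTTP page even though the host is right.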
I recommend that you equip all your web browsers with ad blocking extensions.
There are ethical issues for sure. Most of the sites you use serve ads to pay their bills and using an ad blocker is kind of like leeching off of them.
The problem is that most sites don’t directly control the ads that appear on their pages. Instead they let a complex series of shady middlemen manage these ads, and as a result, a lot of otherwise reputable sites have lately been feeding you shady ads and sometimes malware.
If you’re on iOS you can get ad blocking now too; in iOS 9 Apple added the ability to develop content blocking extensions for Safari. They’re super fast and they make Safari load pages a lot faster!
Nowadays a lot more sites try to detect if you’re using an ad blocker and will bug you about it if they think you’re using one. Wired won’t even let you read the article. If you land on a page like that, don’t whitelist the site like it asks you to. Instead, just open that page in an incognito window. In iOS you can also press and hold the refresh button to reload the page without content blockers.
As an aside, I strongly recommend that you find sites that make cool stuff and support them. Spend the $10 on YouTube Red and enjoy ad-free videos without guilt. Pay for a news site subscription. Patronize people on Patreon. There’s stuff on the web worth giving your support to, and if more people start paying creators with cash dollars, we won’t be expected to pay for stuff with our eyeballs.
Maintenance and Security Updates
OS updates don’t just give you the latest emoji; they usually include security fixes, and they’re an important way to protect yourself! Always install your security updates promptly.
I recommend iOS over Android to all friends, not just because iOS is so much nicer overall, but because security updates on Android are a total crapshoot. If you insist on using Android, I recommend using the Google-branded phones. Google-branded Android phones get Android updates the soonest.
Most modern web browsers are very aggressive about updating themselves and that’s a good thing; don’t try to stop your browser from updating. Most people are doing a lot of their computing inside of a web browser and so that makes your browser a big attack vector.
I think the above steps are essential, but there are a handful more things you can do to make yourself just a little more secure.
On iOS if you set a passcode, all the data on your phone is encrypted with a key derived from your passcode combined with a secret key baked into the phone’s hardware, and iOS works really hard to prevent people from guessing your passcode by brute force: each guess is deliberately slow, the forced delay grows with every wrong attempt, and you can set the phone to erase itself after ten failures. (And to be clear here, that hard work on iOS’s part is the really important part here; otherwise a six-digit passcode is laughably inadequate. Do not let this give you the impression that six numbers makes a good password for your other accounts.)
You should absolutely have a passcode on your iPhone/iPad.
On OS X you can enable FileVault, which encrypts your entire hard drive. You should have FileVault enabled, but make sure you keep the recovery key in a safe place. When it’s on you won’t really see any difference in how your Mac works. It’s great.
Windows offers full-disk encryption as well (BitLocker, on the Pro and Enterprise editions). If it’s available to you, turn it on and stash the recovery key somewhere safe, just like with FileVault.
If you want some more security for your accounts, Two Factor Authentication is a great thing to add. With 2FA, your password alone doesn’t get you access to your account; you also provide an extra six-digit code that changes every 30 seconds, generated by an app on your phone from a secret the site hands you when you set it up. 1Password can generate these codes for you (keep in mind that if the codes live in the same vault as your passwords, your vault password is guarding both; that still protects you when a site leaks your password, which is the common case). Prefer app-generated codes over codes sent by text message, since a scammer who talks your phone company into moving your number gets your texts too. I recommend turning on Two Factor Authentication for your iCloud account or your Google account.
I could go on, but this is a good start. If security interests you, you should dig into it more!
This stuff is important
Maybe you live in a home in a pretty safe neighborhood. Not much crime is happening around you, and you feel nice and safe.
Being just a regular average Joe on the internet you might think you’re also in a safe internet neighborhood and that no one’s gonna hack your account. After all, why would they?
On the internet, we’re all living in the unsafe neighborhood. On the internet you’re just as accessible as any other citizen on the internet. Your private photos are on the same iCloud as all the celebrities whose private photos got leaked awhile back. You’re the same one phone call or email away from some scammer who tries to get you to install some app that watches everything happening on your computer.
I don’t secure my digital belongings because I’m a computer enthusiast; I secure them because they’re mine. You don’t leave your car unlocked on a busy street because “you’re not a car guy.”
Security habits benefit everyone, and I believe they should be accessible to everyone, whether you’re the President, some CEO, or a high schooler named Jessica.