I Haven't Changed My Passwords In Over 2 Years - What About You? / by Alen Faljic


Two years ago, I read an interesting article about a Wired magazine reporter who got hacked. In just one hour his Google, Twitter, and Apple accounts were broken into. The hackers deleted his Google account and all the data on his iPhone, iPad, and MacBook. His entire digital life was gone, in one hour.

This got me thinking. What if something like this happened to me? Every aspect of my life relies heavily on my digital accounts. I use services such as Gmail, Facebook, Dropbox, Drive, and Skype for work as well as for staying in touch with friends and family. So, maybe I should do something about it. I don't have a strong password and, even worse, I use the same one on most websites.

However, just a few minutes after reading the article, my urgency to do something was gone. After all, why would anyone want to break into my account? I am nobody. 

So, I did nothing. 

Should we care about cyber security?

Just a month ago I was reminded of cyber security again. The reason was the TV series Mr. Robot, which tells the story of Elliot, a young, socially awkward hacker who breaks into the online accounts of almost every person he meets. Ten episodes of the first season were enough to get my negative imagination going. Should I care about my cyber security, I asked myself.

Quick research on the topic only fueled my concerns. In the last couple of years, several data breaches have happened, compromising the privacy of millions of users. I am guessing that many of you reading this now have also been affected (maybe even without knowing it). For example, the most prominent incidents include the eBay breach and the Heartbleed bug, which affected websites such as Pinterest, Amazon, Reddit, Tumblr and SoundCloud.

You might still say: "I don't care. I have nothing to hide." Think again. How much data, how many photos, and how many private conversations do you have on your Facebook account? How many contacts and important files do you have in your email? With which websites did you share your credit card details? All this information is stored somewhere on servers, and the only thing that ensures your access to it is your password. Imagine losing this access even for just a couple of days. It's like losing a wallet. You would need to contact all these companies, prove your identity and regain control of the accounts. And even then there is no guarantee that your data will be restored.

Why risk all this when a little bit of effort can make us a smaller target for potential attacks?

How much time are you willing to invest? 

I recognize that most people do not want to spend too much time optimizing their online security. So, I have experimented with it so you don't have to. I have designed an action plan that is easy to implement but still effective enough to provide a real benefit.

You can read and use the below action plan as a menu. There is no particular sequence that you need to follow. When you choose your desired time commitment, you can execute on the proposed solution and ignore the rest. 

1 minute - Change your email password

Your most important online account is your email. You not only use it to log in to other websites (usually your email address is also your username), but it also serves as the recovery tool for resetting passwords. So, if someone has access to your email, they can change the passwords for your other services. In just a couple of minutes, they could effectively lock you out of most of your online accounts. Also, if you use the same password on many websites, hackers can break into your email account once they figure out your password on one of the other websites.

So, if you do only one thing, change your email password now! Here is the link for Gmail users. In the "Password and sign-in method" section click on "Password". You will be asked for your old password and then you can create a new one.

TIP: Creating stronger passwords does not need to be complicated. You can create a pretty simple but very strong password by using a computer's calculator. First, come up with an 8-10 digit number that is easy for you to remember. Don't choose your birthday, but something that is harder to guess. For example, it could be a sequence of zip codes of places where you lived (2101+81665). Put it in the calculator (programmer view) and change the input base from decimal (10) to hexadecimal (16). Add special and lower-case characters before or after it to make it even stronger. See the video on the right to see how you can do that.

5 minutes - Enable 2-step authentication for most important accounts

The way 2-step authentication usually works is that every time you want to log in to your account from a new computer, you receive an SMS with a PIN code. 2-step authentication (2FA) is effective because it protects your accounts even if someone else has your password. They can't log in to your account because they also need the second password: a randomly generated PIN code that is sent to your phone. Most of you already use some version of this concept for online banking when authorizing transactions.

It might sound like you will need to enter an SMS code every time you log in. That would be awful, yes, but this is not the case. The code is only required when logging in for the first time on a new device. So, once you have logged in on your personal computer you will not need the SMS PIN anymore. However, if you want to access your account from, for example, a friend's computer, you will have to enter an SMS code.

I suggest that you determine your most important accounts and enable 2-step authentication for them. I included the direct links for some of the most common services with 2FA. 

UPDATE (July 2016): There have been reports that SMS texts for 2FA are not the safest option. Apparently, hackers are using so-called SIM-swap attacks, in which they call up the mobile operator, impersonate the victim, and convince the operator to redirect SMS messages to another phone. So, my new suggestion is to download a code generator app such as Google Authenticator. The setup is very simple. You can find a tutorial video here.


2-3 hours - Start using a password manager

One of the most frequent pieces of advice from cyber security experts is to create strong passwords, use different ones for different accounts, and change them often. The problem with this advice is that we are not good at memorizing strong passwords. For an average human, it is hard to memorize even one 25-character password. Imagine memorizing 10-15 of those, one for each account, and then changing them every 6 months.

Password managers are software apps that help you securely save and remember your passwords. When you create a password, they generate a strong random sequence of characters and store it in an encrypted database. You only need to create and remember one strong master password to access all the others.

If you decide to use a password manager, you must create a very strong master password. You can use the same tip as presented in the 1-minute solution.

I decided on this option and I can only recommend it. It takes an hour to really understand the software, but after that it is a great experience. Every time I need to enter a password, I simply right-click to open the browser extension and paste the password. If you decide to use a password manager, here is a more detailed video that explains how it works (it uses 1Password as the example).

The most commonly recommended password managers are:

TIP: Even if you do use a password manager, I still suggest you use 2-step authentication, described above in the 5-minute plan.

3-4 hours - Start using a password manager and back up your data

First, look at the 2-3 hour action plan above for instructions on the first part (start using a password manager).

If you want to further increase your cyber security, you should also back up your computer regularly. In other words, you should copy the files from your computer to an external hard drive, and do it every now and then. This way you mitigate the risk of losing important data. Remember the Wired magazine reporter? He wasn't doing backups, so when the hackers deleted the data from his devices, he lost important work files and even photos of his child growing up.

To do a backup, you will need an external hard drive. Make sure its storage is at least as big as your computer's disk so that you can make a full copy. Once you have the external drive, backing up is easy. Apple and Microsoft have created pretty straightforward processes. Check these two tutorials for more detailed backup instructions:


If you take one thing away from this article, I hope it's this: do not take your online security for granted. Invest a little bit of your time and make yourself a smaller target. If you have any other suggestions, I would love to hear them in the comments below.