How do you protect your private photos and personal content from being hacked? With these security precautions!
There's been another round of celebrity hacks online. While blame and fault rests entirely and completely on the criminals doing the hacking and leaking, it's a cold reminder that security in the digital world is just as urgent and imperative as security in the real world. We don't just need to close our data doors, we need to lock them. With deadbolts and sirens.
Whether it's Apple's iCloud, Google Accounts, Microsoft, Dropbox, or any other service, you want to avoid using weak, repetitive, single-factor passwords and start using long, strong, unique passwords with multi-factor and a password manager.
It's a hassle but so is your home security system or personal protection detail. It's the fault of the criminals but we're the only ones who can protect ourselves.
Don't use weak passwords
Everyone should know by now to avoid passwords like "password", "123456", your birthdate or anyone's birthday, nickname, pet's name, child's name, or anyone's name. But you also want to avoid any word or set of words in the dictionary and even common variations thereof, like d!ct!0n@ry.
Anything easy for you to remember is easier for someone else to guess or "brute force".
Do use strong, pseudo-random passwords
The best passwords are blobs of pseudo-random letters, numbers, and symbols. The longer the series, the stronger the password. Most of us don't have to worry about nation states or hackers with similar resources trying to get into our accounts but once you start using a password manager (see below), you might as well be as secure as possible.
Don't use the same password for more than one website
Let's say you set up your iCloud account with a strong password but use the same password to set up your account with home supply store. Then that home supply store gets hacked and, it turns out, they didn't bother to properly secure passwords. The hackers then start trying those passwords on other sites, including your iCloud account.
If your passwords are all different, one hack doesn't compromise all your accounts.
Do use a password manager to store and auto-fill unique passwords
It's impossible to remember even one long, strong password, let alone dozens of unique ones for every site log into. That's where a password manager like 1Password or Lastpass comes in. They'll generate the long, strong passwords for you, store them, and when you go to those sites, they'll automatically fill in the passwords for you.
They also support Touch ID and copy/paste, so they're easy to use.
Don't use security questions that are researchable
Security questions are bad for security and I wish companies would stop using them. If you're a public figure, Wikipedia can usually provide anyone with the answers to several common security questions. Even if you're not a public figure, Google can sometimes provide the same answers. And if people get those answers, they can reset your password and try to get into your account.
So, avoid using security questions if you can and, if you can't…
Do treat security questions like extra passwords
If a service you're using insists you provide it with security questions for password recovery or reset, don't use anything anyone else can research. Instead, treat security questions as extra password fields.
Generate long, strong blobs of pseudo-random characters and store them in your password manager. Then, if you ever need them, copy/paste them in.
Don't just use passwords
A password is a single factor. If that's all you use and someone somehow gets your password or security questions, they can get access to your account.
Add in a second factor, though, and the password only gets them half way.
Do use 2-factor authentication
Most major online services, including iCloud, now offer 2-factor authentication (2fa). Apple's version pops a token code up on your iPhone, iPad, or Mac, and you have to punch it in to get access. Other systems use apps like Google Authenticator, 1Password, or Authy to supply you with a token, or sends it to your phone via SMS.
It's less convenient but it's far more secure. And if the 2-factor token pops up when you're not trying to log in, you know someone else is trying to get into your account.
- How to set up two-factor authentication for iCloud
- How to set up two-factor authentication for Google
- How to set up two-factor authentication for Dropbox
- How to set up two-factor authentication for Facebook
- How to set up two-factor authentication for Twitter
- How to set up two-factor authentication for Tumblr
- How to make two-factor authentication easy with Authy
Don't click on links in emails
Phishing is when a hacker sends out huge volumes of fake emails saying there's a problem with your account, a special deal you can get, or anything else designed to entice you to click on their link. Spear phishing is similar, but targeted just at you and is often more personal and even more enticing.
The link is to a fake account page where they hope you'll type in your real password so they can get it. Never click a link in any email asking you to enter your login information anywhere.
Do go to account sites directly
If you get an email from Apple, Google, Microsoft, Dropbox, or anyone stating there's a problem with your account, open your browser and type in the website address yourself — iCloud.com, Gmail.com, dropbox.com, etc. — and then use your password manager to log in.
If there really is a problem there should be a notification for that problem on the account page along with any real steps you need to follow.
Having your personal data leak is a horrible violation and should never happen to anyone. If you're storing sensitive information or content online, though, do everything you can to protect it. If you're sending it to someone else, make sure they do everything they can to protect it as well.
Any questions or additional tips, drop them in the comments below!