Oct
2018
Some tips on protecting your information!
It is National Cybersecurity Awareness Month (NCSAM) and I thought I would share some of the ways I protect my information. Spoiler alert: you may not find anything that you don’t already know and I may have written about these earlier. And if you came to the event at Wellesley last Friday, you already heard about these from me. But I hope this serves as a good reminder about some of the best practices for keeping your information safe.
Passwords & Passphrases
I use fairly long and complex passwords. I prefer passphrases wherever they are supported. It is so sad that so many systems still do not support passphrases and are restrictive in terms of the length of the passwords. As a rule, I use different passwords for different systems. I will be very happy to privately share with anyone who is interested in knowing more about how I maintain/remember all of these passwords. I also avoid saving passwords for some of the critical systems and financial institutions in my browser’s password manager. They are safe and continue to be safer, but, if ever someone steals my Google password AND bypasses two factor authentication, they will have access to all my passwords (paranoia!).
To change passwords often or not is an age-old question, and I believe that having a long and hard-to-guess password is much better than changing passwords often. One of the reasons for mandating the password change was that if hackers had access to your password, changing it prevents them from accessing your data and that it is hard for them to guess your new password. With the exponential increase in computing power, the moment your password has been hacked, a lot of your information has already been accessed before you can change the password. Secondly, it has been shown that mandatory password changes result in predictable password patterns that are easier to guess than one can imagine. I encourage you to read this article “Time to rethink mandatory password changes” on this subject. So, my advice – make passwords long and hard to guess.
Two Factor Authentication
I always opt in for this whenever any system makes it available. I use DUO as well as Google Authenticator for this purpose. Some systems such as banks may not support these, but instead send a code via text message to your phone as an additional step to logging in. Is it inconvenient? A little bit and you will get used to it over time.
Some things to be aware of. When you are flying and you connect your computer to the plane’s WiFi and you want to access a system that requires two factor authentication, you may be out of luck, unless you are prepared. If the two factor system works over WiFi like DUO Push or Google Authenticator, you also need to connect your phone to the plane’s WiFi. That may or may not be possible depending on the cost. These two factor authentication systems always provide backup codes (that you can save on your laptop) that can be used, or you can carry a USB key like the YubiKey. Also, make sure to follow the steps to install Google Authenticator on your new phone first before discarding your old phone and your life will be much easier.
Complicated? Yes. Worth it? Absolutely… Unless you are the type who taps yes on the DUO Push screen without paying attention. Because, when a hacker who stole your password tries to log in and you get a push notification, you don’t want to do that!
Protect your phone & laptop
Set up screen lock on your iPhone or Android phone. If your phone supports facial recognition or has a fingerprint reader, set them up. In case you lose your phone, you want to be able to find it and if it happens to be stolen or lost (not in your home or office), you also want to be able to erase its content. All of these are possible if you can spend a few minutes and set them up early. Obviously trying to do this after the fact doesn’t always work! iPhone instructions are here and Android instructions are here.
Do the same for your laptops. Macs – Lock your screen, have it go to sleep after some idle time and require a password to wake up. Also, encrypt your disk using FileVault so that it becomes unreadable if it is removed and a hacker tries to read the content. Windows – do the same. For encryption supported at Wellesley, see here.
Verbal Passwords
Many financial institutions will support a “verbal password”. There are still some instances when you have to call a financial institution. Many hackers who steal your personal information call banks to get addresses changed, request money transfers or do other damaging things. To prevent this, you can ask them to set up a verbal password. When you call the bank, in addition to the usual personal information, you will need to provide it before they will move forward. It is great added security. I also have it on ADT.
Additional Thoughts
Consider enrolling in Credit Freeze.
The most important thing is for you to figure out a safe method to remember all these steps you took because in some cases, such as FileVault, not remembering how you set it up and what the password or recovery key was, can cause some headache.
Many of us have shared bank accounts or shared Netflix accounts, so the other person needs to know what you are doing so that when that person needs to look up account information or transfer money, they are not frustrated. So, having a plan to share your methodology with, and getting buy-in from, a trusted partner is essential. Otherwise, all your work can potentially be undone by that person.
Hope you found some of these pointers useful. As overwhelming as these are, most of the time it is all about a good plan and execution. Many of these are one-time activities, which has the advantage that it is a one-time deal, but has the disadvantage that unless you planned it well and documented it somewhere safe, you might forget it! But, you will be thankful for taking all of these precautions and keeping an eye on all of your information so that it is safe. Others can help, but, it is a shared responsibility and you have a lot to contribute to keeping your information safe!