How to Protect Your Online Accounts

Alex Alex 17 June 2020
How to Protect Your Online Accounts

If you haven't had one of your own accounts hacked, I bet you know someone who has. That can be a pretty violating experience - we store a lot of personal information in our online accounts; but it gets worse than that. That is often just the first step. The next step might be to attack your friends or family over social media, or your employer's place of business, or even steal your identity. Here are some tips that can help you protect yourself.

This article is probably going to be the first in a series on how to protect yourself from hackers. This one's going to be about how to protect your online accounts; but I'm thinking of doing follow up articles on how to protect your devices, as well as your home. Let me know in the comments if that's something you'd like to see.

There's going to be a bit of a theme here, and that theme is "passwords". Virtually all of your online accounts are going to be protected by a password, and that's a problem because as a security mechanism, passwords really suck. The world is moving away from passwords, but that process is going to take a long time. In the meantime you're going to need to know how to use them safely. The first golden rule you need to know is "never use the same password twice". Here's why. You can't trust any website not to get hacked. Do you know what Apple, Sony, Adobe, and Yahoo have in common? They've all been hacked! And that's just the tip of the iceberg. If they can get hacked, anyone can.

When a company that you've got an account with gets hacked, the hacker is going to take that username and password that they got from that first company, and they're going to use it to try and log into lots of other websites as well. That, or they'll sell it to someone who will. This is called credential stuffing, and it causes something of a domino effect. If you've used that same password on other accounts, there's a good chance they're going to get hacked as well.

The first time it wasn't your fault. Some other company got hacked. There was nothing you could do about it. This time it is your fault, because you've used the same key on every lock. That's easy to say, but I have literally hundreds of accounts. How am I supposed to remember all of those passwords? You don't. You use a password manager.

Password managers

A password manager is an application which stores all of your passwords for you. You just need to remember one password to get into the password manager itself. That one password obviously needs to be a good one, but the rest after that can be randomly generated nonsense, because you don't have to remember them.

Because that password manager is essentially the basket into which we're pacing all of our eggs, you need to choose it carefully. A couple of good examples are LastPass and KeyPass. These are both good solutions, but they are very, very different. I've chosen them because they illustrate both ends of the spectrum for you. 

For most people, LastPass is going to be the better option. You just sign up for an account and everything's pretty much them for you. You can access it via a website, a browser plug-in, or a mobile app. The free plan is pretty comprehensive for individual needs, although there are paid plans as well that add additional features, like for example the ability to delegate emergency access to someone else. If you just want something that works, and works well; LastPass is a good option.

KeyPass is more of a DIY solution for advanced users who know what they're doing. It's not a website, it's an application that you download to your computer and it stores all of your passwords in a single regular file. It's less user-friendly than LastPass, but it is more customisable. If you don't trust anyone else to look after your passwords, or if you want complete control over the solution; then KeePass could be for you, and it's completely free.

Because it stores all of your passwords in one file though, you need to take responsibility for protecting that file. The security is up to you. Backing it up is up to you. If you lose that file you're in a lot of trouble, because now you don't know any of your passwords. If you want that available on multiple devices, then you're going to have to implement some kind of synchronisation. Fortunately, KeyPass is open source and quite popular. That means there are lots of third-party plugins that can add pretty much any functionality you can imagine; and there are unofficial builds that will work on any operating system. Now, it's up to you to put all of that together and to vet the trustworthiness of those third-party plugins, but if you're up for the challenge then you can pretty much make it do whatever you want.

There are plenty of other password managers, but these two have been around the block, and have been sufficiently proven that I can feel comfortable recommending them. That recommendation is really for individual or family use, so if you're looking at this for storing the credentials for an IT department or a managed services provider then that's a completely different topic. LastPass do have products for that space, but essentially that's a different market with different requirements that I don't have time to get into in this article.

The important thing with any password manager is that that password you use to get into the password manager itself needs to be a secure one; because, remember, that's the key to your kingdom. With both LastPass and KeePass it's more important than that, because that master password is also used to encrypt your data. So if someone steals your KeyPass database or they hack LastPass and get the data from their servers, then they still can't do anything with it without your master password. That's important, because (remember) you can't trust any website not to get hacked; and that includes LastPass.

LastPass have actually been hacked before, but as long as you keep that master password a good one, and you keep it secure, the bad guys even if they steal the data from LastPass' servers, can't get access to your data because LastPass themselves can't access your data. Not without you typing that master password to decrypt it.

In fairness to LastPass, the password vaults themselves were never actually compromised; but the point is you shouldn't assume that will always hold true - for LastPass, or anyone else for that matter.

How to choose good password

So how do you pick a good password, then? Well, instead of a password use it passphrase. I'm going to use the website howsecureismypassword.net to help illustrate this. This is a handy site that gives you a rough idea of how secure your password is. It's not completely accurate - it's more focused on the brute-force method of attack than anything else, but to give you a sense of things: here's a complex password Xkf31y9J. It has upper case characters, lower case characters, and numbers, and it can be cracked using a desktop computer in about two hours. Now let's mix things up. Let's add some symbols in to make it extra complex Xk$3-y9J. Now it will last about nine hours, but that's still not a lot!

This password is already difficult to remember and if we continue doing this route of ultimate complexity we are really going to struggle. So let's try a different approach. We're going to take a few random words, and jam them together, for example BrocolliBalloonHouse. Testing this one out, we see it will stand up to 17 quadrillion years of cracking. This is the passphrase.

Longer passwords are a lot more difficult to crack than shorter passwords; so make it a long one, forget the complexity, and you've got a password that's a lot more secure, and a lot easier to remember. To make your passphrase even more resistant to attack, chuck a couple of numbers or symbols in the middle of it somewhere. That way if someone figures out that you're using a series of normal words, it's a lot more difficult for them to run a dictionary attack against it. If you use long, randomly generated passwords, stored in a password manager, protected by a strong passphrase, you've gone a long way to protecting your accounts; but passwords still fundamentally suck. In order to use them you have to type them into your computer and then transmit them to someone else. That leaves far too many opportunities for them to be stolen along the way. These days, relying on a password alone just isn't enough.

Multifactor authentication

If you're account has the option to use multifactor authentication, do it. Multifactor authentication might also be called two-factor authentication or 2-step verification. It uses a second factor such as your fingerprint, a text message, or a prompt in your phone to authenticate you, as well as your password. That's important, because as I've already said: passwords suck .They can be cracked, guessed, or stolen. Your phone can be stolen too, obviously; but the chances that your phone is going to be physically stolen that by the same person who's cracked your password are very, very remote. It can happen if it's a very targeted attack; but the vast majority of hacking attempts are just fired at random people over the internet, hoping for a soft target.

Microsoft have run the numbers on this, and enabling multifactor authentication stops 99.9% of account compromise attacks dead in their tracks.  An account with a strong passphrase, protected by multi-factor authentication, is going to be very resistant to attack; but there is another weakness... you! This brings us to your next tip: don't trust anything.

Social engineering

These days a lot of hacking attempts are targeting human flaws, rather than technical ones. Quite often this takes the form of a phishing email that tries to trick you into following a link or downloading a file. These emails masquerade as legitimate messages, and can range from poorly written and obvious scams, all the way to almost indistinguishable from the real thing. Here are some tips to help you avoid the trap.

Firstly, does it even make sense? If they say they've got a parcel for you, were you expecting a parcel? If it's from a bank, is it your bank? Is it in keeping with the communications they'd normally send you? No bank for example, is going ask for your account details via email. If you're even remotely suspicious, verify it. If you get an email saying a friend is trying to share a file with you, ask the friend if they're trying to share a file. If it's an organisation that you legitimately have an account with then log in or contact them by using the details on their main website. Not by following any links or phone numbers in the email itself. Don't trust the email - go to the website and that way you know you're talking to the real company.

This isn't just for email. If someone calls you out of the blue and you weren't expecting it, then call them back using the contact details on the company's website. It really annoys me when companies phone me and then they ask me to provide security information so they can validate me. No. You called me. You prove to me you're not a scammer. I'll hang up and call them back from the number I found on the website

There are other things you can do, like checking the website is secure and checking the link goes to legitimate address, but I don't want to get too deeply into that. Just because a website is secure doesn't mean it's not a scam, and the address can be hidden to some extent. Now yes, you can peel back those layers to find out what the real address is, but I'm a little bit worried that if I start showing you the steps you can take, I might miss something or not explain something properly, and give someone a false sense of security. What I will say though is that if the website isn't secure, if it doesn't start with HTTPS and have that padlock icon, then don't give it any sensitive information. Don't give it a password or anything you care about. It doesn't matter if it's a scam or not. If it's not using HTTPS then anything you do on that site can be intercepted, so you shouldn't trust it.

So now your accounts are nice and secure; but there's one weak link remaining. Your device. It doesn't matter how secure the account is if the device you're using the access it has been compromised. That's a topic for another article. 

Comments (0)

    No comments yet

You must be logged in to comment.