December 28, 2013
Last updated: April 13, 2014
UPDATE: The Heartbleed security bug makes all previous security exploits look small. It has the potential to affect everyone, so it is important you protect yourself soon. See the Heartbleed section below for a quick summary of the actions you need to take now.
Ever wonder why some people get their Facebook accounts hacked and others don’t? It’s because they use easy-to-guess passwords on multiple sites. Start the year out right by protecting your online data. It’s free and easy to do.
Gone in 60 Minutes
As our lives move to the cloud it’s important that we protect our online identities. If you’re like most people, you use the same password on multiple websites. This is a problem, because once a hacker gains access to one of your passwords, they can use it to access your other accounts. Imagine having a big part of your digital life erased by a hacker in less than an hour. This happened to a reporter last year. His first sign there was a problem was when his iPhone powered down and his iCloud restore didn’t work. Next, he found his Google account had been deleted and hackers had used his Twitter account to send offensive messages. His problems weren’t limited to his iPhone: the hacker gained access to his Apple account and remotely erased all of the data on his iPhone, iPad and MacBook. As bad as this was, it could have been worse. Since the hacker had access to his Amazon account, he could have bought thousands of dollars worth of merchandise or gained access to his online banking and financial accounts.
According to the victim, “one wouldn’t have to call Amazon to pull this off. Your pizza guy could do the same thing, for example. If you have an Apple ID, every time you call Pizza Hut, you’re giving the 16-year-old on the other end of the line all he needs to take over your entire digital life.” The reporter added that the Apple ID “has evolved into a single point of entry that controls my phones, tablets, computers and data-driven life. With this Apple ID, someone can make thousands of dollars of purchases in an instant, or do damage at a cost that you can’t put a price on.” He continued, “It’s shameful that Apple has asked its users to put so much trust in its cloud services, and not put better security mechanisms in place to protect them. Apple IDs are too easily reset, which effectively makes iCloud a data security nightmare.” This isn’t just an Apple and Amazon problem. The list of high-profile online security breaches includes Adobe, Evernote, Facebook, Gmail, LinkedIn, LivingSocial, Microsoft Xbox 360, Snapchat, Sony PlayStation, Twitter, UltraViolet and many more. Chances are you’ve used one or more of these hacked sites. Read more about the nine biggest security breaches of 2013.
Heartbleed: The King of All Exploits
Although the bug itself is not new, a newly disclosed vulnerability called Heartbleed can reveal the usernames and passwords of many popular websites. As a result, it is recommended you change your password on all affected services after you confirm they have fixed their systems. This chart shows which sites have been affected. Also keep in mind that this vulnerability could have revealed more than just passwords: it could have allowed attackers to obtain information including credit card numbers, medical information, private emails and more.
A 3-Step Solution
- Never use the same password for two sites – It’s essential you use unique passwords for every website. This isn’t as hard as it sounds because there is special software that keeps track of every password for you. This software automatically fills in the correct username and password every time you visit a website. Although your browser can do this, your browser’s password data isn’t encrypted and can be easily viewed by anyone with access to your computer. A better solution is to use a cloud-based password locker like LastPass or 1Password. See the next section for tips on how to set up a password locker.
- Use strong passwords – It’s hard to believe the most common password of 2013 was 123456. That’s not exactly hard to guess. Even if you create a password that has numbers, letters and special characters, it may not be strong enough that no one could guess it. Here is a website that will check your passwords to see how secure they are. If you need help creating strong passwords that avoid common mistakes, check this out. Fortunately, you won’t need to create your own secure passwords; your password locker software will do this for you.
- Back up your important data – It’s a good idea to back up all the important data on your computers and mobile devices. The easiest way to do this is to make sure all of your important documents, photos and other files are stored in folders that are synced with a cloud storage locker like Dropbox, SkyDrive or Google Drive. This backs up your data and provides access to your files from any smartphone, tablet or computer.
Tips for a Smoother Transition
Here are some tips that will make your transition into a more secure online world smoother.
- Start by installing free password locker software on all of your computers and mobile devices. Based on my research, LastPass is the best solution for Windows PC, Chromebook and Android users, while 1Password is the best solution for Mac and iOS users. If you decide to use LastPass, I recommend you use it with the Chrome browser.
  You’ll be asked to create a new password for your locker. I strongly recommend you use a long password you can easily remember — but have never used before. Here are some good tips on how to do so. For example, you can easily convert the first part of the Gettysburg Address into a secure password that is easy to remember. “Four score and seven years ago our fathers brought forth” becomes “4Sa7yAoFbF.” Notice how I alternate capitalized letters and replace the numbers to make it more secure.
- After installing your new password locker software, I recommend you disable your browser’s built-in password manager. If you’re a Chrome user, click on the Chrome menu in the upper right-hand corner and select ‘Settings.’ Then scroll down and select ‘Show advanced settings/Passwords and Forms’ and make sure the two options below are not checked. I also recommend that you click on the ‘Manage saved passwords’ link and delete all of your saved passwords several weeks after you are confident your new password locker is working fine.
- Your password locker software will import all of your existing passwords, but you need to manually change them to secure passwords. I suggest you start by changing only a single password, using your computer and the auto-generate password option on your password locker (e.g. LastPass). Since you’ll never need to remember or type your new secure passwords, I suggest you create passwords that are 12 characters long. Then, go to the site and make sure your password manager logs you in correctly. This is important because once you convert your passwords to secure passwords, you won’t be able to remember them.
- Next, you should try accessing the same site on your smartphone and tablet and make sure it logs you in as well. I’ve had some problems in this area. Here is how I handle this with LastPass:
  - For websites, I access the site using the LastPass app. After you log in, you’ll be shown a list of websites. Select the site you want and touch ‘Launch.’ This should take you to the site and automatically log you in using your new secure password.
  - For mobile apps that require passwords, like Evernote, I suggest you go to your password locker app and copy the password first. Then open the mobile app and paste the password into the log-in screen. In most cases you’ll only have to do this once. The next time you open the app, it should remember the password for you.
- Once you are sure your password locker is working reliably on all of your devices, you should create new secure passwords for any of the sites listed above which have been hacked. Next, create passwords for the rest of your high-risk sites. This includes your online banking and other financial accounts, e-mail accounts, e-commerce sites (Amazon, eBay, Ticketmaster, etc.) and social media sites (e.g. Facebook, Twitter and LinkedIn). This is easier to do on your computer than on your mobile devices. Once this is done, you can do the same for your lower-risk sites.
  Important: I can’t stress enough that you should copy and paste each new password you create to a temporary document that you keep around until you verify your password locker has correctly captured the new password and logs you in correctly. Although it doesn’t happen often, a few times I’ve had to manually copy and paste the new secure password into the password locker because it wasn’t automatically saved.
- When you’ve finished creating secure passwords for all your websites, use your password locker to run a security scan to identify remaining problems. You’re not done until you make sure that no two sites are using the same password and all passwords are secure.
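The checks behind the locker’s “security scan” and the Heartbleed rotation advice, written out as an added Python example (this is not the article’s code, nor LastPass’s or 1Password’s): a constructed sample vault is audited for weak passwords, passwords reused across sites, and accounts whose password was last changed before a constructed list of Heartbleed-affected sites patched. It also includes a variant of the passphrase-to-password trick; the strict alternation of capital letters it uses is an assumption, not the article’s exact rule, so its output differs from the article’s “4Sa7yAoFbF.”

```python
"""Password-vault audit: what a password locker's security scan looks for,
spelled out. Added example; every entry, site and date below is constructed."""
from collections import defaultdict
from datetime import date
import hashlib
import string

# Constructed sample vault (what a locker would export, minus the encryption).
VAULT = [
    {"site": "bank.example",   "password": "hunter2hunter2", "changed": date(2013, 6, 1)},
    {"site": "shop.example",   "password": "123456",         "changed": date(2012, 1, 9)},
    {"site": "mail.example",   "password": "hunter2hunter2", "changed": date(2013, 6, 1)},
    {"site": "social.example", "password": "x7!Qp2#vLm9@Rz", "changed": date(2014, 4, 12)},
    {"site": "notes.example",  "password": "gT4$kLm9#wQ2",   "changed": date(2014, 4, 5)},
]

# Constructed: sites that ran a vulnerable OpenSSL and the day each one patched
# and re-keyed. A password last changed before that day may have leaked, however
# strong it is, so it must be rotated after the fix, not before.
HEARTBLEED_FIXED_ON = {
    "mail.example": date(2014, 4, 9),
    "notes.example": date(2014, 4, 10),
}

# Short stand-in for the published most-common-password lists (123456 tops the 2013 list).
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "abc123"}

# Number words for the passphrase trick (assumption: only these are mapped).
NUMBER_WORDS = {"one": "1", "two": "2", "three": "3", "four": "4", "five": "5",
                "six": "6", "seven": "7", "eight": "8", "nine": "9", "ten": "10"}


def char_classes(pw):
    """Count how many of lowercase / uppercase / digits / punctuation appear."""
    sets = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    return sum(1 for chars in sets if any(c in chars for c in pw))


def is_weak(pw, min_len=12):
    """Weak = on the common list, shorter than min_len (the article's 12), or
    fewer than three character classes. A heuristic, not an entropy estimate."""
    return pw.lower() in COMMON_PASSWORDS or len(pw) < min_len or char_classes(pw) < 3


def find_reuse(vault):
    """Group sites by password via SHA-256 digests so plaintext is not copied
    around while comparing; any group with more than one site is reuse."""
    by_digest = defaultdict(list)
    for entry in vault:
        digest = hashlib.sha256(entry["password"].encode()).hexdigest()
        by_digest[digest].append(entry["site"])
    return [sorted(sites) for sites in by_digest.values() if len(sites) > 1]


def needs_rotation(vault, fixed_on):
    """Sites whose password predates the site's Heartbleed fix."""
    return sorted(e["site"] for e in vault
                  if e["site"] in fixed_on and e["changed"] < fixed_on[e["site"]])


def audit(vault, fixed_on):
    """Run all three checks and return the findings by category."""
    return {
        "weak": sorted(e["site"] for e in vault if is_weak(e["password"])),
        "reused": find_reuse(vault),
        "rotate_after_heartbleed": needs_rotation(vault, fixed_on),
    }


def mnemonic_password(phrase):
    """Passphrase trick, variant: first letter of each word, number words become
    digits, and the remaining letters strictly alternate Upper/lower (assumption)."""
    out, upper = [], True
    for word in phrase.split():
        w = word.strip(string.punctuation).lower()
        if w in NUMBER_WORDS:
            out.append(NUMBER_WORDS[w])
            continue
        out.append(w[0].upper() if upper else w[0])
        upper = not upper
    return "".join(out)


if __name__ == "__main__":
    for category, findings in audit(VAULT, HEARTBLEED_FIXED_ON).items():
        print(f"{category}: {findings}")
    print(mnemonic_password("Four score and seven years ago our fathers brought forth"))
```

Note that notes.example has a strong, unique password and still shows up under rotate_after_heartbleed: it was changed the day before that site patched, which is exactly the case the Heartbleed section warns about. Audit a real export only on a machine you trust, and delete the export afterwards.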
Congratulations! You’re Now Safe and Sound
Your online data is now much better protected than before. It is now extremely unlikely that a hacker could log in to your accounts as long as you keep the password to your password locker safe. If you want even more security, here are a few extra tips. Back up your data to a NAS (or a large thumb drive) and store these backups outside of your home. Don’t store your credit cards with online merchants and, lastly, consider using two-factor authentication for data that is really important to you. I’ll leave you with a few extra tips for mobile security. Have a safe new year!
Copyright 2013-2014 Rick Schwartz. All rights reserved. Linking to this article is encouraged.
Follow me on Twitter @mostlytech1