Security Resolutions – Be Safe out There!

Making sure your accounts are secure should be a priority this year. Image courtesy of the Library of Congress.

Making sure your accounts are secure should be a priority this year. Image “Secret Service” (1938) courtesy of the Library of Congress.

At this time of renewal at the start of the year, it’s traditional to resolve to make improvements in our lives — infusing our health and habits with more virtue and less vice. We change our smoke detector batteries, eat more fish, and sign up for gym memberships. It’s also a good time of year to consider your digital “health.”

2014 was a bumper year for security breaches. Ebay, Home Depot, Chase, and Staples were all compromised in one way or another before the year credit monitoring services Target had to provide for millions of customers expired. Do you have an account at any of those places? If so, does that account share a password with other accounts you use?

At this, the start of 2015, let’s reflect on a few practices that might take a little exertion in the short run, but could save a lot of head- and heartache in the long run.

Consider Email Security

First, consider your email account. Your primary email is, at this point in time, your most precious resource. In fact, it’s probably more important than your bank password, since that’s the place password reset links from any source — from Tumblr to to your stockbroker — get sent. If your email shares a password with any other account anywhere, it’s time to change it, and change it to something good. (Google “How to choose a good password” for a zillion resources.)

If your email provider offers two-factor authentication, turn that on, too — commonly, that involves giving your email provider your cell number so that if your email is accessed from a previously unused computer or browser, you’ll need to input a code that they’ll text to you. I was reluctant to do this for a long time, but now that it’s done it causes me zero trouble, as I’ve already approved every device I use to access my personal email.

Checking up on Your Other Accounts

Next, think about all the *rest* of your accounts. Do they share usernames and passwords, too? Maybe you signed up for an account at $randomwebsite a couple of winters ago to buy a hilarious gag gift. You probably never returned after that. Did you use the same username and password you always do? (And if multi-million dollar chains can get compromised, do you really trust $randomwebsite’s security? It’s time for you to get serious about your health — your digital health. It’s time for you to start using a password manager, and using that manager to keep track of your many, many passwords. Once you get one (LastPass, KeePass, Keeper — there are many, and some are even free!), be determined to make use of it! (Maybe a good strategy would be to get one that costs money — then you’ll want to get your money’s worth out of it.)

Every time you log into a site with the “usual” password, that should be your hint to change that password. Over time, you’ll have fewer and fewer sites that use the same ol’ same ol’. There are sites I only use once a year or so — to download tax forms, for example — and for those I use the password generating feature of my password manager to generate a few dozen random characters — something like >AAX!s”nWEt”SrekNAQq~9s?vRH^2gBDy_)f$J+’?&b8tqSC@}Zb-9@*czV* — because I already know I’m going to have to copy it out of the password manager, so it might as well be a great password.

Don’t Forget About Your Devices

You should passcode protect your phone. With newer iPhones you can even quickly use your fingerprint to unlock it, so there's no reason not to!

You should passcode protect your phone. With newer iPhones you can even quickly use your fingerprint to unlock it (“Touch ID”), so there’s no reason not to!

Finally, consider your own devices: Like politics, all security is local. Do you use your browser to remember all your passwords for you? I don’t like doing that, personally; anyone who sits down at my computer can now log in to places as me. If you do, and you can’t give up the habit, then get in the habit of locking your computer every time you get up from the keyboard (on Windows, that’s Command-L; the “windows” key plus the “L” key — on Macs it’s Ctrl-Shift-Eject).

Do you have your computer set to boot to your desktop? I wouldn’t, especially if you have all your passwords saved in your Web browser! Not even your home computer. That may seem paranoid, but houses do get broken into, and computers get stolen. The same goes for your smartphone: Put a code on the lock screen.

That’s probably enough for you to chew on — but if you want general computing security tips from the professionals, contact your friendly neighborhood IT person. No security regime is completely secure, but these measures will separate you from easier targets.

Here’s to a safe and secure 2015!

About John Drummond

John Drummond is the Academic Technology Manager at the College of William & Mary. Originally from Mathews County, VA, John graduated from James Madison University with a BA in English in 1996 and an MS in Technical and Scientific Communication in 2002, and is currently studying for an Ed.D. in Higher Education at the W&M School of Education. He has been with W&M since 2007. In addition to working in IT, John has taught occasionally at W&M and previously at Tidewater Community College, and in other roles has been an author, a musician, a Perl programmer, a UNIX systems engineer, and a network manager. He resides in Toano with his wife Andrea and daughter Rebekah.

Comments

  1. John,

    One more security control that I would recommend to your blog readers is FIDO U2F / FIDO UAF. If the Service Providers supports, use it, if not, ask your Service Provider to support it.

    FIDO U2F and FIDO UAF are Open Standards for Strong Authentication. Not only they provide a Second Factor for authentication, but also protect the end-user from becoming a phishing victim. And the best things is that FIDO is Open Source and Open Standard so any Service Provider can implement it without any licensing cost.

    Saqib