Thursday, May 3, 2012

The 15 Commandments of Computer Safety

The Computer Gods hath spake unto us these divine commandments, saying:


1) Thou shalt have complex passwords

Your passwords should look truly random. Each one should be a minimum of 10-15 characters long and contain upper case letters, lower case letters, digits, and (if possible) special characters. There should be no dictionary words in it.

There are two password managers I can recommend that will automatically do this for you; you won't even need to know what your actual passwords are. They are LastPass and 1Pass4All. This will make life easy for you. You still need to make your master password for these services very strong. There is a wonderful password checker at howsecureismypassword.net.

2) Thou shalt not have the same password on more than one website

Never, ever, ever, ever, not ever have the same password for more than one website. There are no exceptions to this rule. There are numerous SAFE ways of not having to remember the actual password for each website. LastPass, mentioned above, is a watertight password manager that uses servers to store your keys in the cloud. However, your passwords are encrypted and decrypted locally. 1Pass4All allows you to have one password for all your websites. It runs your master password through a hashing algorithm keyed to each website, so every site ends up with a different derived password.

Finally, you can come up with your own algorithm. For instance, you could assign each letter of the alphabet a specific three-character alphanumeric string and build your password from the strings for the first three letters of the website address. Or the last three. Or whatever. Come up with your own solution that takes the website URL into account as part of the password, and make the scheme hard to figure out in case someone hacks one of your accounts.
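As an added example that is not part of the original post, here is a per-site password derivation in the spirit of the approach just described, built on a standard password-based key derivation (PBKDF2-HMAC-SHA256) with the site name as the salt, and checked against the complexity rule from the first commandment. The master passphrase and site names are constructed placeholders.

```python
import hashlib
import string

# Constructed example values: the master passphrase and site names below are
# placeholders for this illustration, not anything from the original post.
MASTER = "correct horse battery staple 2012"
SITES = ["bank.example", "mail.example", "shop.example"]

# Exactly 64 symbols, so a byte masked with 0x3F selects one without modulo bias.
ALPHABET = string.ascii_letters + string.digits + "-_"
assert len(ALPHABET) == 64

def password_is_complex(pw: str, min_len: int = 15) -> bool:
    """The post's rule: at least 15 characters with upper, lower, digit and special."""
    return (len(pw) >= min_len
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))

def site_password(master: str, site: str, length: int = 20) -> str:
    """Derive a per-site password from one master passphrase.

    The site name is the salt, so the same master yields an unrelated password
    for every site: a password leaked from one site reveals neither the master
    nor the passwords for any other site. A counter is appended to the salt
    until the result meets the complexity rule, so the output stays
    deterministic for a given master and site.
    """
    counter = 0
    while True:
        salt = f"{site.lower()}|{counter}".encode()
        raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 100_000, dklen=length)
        pw = "".join(ALPHABET[b & 0x3F] for b in raw)
        if password_is_complex(pw):
            return pw
        counter += 1

if __name__ == "__main__":
    for site in SITES:
        print(f"{site:14} {site_password(MASTER, site)}")
```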

3) Thou shalt not type your password

You should never type your password for your bank account. This is because there could be a software-based or hardware-based keylogger on your machine. LastPass and 1Pass4All can both fill out the password field automatically, so it is a non-issue with these. But if you must type your password, simply type the characters out of order, using the mouse to move the cursor at some point while you're typing. Or you can use an on-screen keyboard. On a Windows computer go to Start → All Programs → Accessories → Accessibility → On Screen Keyboard. Linux also has an on-screen keyboard under Preferences → Universal Access.

A copy+paste of your password from a file on a USB drive isn't 100% secure. It's possible that a piece of malware could have access to your clipboard data or to the file. Also, storing your passwords without encryption would be a bad idea.

4) Thou shalt change your password often

Websites' databases get hacked all the time, and many of them contain improperly hashed passwords. Even when passwords are stored on a webserver as hashes, they can be cracked in time with high-powered computers. If you change your passwords every 1-6 months you will be much less vulnerable to these breaches: you create a moving target for a would-be account thief. A strong password takes longer to crack than a weak one, but it can still be cracked. By changing passwords often you make it virtually impossible for someone to keep up within that timeframe. Conversely, by never changing your passwords you give an attacker all the time they need to crack your password from a password hash.

5) Thou shalt secure thy operating system

Run a supported version of Linux or BSD, if at all possible. If you need to use Windows applications you can still run them inside a virtual machine. If you must run Windows or Mac as a full time environment, keep it patched (security updates), do regular virus scans, and keep abreast of security news for that OS (operating system). If you don't know what an operating system is, you probably shouldn't be using the Internet.

6) Thou shalt keep thy browser and plugins patched and up to date

What browser are you running? Is it the latest version available? It better be. Do you know what plugins you have enabled for that browser? Are those up to date as well?

To check the browser version go to "Help → About" (Firefox and IE) or just "About" (Chrome). To see what plugins are enabled in Firefox, open up a new tab and type “about:plugins” (without the quotes). To check if those plugins are up to date go to mozilla.org/en-US/plugincheck/. To see what plugins are enabled in Chrome type “chrome://plugins/” (without the quotes). It should automatically list which plugins need to be updated. Internet Explorer does not have a sufficient built-in plugin checker (correct me if I'm wrong), but Mozilla's plugin checker should work, although it is very limited with IE.

7) Thou shalt know thy browser settings

For instance, when I close out my Firefox session, it automatically clears out all browsing history, download history, active logins, cache, saved passwords, and offline website data. I keep cookies and form history enabled. I set it to automatically block reported attack sites, web forgeries (phishing sites), and automatic add-on installs.

There's a Firefox add-on called "HTTPS Everywhere" that forces Facebook, Twitter and many other popular websites to use their secure (HTTPS) versions, including the log-in pages. Another great add-on is NoScript. It keeps website scripting under control. It is very annoying the first week of use, but after you whitelist all of your most commonly used sites it's well worth the trouble.

If using a public computer, always use private browsing mode. In Firefox go to "Tools → Start Private Browsing". In Chrome go to "New Incognito Window".

Again, know how to use your browser.

8) Thou shalt guard thy email account with thy life

This means don't let friends or family have access to the email account that's associated with your bank accounts. Change your email password every 1-6 months, or any time you suspect it might have been compromised.

If someone has unrestricted access to your email account, they are more than halfway there if they want to ruin your life. Most banks even offer to reset passwords through your email account and some other rudimentary personal information. Yikes!

9) Thou shalt not follow links provided in emails

We've all heard this one before. Just enter the address using bookmarks or your keyboard (making sure not to misspell the URL).

10) Thou shalt know how to identify an institution

Phishing continues to be one of the primary ways people get hacked. There are several ways to identify a website. Google, Facebook, and banks with online access all offer https access. Keep in mind that this is not always the default; sometimes you have to type in the "s" part of https manually. When the secure page is displayed, you can click on the left side of the URL address bar (right side for Internet Explorer) and it will display identity information for that website, including third-party SSL validation, encryption specifications, and the date of your last visit. Also, most banks use a SiteKey for mutual authentication.

11) Thou shalt know thy public WiFi dangers

Check your WiFi connection before connecting. If it's WEP or open access, it's totally insecure. If it's WPA2, it might be secure. To make a WPA2 connection completely secure you must (a) not broadcast its existence publicly (to keep a low profile), (b) use a unique SSID (the SSID salts the key derivation, so this protects against precomputed rainbow table attacks), and (c) use a long, complex and unique password (the most important step).
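To show why recommendation (b) matters, here is an added example (not from the original post) of the standard WPA2 passphrase-to-key mapping: the SSID is the salt, so the same passphrase produces an unrelated key on every network, and a table precomputed for common default SSIDs is useless against a unique one. The passphrase and SSIDs are constructed values.

```python
import hashlib

def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """Passphrase-to-PSK mapping from IEEE 802.11i: PBKDF2-HMAC-SHA1 with the
    SSID as the salt, 4096 iterations, 256-bit output.

    Because the SSID is the salt, a table of keys precomputed for factory-default
    SSIDs says nothing about a network with a unique SSID; that network has to be
    attacked from scratch, which is what makes a long passphrase (c) decisive.
    """
    if not 8 <= len(passphrase) <= 63 or not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA2 passphrase must be 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)

# Constructed values for the illustration.
PASSPHRASE = "same-passphrase-on-both-networks"
DEFAULT_SSID = "linksys"            # a factory-default SSID, the kind precomputed tables target
UNIQUE_SSID = "HomeNet-7f3a-2012"   # a unique SSID, the post's recommendation (b)

def psk_is_ssid_specific(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True when the same passphrase yields different keys on the two SSIDs."""
    return wpa2_psk(passphrase, ssid_a) != wpa2_psk(passphrase, ssid_b)

if __name__ == "__main__":
    for ssid in (DEFAULT_SSID, UNIQUE_SSID):
        print(f"{ssid:18} {wpa2_psk(PASSPHRASE, ssid).hex()}")
```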

Any information that you don't want in a stranger's hands should be encrypted when using a public WiFi connection. This means that all URLs should be https and not http. Also, if a clandestine hacker is lucky enough to have access to a forged SSL certificate, know that you could be the victim of a man-in-the-middle attack. In this case your banking session or whatever would be encrypted, but it would be going through that person's laptop and he/she would be accessing your bank on your behalf. That's a very bad situation. The only way to protect against a MITM attack is to stay on top of the news regarding forged SSL certificates, not something the average person is willing to do.

Another consideration when using a public WiFi connection is to use a VPN (virtual private network). This allows for anonymous, secure web browsing in public locations.

12) Thou shalt monitor thy logged-in locations

Many websites supply this information at the bottom of the page or on the log-in page. If you suspect foul play, check your settings and then reset your password immediately.

13) Thou shalt not download illegal content

Anytime you download illegal content, you're asking to get hacked. If you absolutely can't live without pirating something, do it in a virtual machine and don't ever use the file on the same OS (operating system) you do your banking with.

14) Thou shalt secure all sensitive computer data

If someone gave me a computer to hack, I could clone the drive in an hour, read the files without having that person's administrator or user password, and return it without them knowing. What if a trojan/virus had access to your file system? What data could it plunder?

The only acceptable way to store sensitive data on a machine is 256-bit symmetric AES encryption (minimum). Personally I use 4096-bit asymmetric PGP encryption. Some people prefer to encrypt the entire file system rather than just the files that need it. You can also encrypt emails before sending them and use encrypted chat rooms to communicate. If you keep your backup data in "the cloud," encrypt your data before sending it out. If you live in a country where encryption is legal, use your rights! If you don't, well, there's always TrueCrypt.

If you delete a sensitive file, make sure you use a program like Eraser (Windows) or the "shred -fuz" command (Linux). Otherwise the file can still be recovered.

15) Thou shalt add extra security layers

Two-factor authentication (AKA two-step verification) is the new security layer in town and it's here to stay. Google offers it. Facebook offers it. My Chase credit card offers it. It essentially means a would-be hacker cannot get past the log-in page by guessing your password unless they also have unrestricted access to your cell phone and/or email account. Once you log in from a computer, the website will remember that computer for 30 days (if you want it to). The process repeats every 30 days, which automatically phases out computers that you don't use anymore.

Also, make sure your security questions are next to impossible for anyone to guess, including law enforcement, who might have access to your mother's maiden name, previous addresses, etc. FYI, Sarah Palin's email account got hacked this way. If Sarah Palin had had multi-factor authentication and strong security questions, she would have been safe. Google is one of the few websites that lets you type in your own security questions and answers. This can be a great thing, or a terrible thing if used improperly.