4 Cybersecurity Basics
October is Cybersecurity Awareness Month! In keeping with the theme, this month I’ll be sharing some thoughts on the security half of “privacy and security.” Let’s start with a quick review of the basics, and for anyone new to this stuff, consider this a “getting started” guide.
1. Strong Unique Passwords
The single most important thing you can do to protect your accounts is to not reuse passwords and to make sure each one is strong. What does “strong” look like? Long and randomly generated. Conventional wisdom says at least 16 characters; I like to future-proof and use 30 or more where the site allows it.
Passphrase or password?
This is where we arrive at the never-ending debate about whether passphrases or passwords are better. A good, strong, password is a randomly generated set of uppercase letters, lowercase letters, numbers, and special characters. A good, strong passphrase is a series of randomly-selected words (five or more words).
Many people argue that a passphrase is superior to a password because of its length. The crux of this argument rests on the fact that most people use short, easily-remembered (and therefore easily-guessed) passwords. A randomly-generated passphrase of five or more words beats a typical password because even a short passphrase runs 25+ characters, and an attacker who treats it as an arbitrary string has to try every combination of uppercase letters, lowercase letters, numbers, AND special characters of that length. Each character you add multiplies the number of possibilities by the size of the character set, so guessing time grows exponentially with length.
However, this argument also rests on the idea that you have to remember your password. There are definitely some that you have to remember, like the password to unlock your device or to log in to your password manager (which I’ll discuss in a moment). Those should definitely be passphrases so you get the best of both worlds: easy to remember, but still long and secure. Beyond that, I don’t think there’s a right answer. What actually determines the cracking effort is not the character count but how many random choices went into the secret: a 30-character random password drawn from letters, digits and symbols has vastly more possibilities than a five-word passphrase of similar length, because an attacker who knows you use a passphrase guesses whole words rather than characters. Both, however, are far beyond what anyone can exhaust, so in practice it comes down to personal preference. Personally I prefer to go with passwords because most sites require uppercase, lowercase, numbers, and symbols anyway, and it saves me the time of switching my password manager back to “password” mode from “passphrase” mode, but again that’s just personal preference. As long as they’re long enough and randomly generated, there’s no practical difference. (But I wouldn’t go around advertising that you use a passphrase if that’s your choice, for reasons that fall outside of the scope of this post.)
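To put numbers on the password-versus-passphrase question, here is a small added example (my own code, not part of the original post) that generates both kinds of secret with the operating system’s CSPRNG and computes their entropy. The word list is a constructed 14-word stand-in; the entropy figures assume a real 7776-word diceware list. The guess rate of one trillion per second is an assumption representing a fast offline attack on a weakly hashed password database; against a slow hash like bcrypt the rate is many orders of magnitude lower.

```python
import math
import secrets
import string

# 94 printable ASCII symbols: what a site that demands upper, lower, digits and symbols accepts.
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in for a diceware word list. Real lists (e.g. EFF's) have 7776 words,
# and the entropy figures below use that size; only the sample output uses this short list.
SAMPLE_WORDLIST = ["anchor", "basil", "copper", "dune", "ember", "fjord", "gravel",
                   "harbor", "iris", "juniper", "kestrel", "lantern", "marble", "nettle"]
DICEWARE_LIST_SIZE = 7776


def random_password(length: int = 30, alphabet: str = PASSWORD_ALPHABET) -> str:
    """Uniformly random characters from the alphabet, using the OS CSPRNG (never random.choice)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words: int = 5, wordlist=SAMPLE_WORDLIST, sep: str = "-") -> str:
    """Uniformly random words; the separator adds nothing to the entropy."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(choices: int, picks: int) -> float:
    """Bits of entropy in `picks` independent uniform selections from `choices` options.
    Each extra pick multiplies the search space by `choices`, i.e. adds log2(choices) bits."""
    return picks * math.log2(choices)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e12) -> float:
    """Worst-case time to try every possibility offline at the given guess rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def strength_report(guesses_per_second: float = 1e12) -> dict:
    """Compare the choices discussed above: bits of entropy and years to exhaust the space."""
    cases = {
        "8-char random password": entropy_bits(len(PASSWORD_ALPHABET), 8),
        "5-word passphrase (7776-word list)": entropy_bits(DICEWARE_LIST_SIZE, 5),
        "6-word passphrase (7776-word list)": entropy_bits(DICEWARE_LIST_SIZE, 6),
        "16-char random password": entropy_bits(len(PASSWORD_ALPHABET), 16),
        "30-char random password": entropy_bits(len(PASSWORD_ALPHABET), 30),
    }
    return {name: (round(bits, 1), years_to_exhaust(bits, guesses_per_second))
            for name, bits in cases.items()}


if __name__ == "__main__":
    print("password:  ", random_password())
    print("passphrase:", random_passphrase())
    for name, (bits, years) in strength_report().items():
        print(f"{name:36s} {bits:6.1f} bits  {years:12.3g} years at 1e12 guesses/s")
```

Two things worth noticing in the output: a five-word passphrase comes to about 65 bits, which an attacker with a fast hash and a trillion guesses per second can exhaust in under a year, while adding a sixth word pushes that past a thousand years. A 30-character random password is near 197 bits, far beyond either. The passphrase figure depends only on the list size and the word count, not on how long the words happen to be, which is exactly why guessing it character by character overstates its strength.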
How to Get Started
Regardless of whether you choose the password route or the passphrase route (from here on out, I’ll just say “password” as a catchall to save time), one of the most important practices is to never reuse a password anywhere. Even with only a handful of accounts, remembering a different password for each one quickly becomes unrealistic, especially for accounts you use rarely. I strongly encourage the use of a password manager: a program that stores all your login information in a vault encrypted with a single master password, so that the one secret you memorize protects everything else. Here you can record all your usernames, passwords, login links, and other information. As an added bonus, a password manager with browser integration only offers your credentials on the site they were saved for, so a look-alike phishing domain gets nothing, and the saved link gives you direct access to the real site. At this time the only two password managers I recommend are Bitwarden and KeePass. You can find more information about both of them and how to use them here. Be sure to enable the next feature, multifactor authentication, on your password manager account (if it has one) as well, for added security.
2. Multifactor Authentication
Multifactor authentication is when you have to present more than just your username and password to log in to a service. A username/password is “something you know.” A second factor could be “something you are,” which takes the form of biometrics like a fingerprint scan, or “somewhere you are,” such as the geolocation of your phone when signing into an app. The most common second factor is “something you have,” which usually takes the form of a code on your phone. In some cases this code is sent to you via SMS or email, but it can also be generated by an app (a “software token”). According to Microsoft, using two-factor authentication (2FA) can stop up to 99% of unauthorized account access. With 2FA, even if a criminal gets hold of your username and password, they still need that code to get into your account. Combining 2FA with the password advice above makes you almost (but never 100%) unhackable.
How to Get Started
First, avoid two-factor codes sent via SMS or email if you have other options. SMS is widely considered insecure because a phone number can be hijacked: an attacker talks (or bribes) the carrier into moving your number to their SIM, a “SIM swap,” and then receives your codes. Email isn’t much harder to compromise and has much further-reaching consequences, since most of your other accounts reset their passwords through it. Some services offer “push” authentication; for example, Google may ask you to confirm the login on your Android device. This is marginally better, though attackers have learned to fire off prompts until a tired user taps “approve,” so deny anything you didn’t just initiate yourself. For the best blend of “easy to use,” “widely available,” and “secure,” you probably want a software token: an app that generates a fresh six-digit code every 30 seconds from a secret shared with the site at enrollment. Its one weakness is that a code typed into a convincing fake login page can be relayed to the real site within that window. I list a few different options here, as well as some information about hardware tokens. Hardware tokens are the most secure two-factor option because the secret never leaves the device and, for FIDO2/WebAuthn keys, the response is bound to the site’s real domain, so a phishing page can’t reuse it. They are not without their drawbacks, though, and are not for the faint of heart. That link has all the information you need if you’re curious.
3. Zero-Knowledge Storage
These days most of our lives are online: email, real-time communications, social media, and many of us have automatic cloud backup of photos or files turned on. From a cybersecurity perspective, handing all of that to a provider in readable form is dangerous. It’s the equivalent of giving your house keys to a stranger every day when you go to work, then your car keys every night when you get home, and hoping they don’t take your stuff or abuse it. (Spoiler alert: they often do.) An easy way to reduce this risk is to switch to zero-knowledge (end-to-end encrypted) services: your data is encrypted on your device with a key the provider never holds, so a breach or a curious employee at the provider gets only ciphertext. For email this could be Ctemplar, ProtonMail, Tutanota, or a whole host of others. For real-time communications Signal dominates the market but is not alone; there are plenty of good choices. For storage I’ve had good experiences with services like Filen, Nextcloud, and ProtonDrive (note that Nextcloud protects you by letting you run the server yourself rather than by keeping the key from a provider; its end-to-end encryption is an optional add-on). For social media you are unfortunately less likely to find options that meet your needs. If you’re just a lurker, front-ends like Libreddit, Nitter, and Invidious can reduce tracking while you browse. If you actually want to post and contribute, there are platforms like Mastodon and PeerTube, but they may not scratch your social itch. Otherwise, the best I can offer is to remember that anything you upload to a mainstream social media provider like Facebook or Twitter becomes theirs and more often than not becomes public. Once you hit “post,” “tweet,” “share,” whatever, you instantly lose control over what happens to it from there, for better or worse.
4. Full Disk Encryption & Backups
Of course, not all threats to our digital lives are digital in nature. A broken device can result in loss of important documents and a stolen one can result in exposure of sensitive information. Many of these risks can be mitigated by using good backup habits and full disk encryption. Let’s start with the first one.
There’s a lot that goes into good backups. For a full rundown, see this page. Here’s the short version:
Figure out how much space you need
Decide how often you need to back things up
Come up with a system that works for you – automatic backups, calendar reminders, whatever.
Don’t forget the 3-2-1 rule: 3 copies of your data (including your “live” in-use copy), on 2 different kinds of storage (cloud and an external hard drive, for example), with 1 copy off-site (such as the cloud).
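The list above covers making backups; the step most people skip is checking that the copies are complete and intact, since a silently corrupted or half-synced copy only reveals itself on the day you need it. As an added example (my own code, not from the post), the script below builds a manifest of SHA-256 hashes from the live copy and verifies each backup against it. The scenario is constructed in a temporary directory: one clean copy standing in for the external drive and one standing in for the cloud copy in which a file went missing and a single byte of another was flipped.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Stream the file so large photos or videos aren't loaded into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 of every file under `root`. Build it from the live copy
    and store it with each backup; it is what lets you prove a copy is complete and intact."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_copy(manifest: dict, copy_root: Path) -> dict:
    """Check one backup copy against the manifest. Reports files that are missing and
    files whose content changed (bit rot, a failed sync, or tampering)."""
    copy_root = Path(copy_root)
    missing, corrupt = [], []
    for rel, expected in manifest.items():
        target = copy_root / rel
        if not target.is_file():
            missing.append(rel)
        elif sha256_file(target) != expected:
            corrupt.append(rel)
    return {"ok": not missing and not corrupt, "missing": missing, "corrupt": corrupt}


def demo() -> tuple:
    """Constructed scenario: a live folder, a clean copy on an 'external drive', and a
    'cloud' copy where one file was deleted and one byte of another was flipped."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp, "live")
        (live / "photos").mkdir(parents=True)
        (live / "notes.txt").write_text("tax documents 2021\n")
        (live / "photos" / "cat.jpg").write_bytes(bytes(range(256)) * 4)

        manifest = build_manifest(live)
        manifest_file = Path(tmp, "manifest.json")
        manifest_file.write_text(json.dumps(manifest, indent=2))  # travels with the backups

        external = Path(tmp, "external_drive")
        shutil.copytree(live, external)
        cloud = Path(tmp, "cloud")
        shutil.copytree(live, cloud)
        (cloud / "notes.txt").unlink()                              # lost in a bad sync
        damaged = bytearray((cloud / "photos" / "cat.jpg").read_bytes())
        damaged[100] ^= 0x01                                        # one flipped bit
        (cloud / "photos" / "cat.jpg").write_bytes(damaged)

        saved = json.loads(manifest_file.read_text())
        return verify_copy(saved, external), verify_copy(saved, cloud)


if __name__ == "__main__":
    good, bad = demo()
    print("external drive:", good)
    print("cloud copy:    ", bad)
```

Run the verification as part of whatever schedule you settle on in the steps above; a hash manifest also doubles as a tamper check if the stolen-backup scenario in the next section ever turns into a returned-backup scenario.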
Full Disk Encryption
So what if your primary device gets lost? Or what if a criminal breaks into your home and steals your external backup drive? This is where full-disk encryption comes into play. Even before I was into privacy and technology, I learned that I could use a $20 adapter cable from Newegg and a second computer to pull a computer’s hard drive and read everything on it, even if the computer won’t boot (related note: never pay Geek Squad to recover your dead computers. It’s a scam. Just use that). Full-disk encryption makes the drive unreadable without the password. Macs come with FileVault, Windows Pro and Enterprise editions come with BitLocker (Home editions get the more limited Device Encryption on supported hardware), and most Linux distributions offer LUKS as an option at install time. If your device doesn’t have these, or you’d prefer something else, I recommend VeraCrypt. (It’s good for encrypting external backup drives, too.) Modern Android and iOS devices encrypt storage by default, with the key tied to your unlock code, so that code is what actually protects the data. One caveat applies to all of them: the encryption only protects a device that is powered off or locked with the key not loaded. A laptop left unlocked, or asleep with the key still in memory, can be read by whoever holds it, so lock your screen and prefer shutting down over sleep when a device leaves your hands. You can learn more about all of this here.
Originally this post was supposed to be “5 Cybersecurity Basics,” and #5 was going to be network security. However, my sublist of tips kept growing and growing and now it’s basically a blog post of its own. So tune in the week after next (next week is a review week) for the conclusion with some tips on how to secure your home network better.