Please, think about your online security (with 8 ways you can improve it)

There are a few simple things you can do to improve your online security. By no means to I pretend to be an expert, but this is stuff I like to think about.

#1: Please change your password.

I know there's at least one person reading this that probably uses the same password for all of their online accounts. Just c'mon. Think about it: if someone figures out your Netflix password (maybe you even share it with someone!), they might have access to your bank account. You might trust your friends or family enough to watch movies, but do you trust them enough to have access to your money?

Please, just change your passwords. Dedicate an hour of your life to this, secure your accounts a little bit.

Some tips: All your passwords should be different (yes, seriously). If you don't have a nomenclature (naming system), use a password manager (see next section). Don't use your name, or anything that can be easily guessed. If I'm manually creating a password, I like to think about stuff around me, adding some characters - like Speak3rs+Watermel0n. But honestly, just use a password manager. I use LastPass, but there are plenty out there - 1Password, NordPass, Apple iCloud Keychain.

#2: No like seriously, update your passwords.

It really, really doesn't take much. Please, please do it.

#3: Use a Password Manager

Seriously, just do it. I lived 21 years of my life without one, and now I don't think I could live without. Everything is randomized, secure (more on this later), and it's easy to use across devices. A password manager will generate a random password for you, keep track of it, and allow you to automatically input it across devices.

There are free options for password management, and there are paid options. I think I pay about $50/annually for LastPass Premium, and there are also family plans available (if you need to share passwords with family on the regular).

#4: If you can use Two-Factor Authentication (2FA), USE IT.

Two-Factor Authentication sounds complicated. It really isn't. Many of you have probably used it before without knowing. Essentially, it's two levels of security, or two different passwords. There's a few levels of it:

  1. Security Question + Answers 2FA (least secure): (Not) Surprisingly, the big five banks (RBC, TD, Scotia, CIBC, BMO) all use this still - I think. Essentially, upon registering, you choose a few questions, and input your answers to them. When you log in to your account, if the system doesn't recognize you, it will ask for your answer to your security questions. The reason I mark these as least secure is because for a lot of people, a quick browse of your social media accounts or online posts and one could find the answer. Which city did you grow up in or were you born in? Location pinpointed on Instagram post. What was the name of your first pet? Photo of your dog. See what I mean?
  2. SMS/Text Message/Email Based 2FA (mildly secure): Ever log into an account and then be asked to input a code from your text messages (or email)? That's this. It's decent. There can be issues sometimes - what if your email gets hacked? What if your text messages are being hijacked (this can happen). What if you're in a different country, trying to get into a different account, but aren't paying roaming fees on your typical cell phone number? This type of 2FA is good - and easy to use. Use it if you can.
  3. App-based, time-sensitive 2FA (good security): Some companies *only* allow this type of 2FA. Arguably a good decision. Essentially, instead of receiving a text with a code, you'll open up an application like Microsoft Authenticator, Google Authenticator, etc. These apps are relatively easy to set up, especially for my generation that lives on their devices. These systems are better than SMS/Email: less susceptible to intrusions/hacks/hijacks, based on open-source code, and time sensitive. These codes reset every 30 seconds (depending on settings). However, you'll want to ensure you have your backup codes saved somewhere (like a password manager!) in case you lose access to your app (like a lost phone).
  4. Hardware-based, time-sensitive 2FA (great security, but advanced): Arguably nobody reading this needs this level of protection, but if you're feeling like you want to secure some important accounts (like your password manager), hardware keys can be an option. But like seriously, they take a while to learn how to use. Unless you want to dedicate time to security, I wouldn't recommend this option. Essentially, for any application/company that you can use an app-based 2FA for, you can use a hardware key. Instead of simply opening an app, you must insert or tap a USB drive to your computer or phone/tablet (respectively), and either use an associated app to access a time-sensitive code - like app-based 2FA - or to directly access your account. For example, Facebook and Twitter support what is called the FIDO U2F protocol (I'm not that technical, but the info is there if you want), that essentially work as such: Log in to your account using your username & password. Upon verification of your credentials, the service will ask you to insert/tap your hardware key (literally a USB device). Upon successful usage of your key, you will be allowed access to the account. An example of hardware keys with FIDO support are Yubi keys. The biggest cons of this option are 1) the cost, and 2) you need to ensure you have multiple keys - in case you lose one - and keep them safe.

You can check out the 2FA Directory to see which online services support two (or multi) factor authentication.

#5: Keep your shit private. (Seriously.)

Look, I guess we all love the instant gratification of likes on our posts - that's great. In terms of this section, I don't have a problem with people having their accounts public - that's fine - just a bit less privacy for you. I keep mine public sometimes! That being said, keep your stuff private - that could mean keeping your accounts on private, or just simply not putting your entire life out for people to know.

As some will know - it's not always the best idea to keep your location data going into your posts. Keep your location private, and it's less easy for someone to stalk you. Seriously. While we're at it, there is absolutely no reason to have your location public on Snapchat. Seriously. If you must share your location with someone, there's other ways of doing so. If you have an iPhone, share your location with a friend by using Find My. It's more secure, and private, relative to other apps. If you're on Android... IDK.

#6: Keep your shit even more private, use a Virtual Private Network (VPN).

This might seem complicated - but I promise, it's easy. Essentially a VPN creates a secure, private "tunnel" for your information to flow through on it's way to connect to the internet writ large. A VPN conceals your Internet Protocol (IP) address, and hides your data (somewhat) from prying eyes - like your internet service provider. Some ISPs will sell lists of which sites you visit - don't like that? A VPN is your friend. It's doubly good if you often connect to public Wi-Fi networks. Basically, a VPN keeps your shit private from prying eyes, allows you to appear in different places (sometimes can be used to view content from different locales!), and in some cases, can make your internet faster (often a millisecond or two slower, though).

There are plenty of VPN options out there - free and paid. If you just want a quick, free, no hassle option, CloudFlare (one of the internet's most successful security companies, led by a Saskatchewanian) offers a very simple, free option called Warp, offered on the 1.1.1.1 DNS framework. You can check out 1.1.1.1 for more information and to download the app(s). I use WARP all the time, on every device.

If you're looking for more premium options, such as the ability to appear in different locations, you'll likely need to pay for a VPN (especially to get decent speeds). Below are some of my favourites (I have used FastestVPN and Mozilla before - Mozilla is the organization behind the Firefox Browser, and Pocket, one of my favourite tools):

There are many other options, all of them are very similar.

#7: Use your browser's anti-tracking features to your advantage (might break some websites).

Google Chrome is mediocre (as far as I recall) for this, Firefox is good, and Safari is decent (Apple products are decent for this too, especially after the recent anti-ad-tracking updates).

In Firefox on a computer, you can go to Options -> Privacy & Security to choose various options. I usually keep my Firefox browser set on Strict Enhanced Tracking Protection. However, when I need to attend classes, I have to shift to moderate in order to be able to load my WebEx meetings - it does break things!

On your phone, no matter what the app asks, just say "Ask App Not to Track" -> while not necessarily good for security, it's good for privacy, and makes companies like Facebook scared. That's good.

Oh, and use an Ad Blocker. Disable it for the indie media sites that you really want to support, but otherwise, keep one on. I use uBlock Origin.

#8: Practice good habits (the most important)

This sounds wrong, but honestly - this is the most important one. All of the above are great, but if you share all your passwords with multiple people (or in public, or write them on a piece of paper), or click links in messages or emails without thinking, the other points are moot.

  • Do not share passwords. Especially important passwords - your phone, your bank pin & account password, etc. Netflix? Meh.
  • Seriously, just don't click links in messages and emails if you don't have to. If a store is offering a deal in your email, go to the store website and enter in the coupon code yourself. Get an email from a lawyer or a prince? Ignore. A text message about a tax refund? DELETE IT.
  • For links that absolutely must be clicked, such as Amazon account verification links, you'll begin to recognize the numbers they come from. I believe Amazon, at least in Canada, uses a 7**** series (at least for some). These will typically stay the same for (good) companies - some will change, but you'll recognize the message based on the context and your actions.
  • For everything else, just use your judgement. Banks for example, will never (or at least, shouldn't) send an account login link via email - you must go to their website yourself. Outside of the internet, if you receive a call from someone - verify the call by hanging up and calling back the company/organization yourself on their public line (not just re-dialing the call that came to you)!

TRUST, BUT VERIFY.

BONUS: Check if your passwords have been released on to the interwebs.

Use have i been pwned? and check if your passwords need to be changed. Many password managers will do this for you (hint, hint)!

by Trey