A quick acknowledgment and thank-you to my supervisor at work is in order. I had him look this over before I posted it, and he thought of a couple of things I didn’t. In particular, the note about URL shorteners is to his credit.
This post has been on my list of things to write for quite a while; Grant actually requested it some time back in 2019 and I’ve been dragging my feet on getting it written, but since it looks like we’ll all be relying on digital tools even more than usual for quite a bit longer than we’d initially hoped, this seems like as good a time as any to get this information out there.
First, I’d like to toss out a few disclaimers: this is not all-encompassing advice, and it does not put you into a state where you are digitally impregnable and immune to all attack. It likewise doesn’t do a whole lot to ensure your privacy or lessen your digital footprint. This is a basic primer. It is, however, more than most people do, and it will get you to a point of diminishing returns. (Also, if the size of this thing is daunting to you, feel free to skip down to the TL;DR in the conclusions. The advice is relatively straightforward, I just spent a lot of time on the hows and whys.)
To be more specific about it, what this advice does do is close off or at least decrease the convenience of a number of common attack vectors. Avoiding being the victim of malware and cybercrime is a bit like avoiding being hit by lightning; you don’t want to be the path of least resistance. Your goal is to be someone who has implemented enough security that circumventing it is annoying and sends a potential bad guy off in search of easier prey.
Second, and related, this is not anywhere near everything you can do. If you really want to spend time (and money) hardening your digital environment against attack, there’s almost no limit to how much you can do. But at a certain point, your security measures will be so secure that all you’re going to be doing is making it harder for state actors to get in, and I assure you, if the NSA or FBI or some foreign intelligence service wants access to your stuff that badly, they will at some point decide that the hackers are taking too long and resort to some combination of legal pressure, HUMINT, and violence instead.
But let’s not kid ourselves: most of us are far beneath the notice of the “three letter agency” community and are really much more concerned about more common stuff that can mess your life up, like identity theft and ransomware.
One of the other things that you have to accept, particularly in the US, is that the cat is already somewhat out of the proverbial bag. The Equifax data breach from a few years back got basically everyone who was an adult at the time. There is no un-ringing that bell. But there is a measure of security in being just one data point in a vast digital sea, too. So with those caveats acknowledged, let’s take a look at some simple stuff you can do to make yourself a little bit safer online without spending a huge amount of effort on the process.
Passwords and Other Authentication Concerns
There’s been a lot written about passwords over the years and how to use them, but it all boils down into just a few basic criteria. Don’t worry if terms are unfamiliar, I’ll get to them later.
A good password is:
- Unique – in your usage. You don’t want to reuse passwords at all with a couple of very specific exceptions that I’ll get to later.
- Unique – in the world. If you’re only using “pa$$w0rd” for one site, that’s still no good. I guarantee you that password (or at least its cryptographic hash) is in databases of common passwords that have been compiled from prior cyberattacks.
- Complex – use the full character set.
- As long as possible (up to around 32 characters or so, anyway).
Let’s talk about each of these a little bit.
Unique to you: Password reuse is a bad idea because even if you have a really strong password, all it takes is for one of the places you’re signing into to suffer a data breach and a bad actor has a set of user credentials that they can try in other places. Even if you have a “special” password for your bank (for example) you can still suffer a breach if a bad guy gets access to your email and uses that to reset the password on your bank account. One place you can get away with reusing passwords is when you’re not going to keep them. For example, at work when I’m doing an initial OS install on a computer, I create an account with “temp” as the password. When I reset the system to an out-of-box experience, that account goes away and takes its weak password with it. The other, for the record, is when multiple websites are under a single corporate banner and all share common login credentials. In the TTRPG hobby, I’m thinking especially of Onebookshelf sites – DrivethruRPG, the DM’s Guild, DrivethruComics, and so on. You can use a single account there to keep your entire digital library in one place, and it’s okay to do so.
Unique in the world: The other potential pitfall is that if you use a password that is out there in the world in widespread use, especially if a lot of other people are using it, there’s a good chance that it can be reverse-engineered. Most places don’t actually store your password any more these days; what they store is a cryptographic hash of your password. However, the password can still be worked back out from that hash, for instance from other people’s password hints (and by other means). This XKCD comic gives you an idea of how that can work.
Complex: If the bad guys can’t get into your account with a so-called dictionary attack (so named because early versions literally just used a dictionary to see if someone had used an ordinary English word as their password; modern versions use lists of known passwords), they will have to do what is known as “brute forcing” their way in, which is the process of trying every single possible password. In that case, you want them to have to try as many possible characters as you can. Let’s say you have a four-character ATM PIN. Each of the four digits can be a number from 0-9. Which means that your password is 0000, 9999, or some value between those two. It doesn’t take modern computer technology very long at all to zip through 10,000 values; they can perform thousands of checks a second. But now let’s add the lowercase letters from the English alphabet in. Now your list of potential characters has grown from 10 to 36 for each place. Add the uppercase letters in? Now we’re at 62 possible characters. Add in the special characters like “!,” “@,” and “#” and you get even more – 33 to be precise, for a total of 95 possibilities for each character.
As long as possible: Combine the large possible character set with the longest allowed string and you wind up with a password that is murderously hard to break. Like “even accounting for Moore’s Law, it will take trillions of years to crack this” hard once you get to a certain length. Every additional character you add makes the possible list of combinations exponentially larger. To go back to a simple numeric PIN – if it’s 1 digit, there are 10 possible values. Two digits and you have 100, three and you have 1000, 4 and you have 10,000, and so on. Even with a character set of 10, a 4-digit pin is 1000 times harder to guess than a 1-digit one is. If you want to have some fun, take a look at this analyzer from Gibson Research Corporation.
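To put numbers on the two paragraphs above, here is a small calculator (an added example, not part of the original post) that computes the search space, the equivalent strength in bits, and the worst-case time to exhaust it for each character set the post mentions. The guessing rate is a constructed figure, not a measurement of any particular hardware.

```python
# Added example (not from the original post): how the brute-force search
# space grows with character-set size and password length.
import math

# Character-set sizes used in the post: digits only, digits plus lowercase,
# digits plus both cases, and the full printable ASCII set (95 characters).
CHARSETS = {
    "digits": 10,
    "digits+lower": 36,
    "digits+upper+lower": 62,
    "full printable ASCII": 95,
}


def keyspace(charset_size, length):
    """Number of distinct strings of `length` characters from a set of `charset_size`."""
    return charset_size ** length


def entropy_bits(charset_size, length):
    """Equivalent key strength in bits: log2 of the keyspace."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(charset_size, length, guesses_per_second):
    """Worst-case time to try every candidate at a given guessing rate."""
    return keyspace(charset_size, length) / guesses_per_second


def table(guesses_per_second=1e9, lengths=(4, 8, 12, 16, 32)):
    """One row per (character set, length): keyspace, bits, and seconds to exhaust."""
    rows = []
    for name, size in CHARSETS.items():
        for n in lengths:
            rows.append((name, n, keyspace(size, n), entropy_bits(size, n),
                         seconds_to_exhaust(size, n, guesses_per_second)))
    return rows


if __name__ == "__main__":
    # 1e9 guesses/s is a constructed rate chosen to make the scale visible.
    for name, n, space, bits, secs in table():
        years = secs / (365.25 * 24 * 3600)
        print(f"{name:22} len={n:2}  keyspace={space:.3e}  "
              f"{bits:5.1f} bits  ~{years:.3e} years at 1e9 guesses/s")
```

The PIN comparison in the text falls out directly: `keyspace(10, 4) / keyspace(10, 1)` is 1000, and each extra character multiplies the space by the size of the character set, which is why the years column jumps by orders of magnitude per row.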
At this point you may be saying “okay, this is all great in theory, but I have things to do with my brain other than just remember passwords. Plus, I’m not that creative – how the heck am I supposed to come up with a password that nobody else on earth is using for anything?”
The answer to that is “use a password manager.” There are a bunch of them out there. I personally use LastPass and have for around a decade now. They have been audited multiple times by security firms and professionals much smarter than me and passed. I also use Keepass at work for my work passwords, which I do so that I have a completely separate repository. Work/life balance and all that. These utilities solve a lot of the problems of password maintenance. You can use them to generate and store passwords that are just strings of random characters, and they save you from having to remember them yourself. Some (like Lastpass) can even autofill your login information, which is one of the rare instances where security and convenience intersect.
But that also means you need one really amazing password to secure the password vault with, because if someone gets their hands on that, they’ve got the proverbial keys to the kingdom. And to make matters more difficult, you have to be able to remember it, because if you can’t, you won’t be able to get to all of your other passwords and that’s no good either. So what to do? This XKCD comic is mostly correct, but I’d suggest a small tweak: append a small batch of characters to the words somewhere to stretch the length and character pool size. Here’s an example: grazingchevroletwalnut294768#X
Now, even a really long, hard-to-break password is not going to help you much if you make it easy to guess. If I used MontyGeorgePelorGarrus7242004! instead of the string above, that would be significantly less secure for me, even though it’s the same length and same character pool size. It might be more secure for you, though. Why? Because everything in the second password is personally significant. Monty is one of my cats. George is the name of the street I grew up on and a former coworker I had a very favorable view of from a previous job. Pelor is a D&D deity. Garrus is a companion from Mass Effect. And the numbers? That’s the date my wife and I got married. Everything in there is personally-significant and could easily be found in a customized dictionary for me. Pet names, former streets of residence and characters from IPs that I publicly like are no-brainer guesses for me. So I don’t use them.
So where should you pull from? Find words that you don’t use super often but find delightful for some reason. An example could be “bookkeeper” – it’s long, and it’s also got the unique linguistic quirk of being three sets of double letters in a row. Use words from professions you aren’t part of and have no interest in. Use the names of professional athletes that play for teams you don’t care about. Throw in a word from a language you don’t speak. Put in the name of an old player character you don’t talk about anymore that had a goofy name. Or some other combination. But use more than one. And then put a string of characters that gets you up to the full character set size in there somewhere. What you are looking to do is thwart someone who did an hour or two of research on you from having a better chance of getting into your stuff than someone who doesn’t know you at all.
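The two paragraphs above describe the recipe: several unrelated words, plus a short tail drawn from the full character set. The following script (an added example, not from the original post, and not the author’s own string) makes both choices with the operating system’s cryptographic random source instead of with memory, and also generates the random-string passwords a password manager would hand out for every other site. The word list is a constructed stand-in; a real one would run to thousands of words.

```python
# Added example (not from the original post): generating a master passphrase
# of the kind the post describes, plus ordinary random passwords, using the
# CSPRNG behind the `secrets` module.
import math
import secrets
import string

# Constructed word list standing in for the post's advice: odd-but-pleasant
# words, trade jargon you don't use, foreign words, old character names.
WORDS = ["bookkeeper", "grazing", "chevrolet", "walnut", "ferrule", "kestrel",
         "gondola", "saffron", "lathe", "trombone", "quince", "mistral"]

# The tail pulls from digits, punctuation and uppercase, which lowercase
# words alone never cover; together with the words that is the full 95-set.
SUFFIX_CHARSET = string.digits + string.punctuation + string.ascii_uppercase


def passphrase(num_words=4, suffix_len=6, words=WORDS):
    """Concatenate randomly chosen words and append a random tail from SUFFIX_CHARSET."""
    chosen = [secrets.choice(words) for _ in range(num_words)]
    suffix = "".join(secrets.choice(SUFFIX_CHARSET) for _ in range(suffix_len))
    return "".join(chosen) + suffix


def passphrase_entropy_bits(num_words=4, suffix_len=6, wordlist_size=len(WORDS)):
    """Entropy of the generation process, in bits: how many equally likely
    outputs there are. Length alone says nothing; only the random choices count."""
    return (num_words * math.log2(wordlist_size)
            + suffix_len * math.log2(len(SUFFIX_CHARSET)))


def random_password(length=24,
                    alphabet=string.ascii_letters + string.digits + string.punctuation):
    """What a password manager generates for each site: a uniform random string."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print("master passphrase:", passphrase())
    print(f"process entropy with this tiny list: {passphrase_entropy_bits():.1f} bits")
    print("site password:", random_password())
```

The entropy figure is the honest one: four words from a twelve-word list contribute only about 14 bits, so with a toy list the tail carries most of the strength. With a list of a few thousand words the word choices dominate, which is the point of the XKCD approach; the tail is there to satisfy “full character set” rules and to lengthen the result.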
This should also go without saying, but do not share your passwords with anyone except maybe your spouse if you’re married. If you are sharing an account that you will both need to get into, that’s one thing, but I wouldn’t share passwords with anyone who didn’t have to see a lawyer to break up with you, including your parents (if you’re an adult) and children. In particular, don’t share them with IT workers unless they specifically ask. And in over 90% of the cases, they won’t. I would much rather have a customer enter their own password than tell it to me. If I know your password and something goes wrong with your system, I’m on the list of possible parties responsible for that. Not knowing your password protects me. It horrifies me how blithely some end users will just volunteer their passwords without me even asking them first. (A specific trick for that particular 10% situation: if you are in a position where you do need to share a password with someone who is fixing your computer or something, change your password to something weak and convenient first, share that with them, and then change it back as soon as they’re done. This protects both of you.)
Finally, for places that are really important, such as your password manager or your bank account, set up two-factor authentication. Two-factor authentication still uses the username and password (something you know) but adds another requirement to get in. This is typically either something you have (a mobile device that gets SMS notifications or is running an authenticator app or possibly a dedicated security token) or something you are (biometric data like fingerprints). It’s a little bit inconvenient to have to enter a code or provide a fingerprint, but it makes getting into an account secured with it a lot harder for bad guys. It’s still not foolproof – a sufficiently-motivated and nasty attacker can resort to rubber hose cryptanalysis after all – but again, most cybercriminals aren’t that motivated with regard to any specific target. If your stuff is hard enough to get into, they won’t dig in their heels, they’ll go looking for someone less security-conscious to steal from. Time is money in crime, too. Unless you’re worth bazillions, there’s always an easier target that’s just as valuable to them.
Okay, that covers the basics of good passwords. What to do about malware? The old advice used to be “make sure you have a good antivirus program running, and keep it up-to-date.” That still isn’t bad advice – though if you’re running Windows 10, you do not need to spend money on it or even go looking. The built-in Windows Defender utility is plenty of security in this regard.
However, there are two other pieces of advice that I would put in front of that – one passive and one active.
The passive action, the one-and-done thing is “put a good ad blocker on your browser.” I personally like and recommend uBlock Origin. It is available as an extension, for free, for most major web browsers, and it does a great job of blocking most advertising.
This used to be a little bit of a jerky thing to do on the internet. After all, a lot of web pages get some or even all of their revenue from advertising. However, the sad fact is that malicious ads (also known as “malvertising”) are one of the two primary places where you can get malware from. There’s also a fair bit of social engineering that goes on. Some malicious advertising doesn’t directly take over your system, but makes you think it has through annoying use of web design. I’ve seen some very scary-looking pages that purport to be from Microsoft pop up on the computers of one of our support customers at work. I assure you: no large tech company cares enough about your user experience to try to force you to call a support number because something went wrong. If you see one of these messages, hit [ctrl][shift][esc] to bring up the task manager, right-click on your web browser and kill the process. Then reopen the browser and find and close the offending tab as fast as you can, because most modern web browsers will reload your open tabs and the page will probably come back. A good general rule: if it looks like the computer is trying to get you to call someone, that is a scam.
Ad blockers stop both the real malvertising and the social engineering scare pages. They also give you a much nicer browsing experience overall. Try using one for a week and then shut it off and see just how much more irritating everything is.
The active thing to do is be extraordinarily wary of anything you get in your email, because email is also a massive source of scams and malware. A good general piece of advice is “if you didn’t seek it out, don’t click on it.” So in other words, if you generated a password reset request a minute or two ago and the email you were expecting arrives, go ahead and click that, but if you see a dire warning supposedly from PayPal, Amazon, Apple, Microsoft or whomever in your email, or even a tracking number you weren’t expecting? Delete it. If you’re concerned it might be legitimate, go directly to the company’s website via your web browser (type it in manually rather than clicking anything), log in, and check for yourself, or use the resources you find on their official website to contact their customer service people. I guarantee you they will be much less annoyed at helping you confirm everything is okay than they will be if they have to help you restore a hacked account.
If you’re looking at an email and aren’t sure if a link in it is legitimate or not, hover your mouse pointer over the link, but don’t click it. Most webmail clients and email programs (like Outlook) will show you where the link actually goes, either in a tooltip or at the bottom of the screen. If that link supposedly from amazon is going anywhere other than a URL that’s part of amazon.com? It is definitely not legitimate. Don’t click it. The same advice goes for links in ads, social media posts, and even blog posts like this one. Practice with this article if you’d like – the links go to safe places, but by mousing over them, you’ll be able to see previews for where they go. Also watch out for URL shortener links like bit.ly and ow.ly in email and advertising links in particular. If a trusted friend uses one in the middle of a conversation, that’s almost certainly fine, but be really careful about static pages like emails or ads that use them. It’s a way of obfuscating where the link actually goes.
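The hover check above can be written down as a rule, and doing so shows the two things to look at: the host the browser will actually connect to, and whether that host is the claimed domain or a subdomain of it on a label boundary. The script below is an added example, not from the original post; the sample links and the shortener list are constructed (bit.ly and ow.ly are the two the post names).

```python
# Added example (not from the original post): deciding whether a link's real
# destination belongs to the domain a message claims to be from.
from urllib.parse import urlsplit

# Constructed list of shortener hosts; extend for your own environment.
SHORTENER_HOSTS = {"bit.ly", "ow.ly", "t.co", "tinyurl.com"}


def link_host(url):
    """Lowercase host the browser would connect to, or None if it is not an http(s) link.
    urlsplit() puts anything before '@' into userinfo, so 'amazon.com@evil' yields 'evil'."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return None
    return (parts.hostname or "").lower() or None


def belongs_to(host, claimed_domain):
    """True only if host is the domain itself or a subdomain of it (dot boundary enforced)."""
    claimed = claimed_domain.lower().rstrip(".")
    host = host.rstrip(".")
    return host == claimed or host.endswith("." + claimed)


def assess_link(url, claimed_domain):
    """Plain-language verdict for a link that claims to be from claimed_domain."""
    host = link_host(url)
    if host is None:
        return "reject: not an http(s) link"
    if host in SHORTENER_HOSTS:
        return "suspicious: URL shortener hides the real destination"
    if belongs_to(host, claimed_domain):
        return "ok: host is part of " + claimed_domain
    return "reject: host is " + host + ", not part of " + claimed_domain


# Constructed sample targets, as they might sit behind the visible link text.
SAMPLES = [
    ("https://www.amazon.com/gp/css/order-history", "amazon.com"),
    ("https://amazon.com.example.net/login", "amazon.com"),
    ("https://www.amazon.com@example.net/", "amazon.com"),
    ("https://notamazon.com/", "amazon.com"),
    ("https://bit.ly/abc123", "amazon.com"),
    ("javascript:void(0)", "amazon.com"),
]

if __name__ == "__main__":
    for url, domain in SAMPLES:
        print(f"{url:45} -> {assess_link(url, domain)}")
```

The second and third samples are the ones worth staring at: reading a hostname from left to right, or stopping at the first thing that looks like the brand, gives the wrong answer, which is exactly why the post says the link must go to a URL that is *part of* amazon.com rather than one that merely contains it.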
If links are bad, attachments can be downright apocalyptic. PDFs in particular have been a favorite means of attack for malware for at least a decade, but even things like Excel spreadsheets can spread malware through macros. There’s ransomware currently going around Italy that uses Excel macros to deliver it.
None of this is to make you paranoid of every link and file; malware requires deliberate action on the part of a human being to arise. It’s not the sort of thing that will just spontaneously develop out of innocent files on your hard drive. The underlying message here is more “consider the source.” If you ask a coworker for a spreadsheet and they email it to you, you’re probably fine. If one shows up unsolicited in your inbox, that’s when you should be wary.
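For the macro case in the two paragraphs above, here is the check a mail gateway or a cautious recipient can apply before anything is opened, as an added example that is not from the original post. Modern Office files are zip packages, and one that carries VBA code contains a `vbaProject.bin` part; the two sample files are constructed in memory with dummy contents.

```python
# Added example (not from the original post): flagging Office attachments
# that carry VBA macros, by looking inside the OOXML zip package.
import io
import zipfile

MACRO_PART_SUFFIX = "vbaproject.bin"   # xl/vbaProject.bin, word/vbaProject.bin, ...


def contains_macros(data):
    """True if the bytes are an OOXML (zip) package holding a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith(MACRO_PART_SUFFIX) for name in zf.namelist())
    except zipfile.BadZipFile:
        # Not a zip container; the legacy binary .xls/.doc format needs a different parser.
        return False


def extension_mismatch(filename, data):
    """Macro-free extensions (.xlsx, .docx) are not supposed to carry a VBA part at all;
    macro-enabled ones (.xlsm, .docm) may, which is why they deserve a second look."""
    return filename.lower().endswith((".xlsx", ".docx")) and contains_macros(data)


def triage(filename, data):
    """Plain-language verdict for an attachment, in the spirit of 'consider the source'."""
    if extension_mismatch(filename, data):
        return "block: macros in a file that claims to be macro-free"
    if contains_macros(data):
        return "warn: macro-enabled document; confirm with the sender before enabling content"
    return "ok: no VBA project found"


def build_sample(parts):
    """Build a minimal zip package in memory from {name: content}; constructed test data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a plain workbook and a macro-enabled one (all contents are dummies).
CLEAN_XLSX = build_sample({"[Content_Types].xml": "<Types/>",
                           "xl/workbook.xml": "<workbook/>"})
MACRO_XLSM = build_sample({"[Content_Types].xml": "<Types/>",
                           "xl/workbook.xml": "<workbook/>",
                           "xl/vbaProject.bin": b"dummy"})

if __name__ == "__main__":
    for name, blob in (("report.xlsx", CLEAN_XLSX), ("invoice.xlsm", MACRO_XLSM),
                       ("invoice.xlsx", MACRO_XLSM)):
        print(f"{name:14} {triage(name, blob)}")
```

The check does not say whether the macro is malicious, only that there is one; that is the right granularity for the rule in the text, because the decision then turns on whether you asked for the file.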
The Nuclear Option
If despite your best efforts you do get a malware infection, back up your data and reinstall your operating system, or if you don’t know how, get a technically-proficient friend or family member to help you do so. Most modern malware is basically impossible to get rid of once it’s gotten a foothold. Even a clean OS install may not get rid of the absolute worst stuff out there, but that’s mostly the domain of state-level actors and not something you’re likely to get from a bad ad on a sports scores site.
Okay, that’s about 3000 words, so that’s probably enough for now. I may do a part 2 of this at some point, but here’s a quick TL;DR for those who just want the actionable items:
- Get a password manager and use it. Put a really super-strong (and super long) passphrase on it and use it to generate random character strings for the passwords you use everywhere else. Don’t share that utility’s master password with anyone except maybe your spouse.
- Don’t share passwords in general. If you have to share them short-term, change them, share the changed password, then change them back when the other party is done.
- Install an ad blocker extension on your web browser.
- Be really careful with clicking links in emails, ads, and social media posts. Hover your mouse pointer over links to see where they really go before clicking. Also be especially wary of file attachments in email.