I don’t remember if I wrote about changing your passwords last year or not, but it’s that time again! April first is a mischief day on the internet, people want your information, and I declare it the annual “change your password day”. Let’s get on top of it now so you can do some planning and then go read the weird headlines with peace of mind.
We so willingly give up our information to trusted companies like Google or Facebook that sometimes we don’t think about the security that holds it all together. It’s easy to be mad when a company’s database is breached even if your password is “password1”. The absolute truth is that nobody is unhackable. Your best bet is to be more secure than most. There are so many bad passwords and poor security policies out there that a hacker won’t waste their time if something is too difficult. That is, unless you’re really worth it.
How long have you had your email password? A year? Five years? That’s too long. Google, Microsoft, and all of the big names are extremely secure in their email hosting but if you hand the key to someone, there’s only so much that they can do. Change your passwords.
Get a password!
You used to want a more complex password. Complex passwords are still very important, but today you should focus more on creating a long password. I encourage people to type something memorable and throw in some of the odd characters. How about this:
“I a1ways e@t the la$t slice!?”
That’s 29 characters! We’ve got a few odd characters and it’s not too difficult to remember or to type. It might be a bit tedious but guessing a random 29 character string is harder than any 8 character string. Maybe that can be your master password. More on that soon…
Get a bunch of passwords!
There’s a lot to remember. I recently realized just how many passwords I have as I gathered all of my financial information for tax reasons. There are two important things that I learned. One, I log into Bank X a few times a year, only to look at my mortgage. Second, that’s a lot of money and very important.
What’s the answer? Make it more difficult and super long. Why? You shouldn’t have to remember it anyway.
Get something to manage your passwords!
My password to my bank is 22 characters long. It’s a random string that a computer made for me. After it is entered, I get a text message with a second code to enter to verify that the person logging in also has a hold of my cell phone. This is cumbersome, yes. Would you wish you had it when you wake up with a credit score of 400 and $800,000 of debt? Damn right.
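The two claims above (a 29-character phrase beats any 8-character string, and a password manager makes a random 22-character string for you) can be checked in a few lines. This is an added example, not code from the post or from any password manager; the alphabet sizes (94 printable ASCII characters, 95 with the space) and the sample passwords are assumptions for illustration.

```python
import math
import secrets
import string

# The alphabet a password-manager style generator draws from: 94 printable
# ASCII characters, space excluded (assumed; real tools let you tune this).
GENERATOR_ALPHABET = string.ascii_letters + string.digits + string.punctuation

def generate_password(length=22, alphabet=GENERATOR_ALPHABET):
    """Random password like the 22-character one in the post.
    Uses `secrets` (OS randomness); `random` is predictable and must not be used."""
    if length < 1 or len(set(alphabet)) < 2:
        raise ValueError("need a positive length and at least two distinct symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))

def search_space_bits(length, alphabet_size):
    """log2 of the number of strings of this length over this alphabet,
    i.e. the work to try every one of them."""
    return length * math.log2(alphabet_size)

def alphabet_size_of(pw):
    """Size of the smallest obvious alphabet covering the password: each character
    class that appears (lower, upper, digits, punctuation, space) adds its size."""
    classes = [
        (string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
        (string.digits, 10), (string.punctuation, 32), (" ", 1),
    ]
    return sum(n for chars, n in classes if any(c in chars for c in pw))

def estimate_bits(pw):
    """Upper-bound strength estimate: treats the password as if it were random
    over its alphabet. A phrase built from dictionary words is weaker than this
    number suggests, which is why the generated-and-stored password is the
    better choice; the point the estimate does show is how much length buys."""
    return search_space_bits(len(pw), alphabet_size_of(pw))

if __name__ == "__main__":
    phrase = "I a1ways e@t the la$t slice!?"       # the post's example (constructed)
    short = "Tr0ub4d!"                              # an 8-character sample (constructed)
    print(f"{phrase!r}: {estimate_bits(phrase):.1f} bits")   # about 190 bits
    print(f"{short!r}: {estimate_bits(short):.1f} bits")     # about 52 bits
    print("manager-style password:", generate_password(22))
```

The estimate for the 29-character phrase comes out more than three times the bits of the 8-character one; every extra character multiplies the search space by the alphabet size, which is why length matters more than a few odd symbols.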
There are several great tools for managing passwords and most are free (or offer a free trial). It can take a lot of time to type in all of your information but once you do, it’s always with you and much more secure than before.
- LastPass will store all of your passwords for free. If you want to pay a dollar a month, you can get a handy app for your devices, a nice browser plug-in, and some extra security features.
- 1Password is less popular and offers the same level of encryption.
- Sticky Password has picked up steam recently and offers some of the best encryption.
- …and many others.
What is the business model? Passwords suck but they’re necessary. Filling in forms online sucks but you have to do it. These tools will help you be more secure. Setup will take some time; expect to burn a few hours looking up and resetting passwords. But once you’re done, you’re in really good shape. The tool will tell you when you’ve possibly been compromised, if a password is too simple or too old, and some tools will actually go to the specific websites and change the password for you. What else do you want?
I used to keep passwords in a text file, on a flash drive, encrypted with my own PGP key. It existed only on a single flash drive which was so cumbersome that it was easier to remember the horrible passwords than it was to use it. It was probably the most secure way to do things but, wow, what a pain.
Got it? Ask yourself if your security is worth a few bucks a year. The tools are great. What now?
What is dual factor authentication? I mentioned it earlier when I said that after I logged into my bank, they sent me a text message with a short, expires-in-ten-minutes code that I had to type after I logged in. Why is this good? Imagine that someone does get your bank password and the bank doesn’t find it too suspicious that you’re suddenly logging in from Moldavia. Just to be sure, they send a second “hey, is this you” message to your cell phone. The likelihood of both your cell phone and your password being stolen is lower than that of just one.
Some sites and most bank and email sites will offer some form of dual factor authentication. They’re all implemented a bit differently but some will come with an authentication app to be used on a cell phone that will skip the text message step entirely to allow you to just check an “allow this login” box.
Use this if it is offered, even at just a few places. For your email and bank, especially.
Keep them unique!
Most of all, keep your email password complex and never, ever reuse your email password. It’s dangerous. You know that you can reset most passwords by clicking “I forgot my password”. Where does that email go? Hopefully not to the same account with the same password. And change it. Aim for every six months but annually is good if it’s a good password.
Got it. Now what?
You’re vulnerable online regardless. There is no such thing as a safe browser or a safe operating system. There are good arguments on either end for what’s better or worse, but if you are connected to a network, you are not safe. How do you survive a bear attack? Be faster than the next guy. How do you survive getting hacked? Be a bit safer than the next guy.
If you ever look at the URL bar at the top of your browser and see http instead of https, then the information you’re sending is not secure. Sometimes the browser will turn this green to show you that the connection is secure. If the certificate that encrypts the site has been revoked, it’ll be red and suggest you go elsewhere. But plain old http is not secure – at all. Lots of modern browsers hide this in the address line, but they should not.
Your access to my site is not secure. It’s public and holds no data that needs to be secure. It’s also backed up regularly.
What else is insecure? An insecure wireless network at a coffee shop. It is very easy to see what is going on in those networks. Your phone automatically connects and unless your phone is using an encrypted protocol, you’re visible. And who knows who is on the other end.
What’s the answer?
A VPN is a virtual private network. It is essentially a heavily encrypted tunnel that serves many functions. Safe browsing, unrestricted access, and security are all VPN selling points. A VPN client is a small tool that you can install on your device or computer that will create a secure tunnel to a server somewhere and allow you to browse through that server, mostly anonymously. Most of these servers do not store any personal information. They’re popular outside of the United States for lots of reasons. Some countries don’t get Netflix, some countries don’t have freedom of speech.
Normally there is a monthly or annual fee to use these networks. It’s worth it but you can almost always find them on sale. I suggest searching a Stack Commerce site for security tools. Lifetime subscriptions can go for as little as $30 and sometimes they’ll be bundled with the password manager tools we talked about above. Setup is easy and it keeps you safe in your hotel Wi-Fi.
Some of these VPNs do get blocked, however. Netflix is pretty wise to the methods people use to get its shows where they legally cannot, so it is pretty good about blocking some VPNs. I was able to use a VPN on a flight to access a streaming music service that would otherwise have been blocked by the airline.
- I personally recommend Private Internet Access, which rarely goes on sale but is worth the lifetime subscription when it does.
- PureVPN would be a close second; it is almost always on sale and has the most user-friendly interface.
- SurfEasy has a browser plug-in that will force only browser traffic through their service but my favorite feature on the phone is that you can have it turn on immediately when your phone connects to an insecure wireless network. SurfEasy offers free monthly data if you promote them.
I’ve also used IPinator, TigerVPN, and ZenMate which each have their ups and downs.
OK, great. I’ve got a VPN. I’ve got my passwords secure. What now?
Ads suck. Block them. More junk gets to you and you are tracked far more easily if you see ads. You think that seeing them doesn’t bother you. That’s great, I’m actually envious, but keep in mind that there’s a lot more to it. I can see where my ads were seen and who sees them.
Ad blockers are pretty good but they’re not the answer. Pass-through access is given to the highest bidder. You’ll see only a select few “premium” ads. It’s how the world works, someone has to pay for the service and if I give you a few million to make sure that the only ads you see are for Wal-Mart, then I sure will.
Another thing that isn’t great about ad blockers is that your computer still needs to access a remote site to get a list of ads to block. You’re still making an internet connection to see if a connection is safe. It’s marginally slower and possibly insecure.
Companies that hate ad blockers are those that live on ads, like Google and Facebook. They need you to see those ads to make money. Those ads watch you do things. If you have a moral objection to “cheaping” them out of their advertising money, don’t use the service or deal with the lack of privacy.
“I’ve got nothing to hide.”
That isn’t the point. That data is stored somewhere and can be retrieved by the wrong hands somehow. It takes work but it’s there. Lessen that risk. Remember what we said about not getting eaten by a bear?
OK, how do I do this the right way, for free?
The absolute best way to block ads is to use an old-school trick called a hosts file. It’s simply a text file hidden in the depths of your computer that says “hey, if you see this site, don’t go there”. It used to be a way of manually generating what is now a DNS…but you don’t need to know that. What we use it for now is to redirect websites, especially ad servers. Better yet, it lives on your computer, doesn’t use an ounce of RAM or CPU, and is totally free.
The MVPS site will explain more, including how to get it copied over. You have a hosts file (a text file named “hosts”) on your cell phone, tablet, and computer. They’re harder to get to on cell phones because interested parties pay to make sure you still see their ads, but they are reachable. On the desktop, however, it’s part of the architecture and you have full access. Here’s how to do it in Windows. Apple’s OS is just as simple.
- Go here (http://winhelp2002.mvps.org/hosts.txt) and copy all of that text, save it as a file named “hosts” without an extension. Using notepad will be fine.
- Go to c:\windows\system32\drivers\etc and rename the current file that says “hosts” to “hosts.bak”.
- Copy this file into that folder. You may have to click on “continue” or “accept” because you will need administrator rights.
That’s it. There’s a batch file on that page that’ll do the exact same thing.
The catch? You’ll need to do it every few months to get the latest list of blocked sites. If you know me, contact me. I’ve written a little script that’ll do it for you.
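A script that refreshes the hosts file every few months should also check what it is installing: a hosts entry can point a name at any address, so a tampered or mirrored list could send “bank.example” to a stranger’s server instead of blocking an ad. The example below is added here and is not the post author’s script or anything from MVPS; it parses hosts-file text, keeps only entries that sink traffic to 0.0.0.0, 127.0.0.1 or ::1, rejects everything else with a reason, backs up the current file to hosts.bak as the steps above do, and writes the vetted list. The sample list is constructed for the example, and the system paths in the comments are the usual defaults rather than anything the post states.

```python
import ipaddress
import shutil
from pathlib import Path

# Constructed sample in the layout of an MVPS-style hosts.txt (not the real list).
SAMPLE_HOSTS_LIST = """\
# MVPS-style block list (constructed sample for this example)
127.0.0.1 localhost
0.0.0.0  ads.example
0.0.0.0  tracker.example   # trailing comment is fine
# The next line would hijack a site instead of blocking it:
203.0.113.7 bank.example
not a valid line
"""

# Addresses that merely sink traffic. Anything else in a "block" list is a red flag.
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}

def vet_hosts_list(text):
    """Parse hosts-file text and split it into entries safe to install and
    entries to reject. Returns (kept, rejected): kept is a list of
    (address, hostname), rejected a list of (original line, reason)."""
    kept, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            rejected.append((raw, "malformed: need an address and a hostname"))
            continue
        addr, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            rejected.append((raw, "not an IP address"))
            continue
        if addr not in SINK_ADDRESSES:
            rejected.append((raw, f"redirects to {addr} instead of blocking"))
            continue
        for name in names:
            kept.append((addr, name.lower()))
    return kept, rejected

def render_hosts(entries):
    """Turn vetted entries back into hosts-file text."""
    lines = ["# Ad-blocking entries, vetted to sink addresses only"]
    lines += [f"{addr} {name}" for addr, name in entries]
    return "\n".join(lines) + "\n"

def install_hosts(entries, hosts_path):
    """Back up the existing file to hosts.bak (as the post's steps do), then
    write the vetted entries. Needs administrator/root rights for the real path."""
    hosts_path = Path(hosts_path)
    if hosts_path.exists():
        shutil.copy2(hosts_path, hosts_path.with_name(hosts_path.name + ".bak"))
    hosts_path.write_text(render_hosts(entries))
    return len(entries)

if __name__ == "__main__":
    # Usual system locations (assumed defaults): Windows
    # C:\Windows\System32\drivers\etc\hosts, macOS and Linux /etc/hosts.
    # The demo writes to a temporary directory instead of touching the system file.
    import tempfile
    kept, rejected = vet_hosts_list(SAMPLE_HOSTS_LIST)
    for line, reason in rejected:
        print(f"REJECTED {line!r}: {reason}")
    with tempfile.TemporaryDirectory() as tmp:
        print("installed", install_hosts(kept, Path(tmp) / "hosts"), "entries")
```

Run against the real downloaded list, the rejected lines are the ones to look at before installing anything; a genuine block list should produce none.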
Wow. Secure passwords, secure networking, no ads. What else is there?
I think that once you can browse and feel safer, you’ll realize that the internet isn’t as bad and scary as it seems. It’s a lot more like it was meant to be: a place to exchange ideas instead of a pile of insecure and shady commerce.
- I’m going to go out on the biggest limb and encourage people not to log into their browsers, or to just use a browser that won’t track you, like Opera. (It will if you allow it, but you’ll need to check the box in the settings.) I know you probably won’t give up Chrome, but it might be worth a look and Opera will run on anything.
- Also, don’t forget that Google knows more about you than our government. Try an alternative search engine like my new favorite, DuckDuckGo. Try the shortcut ddg.gg to get there. It’s lightweight, clean, and claims not to track you. You can set it as the default search engine for your browser or install the browser plugin.
- Encrypt your cell phone. There’s a lot of talk about this right now and I won’t touch on the politics. It’s a simple on/off setting. Do it. You won’t notice a single difference.
- Now that you’re storing your passwords in a password locker, go delete them from your browser. There’s a “delete history” button somewhere, delete that and all of your saved stuff.
- Make sure you have a good password on your computer and that it prompts you for a password each time you open it up.
- Encrypt your computer! Windows and Apple’s OS both offer good, strong full-disk encryption. It takes a while, and you won’t notice a difference once it’s done. If someone steals your computer, that data is safe. It’s free. Do it!
Man, that’s going to change the way I do everything.
Every one of these things can be a big step. If you’re unsure about anything, give me a call. I can set you up with a VPN I use and you can test it out. I’ll show an apple user how to change their hosts file. If you’re family or friend, I will happily help you make changes and answer questions. This blog post could have been ten times as long.
Ask yourself: is rebuilding your credit after identity theft worth a weekend of work and, let’s say, $50 for all of the top, premium services that I mentioned? Is it worth a few hours and a few free services? How convenient does it need to be to be worth it before it happens?
What is secure at this moment will be laughable in just five years. The only way to be 100% safe is to not use the internet at all.
I love you, too.
(Visit toothpastefordinner.com for more hilarious comics!)