No matter how safe and secure you feel when you use your computer, there’s always room for improvement.
Why not make Safer Internet Day the excuse you need to do all those cybersecurity tweaks you’ve been putting off…
…such as picking proper passwords, turning on two-factor authentication, downloading the latest security updates, making backups of your most important files, and revisiting your privacy settings in case you’re oversharing by mistake?
So, let’s go through those five tweaks one-by-one – they’re easier than you think, and much less hassle than you might fear.
1. PICK PROPER PASSWORDS
Yes, we say this every year and we’ve been doing so for years. But we still see plenty of people – at work and at home – taking needless shortcuts with passwords, using “secrets” that any crook could easily guess, such as 12345678 or nameofcat. (By the way, nameofcat99 isn’t any better – the crooks can figure that one out, too.)
If you’re struggling to come up with decent passwords (and to remember them) then you aren’t alone; consider getting yourself a password manager that can help you pick passwords properly.
2. TURN ON TWO-FACTOR AUTHENTICATION (2FA)
2FA usually takes the form of those 6-digit codes that get texted to your phone or generated by a special app. As well as your username and password, which are the same every time you login, you also have to put in the one-time code, which is different every time.
We know that many people don’t like 2FA, and we know why – it’s a bit of a hassle, and if you’re logging in from your laptop it means you’d better not leave your phone at home or you could be locked out.
But 2FA is a lot of extra hassle for the crooks, because they can’t just grab your password from a data breach any more and then go wandering into your account at will.
3. GET THOSE PATCHES
Most software patches these days aren’t just cosmetic – they typically close security holes that could let crooks sneak in without you even realising. So if you don’t patch, you’re much more likely to encounter a crook, because lots of attacks will succeed against you when they’ll fail against everyone who has patched.
So why leave yourself in the at-risk group if you don’t need to?
Remember, however, it’s not just your laptop that needs patches these days – you also need to keep your eye out for updates for your apps, your phone, your home router, and any of those cool “connected devices” you might have, such as internet doorbells, webcams and home assistants.
4. MAKE YOUR BACKUPS
Backups aren’t just for protection against ransomware, where the crooks scramble your files and squeeze you for money to unscramble them again.
Backups are there to help get you going again no matter what – whether it’s a lost or stolen laptop, phone left in a taxi, tablet computer dropped into Sydney Harbour (it happens!), fire, flood or plain-and-simple user error.
Remember: the only backup you will regret is the one you didn’t make.
5. REVISIT YOUR PRIVACY SETTINGS
Your operating system, your phone, many of the apps you use, and almost all of the online services such as Facebook and Twitter, have a range of privacy and security settings that help you to control how widely your personal data gets shared and indexed.
Unfortunately, every app and website does it differently, and it’s a bit of a science project to comb through the privacy menus in every one of them to make sure you’re as safe as you’d like.
But we urge you to make the time to do so – the only thing worse than realising you accidentally overshared your phone number or other personal information is to realise that you could have turned on an option that would have kept you safe.
Have a safer day
If all the tips above sound too much for one day, here are five words that you can say to yourself whenever you are online, to help you have a Safer Internet Day:
“Be aware before you share.”
Latest Naked Security podcast
LISTEN NOW
Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.
Paul
First, I really appreciate your site. Just one comment on 2FA. I spend a reasonable part of the year travelling, and I normally get a local SIM card if I’m going to be somewhere more than a week because I’m Canadian and my roaming charges are insane. I get that 2FA is a good thing, but it doesn’t work for me about four months of the year. Can you suggest any work-arounds or alternatives? There must be a lot of people in my position.
Paul Ducklin
Many sites let you choose to use a 2FA code generator app (there is one built into the free Sophos Intercept X mobile security product) instead.
Or you could simply use your Canadian SIM overseas just once to authorise a change to your new phone number (most sites also let you use a pre-printed one-time “backup code” that you keep somewhere securely to switch phone numbers, in case you lose your current number). Then switch back on return and the temporary number will no longer receive the codes.
I have switched my SMS numbers before while on the road, from my “home” SIM to my “overseas” SIM and back, with not much trouble. I even bought a dual-SIM device to make the process easier.
GoggleBot
Does “accidentally overshared your phone number” include giving Google your phone number for 2FA purposes?
Paul Ducklin
That’s an open question :-)
Most social networks will let you use your phone number for 2FA, and will tell you that if you supply your number for that purpose they will never use it for anything but.
How sure can you be that the number will never leak out into other databases? You have to decide that for yourself, I’m afraid.
Googlebot
Or that the same number used for 2FA on another site(s) does not get leaked/sold to the great google data harvester for the purposes of it not actual jigsaw identification, jigsaw profiling?
Presumably registering 2FA “dongles” has the same potential threat to privacy unless you are prepared to have a “key” ring full of the things – one per site!
Paul Ducklin
Depends on the dongle (or app if you use a mobile phone as your “dongle”). Many of those will support N different sites, each with its own independent authentication sequence. The website you are logging into never gets access to the cryptographic keys or “seeds” inside the dongle, which are stored securely and are used internally by the dongle’s processor to generate each sequence on demand.
Gogglebot
Thanks, that sort of information – if I can get it at dongle/app level – helps me balance the significant security benefits of 2FA against the hassle of multiple “authenticators”, fears about privacy and the cost of an up-to-date “smart” phone (and the need to regularly replace it when Android won’t upgrade).
Is there some form of BSI/ISO (or more relevant?) standard for “authenticators” which covers these sorts of issues?
Paul Ducklin
FIDO Alliance? Probably a good place to start.