Some thoughts on security on the interwebs
Now and then we get asked for security advice. It’s tough these days. The question I always have is, secure from what? If archeologists decrypt your banking data three centuries from now, who cares? It’s a lot different than if your neighbour’s teenager, or your corporate competitor does it next week.
And also, full disclosure, I’m not an expert. And nothing is 100%. Sigh. Between private snoopers, big business snoopers and government snoopers, the odds seem rarely in our favour. But I try to do small concrete things to avoid feeling overwhelmed. [1]
Security is a process. And I can tell you about a few things I do to attempt to manage the risks.
Passcodes and online accounts
First of all, I try to use strong passcodes and passphrases for my online outposts. What is strong? It’s not obvious, actually, and sometimes passcode testers can be wrong, but better to use them than just guess.
Secondly, I avoid reusing passcodes. Yes, keeping track of passcodes for hundreds of online accounts is annoying. But it’s safer to write down a password in your locked office than it is to reuse a password on multiple online accounts. Large online businesses get breached all the time. And then your passcodes get shared online. If it’s a reused passcode, then your risk has just gone up. Here’s a handy tool to check if your online accounts have ever been breached: https://haveibeenpwned.com/
Another thing I do to manage this kind of risk is I decommission old unused accounts. I tend to keep track of my online accounts and I will occasionally review them. Here’s a cool tool for helping with this: https://www.deseat.me/
In order to avoid reusing passcodes, I use a passcode manager. I was a little skeptical of using one, but I’ve been using a passcode manager and I really like it. I still don’t use it for everything.
I think of my online accounts as levels of risk. Financial accounts, work accounts and the email that resets all other accounts are at the highest level of risk. So I take the most precautions with them. And my recommendation is to take ten minutes and draw a little diagram, a thumbnail threat model if you will, that maps out your higher and lower risk accounts.
This threat model can be made a little more interesting by adding access points like devices and offices. For example, I have a laptop and a desktop and a smart phone and some external hard drives and an office. I make a habit of backing things up and I make a habit of locking my door and also my devices. I’m amazed how many folks I know take the time to lock their office door, but don’t have a passcode on their phone or laptop. I choose to use a 7 digit passcode on my phone. Don’t use a common PIN. And I use a passcode on my laptop. [2]
Browsing, URLs and wifi
Something I recommend to everyone is to pay attention to URLs. Are you signing into twitter.com or twiitter.com? Is it HTTP? Or is it HTTPS? These days, if it’s not HTTPS, it’s not as safe. If it’s done correctly, HTTPS is your friend and encrypts the data between your browser and the server so snoopers can’t read the data transmission.
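The twitter.com versus twiitter.com check can also be done mechanically. The sketch below is an added example, not part of the original post: the `KNOWN_SITES` list, the function names and the two-character threshold are assumptions chosen for illustration, and the sample URLs are constructed.

```python
from urllib.parse import urlsplit

# Constructed list of sites this user really signs in to (an assumption).
KNOWN_SITES = ("twitter.com", "haveibeenpwned.com")


def edit_distance(a, b):
    """Levenshtein distance: inserts, deletes and substitutions needed."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_signin_url(url, known=KNOWN_SITES, max_distance=2):
    """Return a list of warnings; an empty list means nothing looked wrong."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    warnings = []
    if parts.scheme != "https":
        warnings.append("not HTTPS")
    # The exact site, or a genuine subdomain of it (mobile.twitter.com), is fine.
    if any(host == s or host.endswith("." + s) for s in known):
        return warnings
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("internationalised (punycode) name: check it carefully")
    # Rough registrable domain: last two labels (ignores co.uk-style suffixes).
    registrable = ".".join(host.split(".")[-2:])
    for site in known:
        if host.startswith(site + "."):
            # Known name used as a subdomain of some other site.
            warnings.append(f"{site} is only a prefix of {host}")
        elif 0 < edit_distance(registrable, site) <= max_distance:
            warnings.append(f"looks like {site} but is {registrable}")
    return warnings


if __name__ == "__main__":
    for u in ("https://twitter.com/login", "https://twiitter.com/login",
              "http://twitter.com/login", "https://twitter.com.example.net/"):
        print(u, "->", check_signin_url(u) or "ok")
```

An unfamiliar site that resembles nothing on the list produces no lookalike warning, so an empty result only means the URL did not imitate a site you listed.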
Related to this, I avoid public wifi. If I do use it, I don’t sign into things. [3]
I take care to make my personal wifi securish. [4]
And I use a VPN that I pay for. I like TunnelBear. It helps keep my web traffic encrypted.
“Encryption” is a fancy word for private
Also, a note about encryption: encryption is really just a fancy word for private. Or locked. When your data is encrypted, it has to be “unlocked” with a key. This puts the key holder in charge, and hopefully that’s you. It’s a fascinating field of research and, of course, there are varying kinds of encryption with varying levels of security.
But encryption is getting steadily easier to use. And many services are folding encryption into their service models. Whatsapp and Signal, for example, are both offering encrypted texting. So I tend to gravitate toward services that favour encryption.
Two-factor authentication
Oh yeah, for accounts that are important, I like using two-factor authentication systems. Usually this means I get a text with a second passcode, or I have to use my authenticator on my phone to enter the ever changing passcode. Apparently the authenticator is safer than the texting version, which I find fascinating.
In summary
So to recap, to try to stay securish, I:
- attend to URLs and favour HTTPS
- use a VPN
- gravitate to services that provide encryption
- avoid public or insecure wifi
- lock my office doors and devices
- try to use two-factor authentication
- use strong passcodes
- avoid reusing passcodes
- try to decommission old unused accounts
Notes
1. Folks crossing the border these days are being asked to hand over their passcodes. Yikes. Here are some helpful notes by journalists.
2. I had a laptop stolen at an airport once – it can happen to anyone.
3. I was using too much data on my cell phone, so I started using a VPN.
4. Like each of these topics, securing your wifi and router is a big topic. Do what you can. There’s always more.