dankim.org

Ten Rules For Staying Secure

16 Feb 2014

One thing I've paid a lot more attention to lately is my online security. It seems like every week a site is hacked, and our data ends up in some bad guys' hands. Take your pick: Adobe, Zappos, and most recently Kickstarter to name a few.

For my own peace of mind, I follow a few key rules to keep my online presence as secure - dare I say paranoid - as possible. Keep in mind, I'm not a security expert. But I do know that following these rules will 1) give you a fighting chance the next time a site you're a part of is hacked and 2) help ensure nobody ever impersonates you and damages your finances or reputation.

  1. Use 1Password, period. Just about every other rule benefits by using 1Password.
  2. Use complex, strong passwords everywhere. Basically as ridiculously long and unreadable as a site will allow. 1Password can generate these for you.
  3. Change old, stale passwords frequently. 1Password can audit your old passwords for you.
  4. Never use duplicate passwords anywhere - one password should only be used on one site. 1Password can tell you if you're duplicating your passwords across sites.
  5. Use 2-factor authentication on any site that offers it. (2-factor is just a fancy way of saying "when you log in, we'll also check that you have your phone - usually via a one-time code from an app or a text message - to make sure it's you," so a stolen password alone isn't enough.) Here's a great list of sites that already support 2-factor authentication.
  6. Frequently check what applications are authorized by common social networks. I check the application authorization pages for Twitter, Facebook, Google, and Instagram regularly, and cut out apps that have built up over time. It's really easy to add applications back, so many times I'll just revoke everything and start over with a clean slate.
  7. Use a strong password to protect the 1Password master file - one that's easy to remember, but ludicrously long and complicated.
  8. Avoid using an email address from a personal domain (aka jim@smith.com) as a username, or as the primary contact method on an account. A personal domain is only as safe as the registrar account behind it: that's how @N was lost, when the registrar was socially engineered into handing the domain over, and whoever controls your domain controls your email and every password reset sent to it. Something like Gmail is a harder target for that kind of attack.
  9. Use an HTTPS (SSL/TLS) connection by default whenever possible, especially on a public wifi network, where anyone on the same network can read unencrypted traffic (in that case, using a VPN connection is even better).
  10. Look out for friends and family. The more secure they are, the more secure you will be.

In the end, there's no guarantee that doing any of this will prevent unauthorized access to your accounts - anything's possible. But security is about reducing risks, limiting exposure, and playing the odds. And these rules should help you move in that direction.