tl;dr: The five easy steps are: (1) start using a password manager, (2) set a password for your computer and devices, (3) install HTTPS Everywhere, (4) setup two-factor authentication for your important accounts, and (5) install Signal Private Messenger. If you do nothing else, start using a password manager, like LastPass. (2,127 words)
Let’s start by doing the easy steps that can make your computer and phone more secure, right now.
- Download Lastpass. If you are not using a password manager, you should be (see below for why). LastPass works on mobile phones and tablets, such as iPhone/iPad and Android. It also works on personal computers, and there is a download page for Macs, PCs and for Linux. Passwords you add on your phone are also available on your computer, and vice versa. If you use all Apple products, the best manager is 1password for your Mac, iPhone, or iPad. However, it costs $2.99 a month for individuals and $4.99 for families to use.
- Set a password for your phone and computer. Instructions for setting a password rather than a pin on iPhone are available. In Android, it can vary, but you can search for “lock” (without quotes) in settings to find the Lock screen settings and select password. Most computers have lock screens on by default, but if you need to set it up, instructions on how to turn the lock screen on for a Mac and Windows are available.
- Install the HTTPS Everywhere browser extension. This extension is available for three major browsers: Chrome, Firefox or Opera. If you do not currently use one of these browsers, you will need to download one of them to your computer or device using one of these links: Chrome, Firefox, or Opera. Then, install the relevant extension from the links above. If you aren’t sure which browser to use, try Firefox.
- Set-up two-factor authentication for your important accounts. Your debit card for your bank account is two factor authentication. You have to have the card and the pin number in order to access your money. You want the same kind of protection for your online accounts. The easiest way to do it is to have a text message sent to your phone that has a six digit code that you use in addition to your password to access your accounts.
- Install Signal Private Messenger. Signal is easy to use software for encrypted messages on iPhone or Android. To the person using it, it looks and works no differently from Facebook Messenger, Hangouts, or whatever default messaging app that’s already on your phone.
The How & Why
Knowing what you should be doing to keep your information safe online can be hard. It’s work. It can be complicated. It means changing the way you do things. The goal of this essay is to talk about five easy changes that everyone should consider doing, explain why as simply as possible, and point you to the tools and techniques you will need to get off to a good start.
1. Download LastPass
The most important change you can make to improve your online security is to start using a password manager. People are bad at creating passwords. We are bad at remembering them. We also tend to reuse them. With a password manager, you only have to remember one password, i.e., the master password. The good news is that there is a technique for creating a secure master password called Diceware that takes less than 10 minutes. Here’s how:
Take a six-sided dice, and roll it five times. I rolled a five, five, five, one, and a one. You then take the number 55511, download a Diceware wordlist, open it and look up the number. (If the wordlist doesn’t display correctly, open it in Word or WordPad.) The word corresponding to 55511 in the linked wordlist is “splendor”. You then repeat the process six times to get six words. At the end, you’ll have a strong password like “splendor applicant gooey attentive composite cramp” (without the quotes). You’ll have to write down your password initially, but eventually, you’ll just remember it.
Once you have a good master password, then you can use it to create an account and log into LastPass. Then, you can start the time-consuming part, changing the passwords on all your online accounts using LastPass. LastPass uses an algorithm to create unique strong passwords for every site you use. It then stores them in an encrypted database, so it is only available to you. If you are logged into LastPass, then it will automatically paste your login information into the login page and enter the website. Start with your most important passwords. It can be hard to remember all the accounts you have made over the years, so you can look for saved passwords in your browser, reset emails in your email, and other ways to try to get them all. Expect the process to take a few weeks, if you do a few every day.
Note: Instead of giving correct answers to security questions like, “What was make of your first car?”, consider answering them incorrecly or input additional passwords and put the answers in the Notes field for that account in your password manager. This makes it more difficult for criminals to reset your password on your account using online account recovery or by calling customer service, if they know personal details about you.
2. Set a password for your phone and computer
If LastPass is open in your computer browser or phone app, it means anyone with access to the computer or phone can access every site you use with it. As a good general precaution, you’ll want to make sure that anything that uses LastPass requires a password so that if you misplace your phone or a burglar is in your home, they cannot use LastPass to access your banking account or other online services. You can always logoff and login again with your strong master password for LastPass, but it is often easier just to use the lower level protection of the lock screen that is already on these devices.
3. Install the HTTPS Everywhere browser extension
Some websites you use may still sending your passwords in the clear when you login. It doesn’t matter if you use strong passwords created by a password manager like LastPass, if you are going to show this password to everyone who cares to look when you are connected to a open wifi hotspot at the airport, coffee shop, hotel, hospital, conference, library and so forth when you login. HTTPS Everywhere turns these postcard passwords and puts them in sealed envelopes that only you and the website you are connecting to can read.
Note: If you spend a lot of time using unencrypted connections or want to take the concept of HTTPS Everywhere to the next level, consider using a VPN. ExpressVPN is a good example. It costs about $100/year. Discussing VPNs is beyond the scope of this essay, but a look at the link above can explain why you might want to use one.
4. Set-up two-factor authentication for your important accounts
Like setting the lock screen, two-factor (or multi-factor) authentication provides an additional layer of security. With two-factor authentication set-up, you login normally. Once the website receives a good username and password combination, it then asks for an additional (usually six digit) code. The two most common ways of getting the code is either through a text message to your phone or in an phone app like Google’s Authenticator. If someone were to get your password using an email phishing attack, say a website that looks like your bank but is a criminal’s website where you were fooled and put in your password, they would still need the second factor from your phone to access your account. Additionally, two-factor authentication can warn you that there is a problem. If you receive text messages from a service you are not trying to logon to but has two-factor authentication, it might be an indication that someone has access to your password information that shouldn’t.
Note: Reading the EFF’s tutorial, “How to Avoid Phishing Attacks” is a good point to start, if the idea of “phishing” is new to you.
5. Install Signal Private Messenger
Just as we use HTTPS Everywhere to preventing passwords from being shared “in the clear” over wifi networks, Signal does the same thing for text messages. Text messages over a phone network can be read by anyone. For example, if a criminal sets up a device that mimics the behavior of a cell phone tower, your phone might connect to it, and any data passed through that connection will be readable by that criminal. Chat services like Facebook’s Messenger and Google’s Hangout’s also read the contents of your messages in order to serve advertising to you. Using Signal Private Messenger ensures that the only people that can read a message are the sender and the recipient.
If you have implemented the above changes, congratulations! You have significantly improved your online security. Since these steps were relatively easy, what else can you do?
The problem with security measures is that few things apply to everyone, and there are always trade-offs. Which trade-offs are worth making is a subjective judgment call. A few examples:
Browser extensions: There are many browser extensions that provide some measure of protection from malacious computer programs, advertising and third-party tracking online, such as NoScript, Privacy Badger, uBlock and others. While each extension is easy to install and use, it means sometimes a website will not work as you expect, and you may need to change some settings in your extensions in order to have a website display correctly. Do you need all three? Are you willing to figure out which extension is causing a page to not load the way you want? People’s tolerance for working through these kinds of issues differ.
Secure email: Are you comfortable with a service like Yahoo scanning your Yahoo email on behalf of the NSA? Is it worth it to start using Thunderbird with Enigmail with Yahoo? (Probably not.) Or what about paying $50/year for “secure” email services like Kolab, Countermail, or Protonmail? Even people that work in the software security industry have opinions for and against trying to secure email. Signal, which we installed above, is so easy to use. Why not just use it? Good question.
Encrypted files: Or, perhaps you have digital documents — such as an electronic college transcript, financial documents, medical information or a last will & testament. Do you need to protect that information from being stolen or being targeted by ransomware? What security measures do you want to take? Is a low tech solution like keeping these files on a separate USB drive enough? Do you want to use some type of encryption mechanism such as whole disk encryption available through Bitlocker on Windows, FileVault on Mac, or the device encryption options for iPhone and Android? The problem with full disk encryption is that maybe you’ll have a hard-drive failure and you won’t be able to recover the encrypted drive, which means you have to keep it in multiple locations and maybe use an encrypted storage service like SpiderOak, Seafile or use a standard cloud drive like Google Drive, Dropbox, Microsoft’s OneDrive, etc. in combination with something like LibreCrypt software in order to have encrypted data and the backups necessary to make sure you won’t lose your information. There’s no one right answer for everyone, but moving beyond putting files on a USB drive gets complicated, real quick.
For those concerned about survelliance, the EFF has a great guide called Surveillance Self Defense that discusses security concepts (e.g., threat profiles), software tools (such as PGP/GPG, VPNs, Tor, ChatSecure and so forth), and tutorials (like the one on Phishing mentioned above) that can help you better understand security concepts and trade-offs. Other sites like Prism Break can also offer software suggestions worth some consideration.
There are many options available, depending on your personal needs and concerns. While the many options can be overwhelming, taking small concrete steps, like we have done here, can make you much less likely to be a target for criminals online. The old saying is that security is a process. You cannot prevent everything, but it is prudent to do the small things that help prevent the most common problems.