A letter to my siblings about digital security, part 1.

Bharat Mediratta
Nov 10, 2018


My little man learning how to be the next generation tech guy!

Dear siblings,

I’m your brother, but over the years I’ve also been your tech guy. I’m the guy you go to when your laptop has a virus on it. Or your wifi isn’t working properly. Or you’re trying to figure out what product to buy. Over the years I’ve spent many a holiday visit in your home office, or kitchen, or in your basement happily fixing technical issues with a glass of whiskey while the rest of the family drank wine and caught up in another part of the house.

Truth be told, as an introvert, I’ve never really minded being the tech guy. I’m pretty used to coming to visit and after the pleasantries hearing “hey before you go, I’d like you to take a look at something for me.” It gives me a purpose and a way to apply my skills to bring value to the family. I live far away from the rest of you and it’s nice to feel needed when I’m in town.

Lately, consumer technology has gotten good enough that you don’t really need my skills the way you used to. Your children have grown up and taken on much of that responsibility. I like the fact that my nieces and nephews are the first line of support when things go wrong. I am sure that even as they groan “what have you done now?” they are thinking “cool, I’m going to do something useful.” And as they say “omg, I can’t believe you installed that” or “why are you still using that outdated browser” they’re enjoying that moment of teaching you something. It’s a rite of passage that I enjoyed when I started teaching our parents about technology and I know how good it can feel.

But the world is changing. There are things that are going wrong that you might be unaware of. The problems that we’re all facing are getting more sophisticated and when they do finally go wrong, it may be too late for me to do more than help comfort you. The problems that you’re likely to face now are not about backing up your hard drive (please do this) or getting a modern router (also a good idea) or updating the firmware on your devices (talk to me about this and I’ll help you).

The problem that you’re going to face next is identity theft. And it’s a big one. And the best way to fix it is to never expose yourself to it in the first place.

There are many ways that a thief can steal your identity. And if you put on your tinfoil hat, there are endless ways that you can try to protect yourself from it. You can shred all your mail, and use fake names, and disposable email addresses. But those things are a pain and I’m not advising you to do that. Today, I’m just going to suggest one thing: use a different, secure password for every website, app, and service.

To understand why, allow me to tell you the standard horror story: One day, you get a phone call from a credit card company’s fraud department. They’re verifying that you really are the person who just signed up for a credit card providing your name, address, and social security number. You tell them it’s not you... but then you go digging. Somebody has been making repeated credit checks. Each of these is to open up an account in your name somewhere. You dig further. It’s been happening for six months. Over 50 accounts have been opened in your name. Digging your way out is endless. This is a real story.

Or perhaps one day, you’re about to use your iPhone and it powers down in front of you. You turn it back on again to find it is back to the setup screen. You try to restore from a backup, but your backups are mysteriously gone. You open your laptop to log into Gmail and your password is wrong. Then your laptop shuts down and asks for a 4 digit PIN. You don’t have a 4 digit PIN. You’re offline now, and somebody is ransacking your life, reading your email, resetting your passwords and taking over your digital identity. They’re trying to make progress on your bank accounts. They’re forging emails to your lawyer, your banker, your friends. This is also a real story.

Scary. But, there are a billion people out there. Why would you be a target? In the case of Mat Honan (the guy from the second story), he was a visible figure and he was chosen by attackers. But in many cases, attackers just use systems to attack many people at once and try to pick off the people who are the most vulnerable. So if you tighten up your security it makes it harder and they just move on to the next person.

So let’s tighten up your security a bit. The easiest, first step is to make sure that you use a different password for every website that you use. Why? In brief, it’s because if you use the same password on every website, then if one of those sites has low security and gets hacked and they crack your password — they can use it everywhere. And they will. They do it a million people at a time. Crack a weak website, decrypt hundreds of thousands of passwords, use the email address and password combination to see if it works anywhere else, compile a big database and when they have enough accounts for one identity, sell it on the black market.

If you already use different passwords everywhere, that’s awesome! But many people don’t, because they just don’t have a good way to keep track of all the passwords. So they have one or two passwords, and then maybe a few really secure ones for financial sites. I get it. That’s what I used to do. But now there are really easy ways to avoid that.

The first thing I recommend is for you to install a password manager. I like to use LastPass. It’s free. Or you can get the premium version, which is $24/year. LastPass and other systems are very simple. They store all of your passwords in a secure fashion (I can go into detail about how they do it, but for now just take that at face value) and they make it convenient for you to have a different password on every website.

Starting with LastPass is easy. Just install the browser extension. Every time you log onto a website it’ll pop up a little dialog saying “hey, do you want me to remember this password?”. All you have to do is say “yes” and you’ll have a database of sites and passwords. Then at some point, it’s going to start saying “hey, you’re using the same password on a bunch of websites” and you’ll have to do a little bit of work. In some cases, LastPass can automatically change your password for you. In some cases, you need to go to that website and change your password manually. Either way, LastPass will keep track of the new password and over time you’ll get more and more secure. Make absolutely sure that your Gmail and Apple accounts use unique passwords since most places let you reset your password through your email or your phone number.
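The reuse warning described above, sketched as an added example (not LastPass’s code and not part of the original letter): it takes a made-up list of saved logins and reports which sites share a password, listing any group that includes an email or Apple account first. The sample entries and the `RESET_PATH` set are assumptions for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed sample entries (site, username, password); not real data.
VAULT = [
    ("gmail.com", "sis@example.com", "sunshine1"),
    ("forum.example", "sis@example.com", "sunshine1"),
    ("shop.example", "sis@example.com", "sunshine1"),
    ("apple.com", "sis@example.com", "maple-corridor-93"),
    ("bank.example", "sis", "T7#vq-long-unique"),
    ("news.example", "sis@example.com", "hunter22"),
    ("games.example", "sis", "hunter22"),
]

# Accounts that can be used to reset other accounts
# (the letter singles out Gmail and Apple). Assumed set for this example.
RESET_PATH = {"gmail.com", "apple.com"}


def find_reuse(vault):
    """Return groups of sites that share one password, riskiest first."""
    groups = defaultdict(list)
    for site, _user, password in vault:
        # The digest is only a grouping key, so the report never
        # contains a password in plain text.
        key = hashlib.sha256(password.encode("utf-8")).hexdigest()
        groups[key].append(site)

    findings = []
    for sites in groups.values():
        if len(sites) > 1:
            critical = sorted(s for s in sites if s in RESET_PATH)
            findings.append({"sites": sorted(sites), "critical": critical})

    # Groups touching a reset-path account come first, then larger groups.
    findings.sort(key=lambda f: (not f["critical"], -len(f["sites"])))
    return findings


if __name__ == "__main__":
    for f in find_reuse(VAULT):
        flag = "FIX FIRST" if f["critical"] else "reused"
        print(f"[{flag}] {', '.join(f['sites'])}")
```
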

You won’t know your passwords anymore. But that’s ok. All you have to remember is one master password for LastPass itself. I suggest that you avoid the gibberish passwords like “IG8o437qLQ9m” — who can remember that? Instead, use four random common words like “eggs iron trophy cable” and memorize that. It’s just as secure and will be easy to memorize. If you do write it down somewhere, put it in a safety deposit box and don’t label it. This one password will unlock all your other passwords.

LastPass is convenient. It will automatically fill in your passwords for you. It runs on your laptop. It runs on your iPhone. It can autofill apps as well as websites. It lets you share passwords with loved ones if you want to. And it’s an easy thing you can do today that can dramatically reduce your chances of getting hacked down the road. I encourage you to be proactive about this; it’s important.

Ok! That’s all for today. In future letters maybe I’ll talk about two-factor authentication, freezing your credit rating, and backups and more. But that’s for another day!

love,
your bro.
