Hackers and Spoofers and Thieves, Oh My!
A basic guide to protecting your accounts
Over the past several weeks, I’ve watched a number of women in the gaming industry be publicly and privately harassed and threatened. I’m not going to rehash the what and why of “gamergate”—there are plenty of other places to find that information. I’m glad, too, because I’m not sure I’m brave enough to speak out against this misogynistic culture war masquerading as an ethics movement. But because even mentioning gamergate in passing, or joking about it, can result in epic levels of personal harassment, I’ve spent the past several days working at locking down most of my online accounts. Am I 100% safe now? No, of course not. There’s no such thing as complete security. But I’m a lot more secure than I was before I started. The bad news is that I felt I had to do this because I was frightened of online lynch mobs. But the good news is that I was probably more at risk from run-of-the-mill identity thieves, and the steps I took will protect me better from both. These are things I should have done long ago, and they’re things that you can—and should—do, too.
Much of what I did was based on the excellent advice provided by Jon Jones in his #GamerGate Survival Guide. But for people who are perhaps a bit less tech savvy, I’m going to go through the steps I took, and the rationale and tools I used for each.
Because I use a variety of devices to access most of my data—a Mac laptop, a Windows laptop, an iPhone, and an iPad—I looked for solutions that were cross-platform. That influenced many of my choices along the way.
I’ll warn you up front: Setting all of this up is a time-consuming and tedious process. However, the process of recovering from being hacked is significantly more time consuming and tedious. Think of this as a not-very-pleasant vaccination process. Short term pain, long term gain. Assume that you’re going to need to set aside at least a few hours to get the basics working. The good news is that once it’s all up and running, most of it requires little or no ongoing attention.
Step One: Unique Passwords and a Password Manager
Why? One easy way for someone to break into your accounts is by using a password that they’ve hacked from one site to access other accounts that you have. Because many people use the same password or passcode on multiple sites, all it takes is one server with poor security for a hacker to get access to many of your accounts. That’s why you should never use the same password on multiple systems. You also shouldn’t use passwords that are easy for others to guess (including words that appear in the dictionary, or names of people, places or pets associated with you).
How: The problem with having multiple unique and complex passwords is that it’s really hard to keep track of all of them. That’s where password managers come in. The way a password manager works is that you create an account with their system that has a very secure and hard to guess password. For many people, the best way to do this and remember it is to use a phrase or easy (for you) to remember series of words, numbers, and/or names.
Here’s a nice explanation of how to do this from security expert Neil O’Farrell:
A passphrase is a short sentence that’s easy for you to remember—that describes something about you and your life, for example—but that a hacker would have a very hard time knowing or guessing.
For example, the phrase could be something like “I graduated from Notre Dame University on June 1st 2002.” Pick the first letter from every word in that phrase, making sure you include the upper and lower case, and keep all the numbers.
That would give you the following password: “IgfNDUoJ1st2002”. That’s a massive 15 characters and includes upper and lower case letters and numbers. Change the “I” to the symbol “!” and now you’ve made it even harder to crack. (From Business Insider’s “Idea for Easy to Remember Passwords”)
It’s really important that you be able to remember this passphrase, but the good news is that it’s the only one you’re going to have to remember!
There are several good password management programs out there. I’ve chosen to use LastPass. It costs me $12/year for the paid premium version, which gives me apps for my mobile devices as well as the addon for my browsers. (You can use the browser addon for free, and upgrade to the ad-free and mobile-enabled version if it seems worthwhile to you.)
LastPass will be able to import any login information you’ve stored in your browser, and then can clear that information from your browser—which you should absolutely let it do, because the browser is not a secure space for storing that information! LastPass also provides utilities to check for insecure sites and passwords.
When you go to new sites, LastPass will generate a new randomized password for you and then store it—then when you return to the site, it will fill in the login information for you based on the site’s domain name. If you’re on a computer that doesn’t have LastPass installed, you can either use a mobile app to view your account information, or you can go to the LastPass website to view your “vault.” (Note: Do not log into the LastPass website on an unfamiliar computer, or one that you aren’t sure is on a secure network—more on that later in step 3, which addresses the risk of public computers and networks!)
(While LastPass is the system I use, two other well-regarded password managers are 1Password and Dashlane.)
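To make the two ideas in this step concrete, here is an added Python example (my own, not code from the post, from LastPass, or from the quoted article). It applies the first-letter rule from the quoted passphrase advice to the quoted sentence, generates the kind of random password a manager creates for a new site, estimates the strength of such a random password, and runs the simple reuse check that a manager’s security audit performs. The vault contents and site names are constructed for the example.

```python
import math
import secrets
import string
from typing import Dict, List, Optional

# The sentence used in the quoted advice above.
EXAMPLE_PASSPHRASE = "I graduated from Notre Dame University on June 1st 2002."

# Alphabet a manager draws from: upper, lower, digits and punctuation (94 symbols).
MANAGER_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def passphrase_to_password(phrase: str, substitutions: Optional[Dict[str, str]] = None) -> str:
    """Apply the quoted rule: the first letter of each word, case preserved,
    with any token that contains a digit ("1st", "2002") kept whole.
    Surrounding punctuation such as the final full stop is dropped."""
    pieces = []
    for token in phrase.split():
        token = token.strip(string.punctuation)
        if not token:
            continue
        pieces.append(token if any(ch.isdigit() for ch in token) else token[0])
    password = "".join(pieces)
    # Optional character swaps, e.g. {"I": "!"} as the quote suggests.
    for old, new in (substitutions or {}).items():
        password = password.replace(old, new)
    return password


def manager_style_password(length: int = 20, alphabet: str = MANAGER_ALPHABET) -> str:
    """What a password manager does for a new site: every character comes from
    the OS cryptographic random source (secrets); nothing comes from memory."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_entropy_bits(length: int, alphabet_size: int) -> float:
    """Strength of a uniformly random password: length * log2(alphabet size).
    This formula does NOT apply to the passphrase-derived password, whose
    characters follow English word patterns and are therefore more guessable."""
    return length * math.log2(alphabet_size)


def find_reused_passwords(vault: Dict[str, str]) -> Dict[str, List[str]]:
    """Group sites by password; any group with more than one site is reuse,
    the condition a manager's security check flags and this step warns about."""
    by_password: Dict[str, List[str]] = {}
    for site, password in vault.items():
        by_password.setdefault(password, []).append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    print(passphrase_to_password(EXAMPLE_PASSPHRASE))              # IgfNDUoJ1st2002
    print(passphrase_to_password(EXAMPLE_PASSPHRASE, {"I": "!"}))  # !gfNDUoJ1st2002
    print(manager_style_password(), f"~{random_entropy_bits(20, len(MANAGER_ALPHABET)):.0f} bits")
    # Constructed vault: two sites sharing one password, one with a generated password.
    sample_vault = {"webmail": "hunter2", "bank": "hunter2", "forum": manager_style_password()}
    print(find_reused_passwords(sample_vault))                     # {'hunter2': ['webmail', 'bank']}
```

The point of the comparison is the one the step makes: the passphrase trick is for the single master password you must remember, while every site password should be a generated one you never have to remember, and the reuse check is what tells you which of your existing accounts still need that treatment.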
Step Two: Two-Factor Authentication
Why? Once someone has your password—especially if it’s the password to an email account linked to other services you use—it can be very difficult to keep them from logging into all of your accounts and locking you out of them. (Read Mat Honan’s chilling tale of how that happened to him, for instance.)
How: That’s where two-factor authentication comes in. It involves a two-step process the first time you log into a service from a new device or program. After you enter your username and password, you’re prompted for a special code that’s provided to you through another channel—usually either an SMS message, or a code-generating tool that you run on your mobile device. That prevents someone who’s managed to get your password from logging into your account unless they also have access to your phone when they’re doing so. It’s a bit of a slow process to set this up, but it provides a much higher level of security than passwords can offer.
You can find an excellent list of providers offering two-factor authentication at http://twofactorauth.org—the list shows not just who offers you this type of security, but also which options they support.
Because I’ll be going overseas for several months next year, and won’t be using my US telephone number while I’m there, I’ve been slowly migrating most of my two-factor authentication away from SMS and to the Google Authenticator program that I can run on my phone, which computes the codes on the phone itself and so needs neither a phone number nor cellular service. But for most people, SMS authentication works perfectly well.
Step Three: Beware Public Computers & Networks!
Why? If you’re using a computer other than your own, there’s always a risk that it has been compromised in some way—it’s not at all uncommon for computers that aren’t protected with good and up-to-date anti-virus/anti-malware software to have a malicious keylogger program or other spyware installed. Be very cautious about logging into secure systems from a computer that you’re not sure is well-maintained.
Even if you’re using a safe computer, however, there’s enormous risk involved with connecting to public wifi signals. The Medium essay “Here’s Why Public WiFi is a Public Health Hazard” gives you an idea of just how dangerous public wifi networks are. I’m not going to tell you not to use public wifi—“Just Say No” is almost always an entirely impractical solution.
How: Since nearly all of us do use public networks, one of the best ways we can protect ourselves is by installing VPN (“virtual private network”) software on the devices we connect with. A VPN creates an encrypted tunnel between your device and the VPN server for all of your data, so even someone who’s spying on the data going through the public network won’t be able to extract your information from it.
If your employer provides a VPN, use it (and not just when you’re required to, as in the case of restricted in-house systems). If it doesn’t, or if it doesn’t work on all of your devices (my university doesn’t support mobile devices with its VPN, for instance), consider using a third-party VPN option. Lifehacker has written some nice things about VPN options, including “Why You Should Start Using a VPN (and How to Choose the Best One for Your Needs)” and “Five Best VPN Service Providers”. After reviewing the options, I decided to go with TunnelBear, which has a free option if you don’t expect to use more than 500MB a month of data on public networks. I opted for the paid version ($50/year), which gives me unlimited data on up to three devices—I installed it on my Mac, my iPhone, and my iPad, which are the devices I’m most likely to use when I’m out of the house. TunnelBear is a great option for people who aren’t very tech-savvy, because it provides a very simple user interface and requires no complex configuration. (A side benefit of a VPN is that it allows your computer to look as though it’s connected to the Internet from the VPN server’s location—since I’ll be traveling abroad for a good chunk of next year, that will help me keep access to my paid accounts with providers like Netflix, which otherwise might be inaccessible to me.)
Those three steps—using good passwords and a password manager to keep track of them, setting up two-factor authentication on as many of your accounts as possible, and using a VPN on public networks—will greatly reduce your risk, and make you a far less attractive target for identity thieves. And while they’ll take some time to set up, they’re inexpensive and powerful tools that are worth the time and effort involved.