Are You Risking Your Online Security with These 6 Mistakes?

Could your email account be compromised in a matter of minutes?

Here’s a crazy story. One day, my friend and I were sitting on the couch together, working on our own projects. The subject of online security came up, and he mentioned he wasn’t using two-factor authentication for his gmail account.

My jaw dropped. One of my best friends, someone with lots of experience in tech, didn’t have his account properly secured.

I offered him up a challenge: with his permission, I could break into his email account in less than 15 minutes. He agreed to let me try, and less than 5 minutes later, I was in.

I didn’t use any kind of hacking tools or exclusive knowledge. I just went to, typed in his email address, and clicked “Forgot password”. After a few generic questions, Google allowed me to reset his password.

If this story scares you a bit, good. Online security is vitally important and often doesn’t get enough attention.

This post will show you some of the most common security pitfalls and how to avoid them so you can keep your accounts safe.

1. Using the same password twice

Do you remember every single online service you’ve ever signed up for? Neither do I.

According to the Identity Theft Resource Center, there were 1,339 data breaches in 2017 alone. Ouch.

One scary fact about this report: it only lists breaches that were publicly disclosed by a credible source, ie government websites or the mainstream media. How many more go unreported? No one knows.

So what?

Well, if you used the same password on multiple sites and one gets compromised, hackers will be able to log in to all of those accounts.

You can check if your email address has ever been involved in a breach here. Protip: it probably has.

Seriously. Use a different password for each and every service you sign up for.

How are you going to remember all these passwords? That brings me to my next point.

2. Writing your passwords down

Writing down your passwords on a sticky note or in your journal is a terrible idea. Exception: If you write them down on a piece of paper and lock that paper up in a safe or other secure location.

Think nobody would bother stealing your passwords this way? Think again. In the era of online everything, there’s a lot to gain from accessing someone’s online accounts. Here are some possible suspects:

  • A shady coworker
  • Your kid’s new friend
  • A burglar — they just got your physical goods and your online accounts all at once

Writing down your passwords in a file on your computer is just as bad. Anyone who uses your computer could easily search for the file and email it to themselves in a matter of moments.

So how can you remember hundreds of unique passwords?

Enter the hero: password managers

Password managers are the de facto solution to this problem. Password managers are fantastic because they:

  • Allow you to have unique passwords everywhere while remembering just one master password
  • Act as secure storage for other information like your bank account number
  • Save you time by autofilling your password on saved sites

Here are three popular choices.

LastPass —

I use LastPass every day. It supports two-factor authentication and using it in Chrome or Firefox is as easy as installing a browser add-on. They also have a mobile app for iPhone and Android.

When you get a new computer or phone, all you have to do is provide your master password and you’re back up and running.

They have a free and a paid version. Personally, I have had no problems using the free version for the last couple of years. Sometimes the interface is a little clunky, but overall I’m really happy with LastPass.

Dashlane —

Dashlane is a similar product to LastPass, but I haven’t used it. It’s a newer service that seems to be gaining popularity.

KeePass —

KeePass is great because it’s an open source program that’s completely free. If open source is your thing, give KeePass a shot. Since there are no corporate servers involved, you’ll need a way to sync your “key file”, which is an encrypted file containing all of your passwords. Dropbox works well for that.

The main downside to KeePass is that it has poor browser integration — it supposedly supports autofill, but when I used it, I couldn’t get that working. Instead, you just open up the program and copy+paste your password into your browser.

It also has worse cross-platform support. I really only recommend KeePass to folks that really dislike the cloud and want to support open source software.

3. Not using two-factor authentication

Using two-factor authentication is one of the best things you can do for your account security. Most modern services support it nowadays, and using it is easy.

The most common method is to add a phone number to your account. Every time you log in from a new device, a unique code will be sent as an SMS to that phone number. That way, even if a hacker does get your password, they still won’t be able to log in. Pretty cool, huh?

Many security-conscious companies such as Google and LastPass also provide a mobile authenticator app that you can use instead of an SMS. It’s more secure and doesn’t require a connection on your phone to use it.

4. Not choosing security questions carefully

Like, very carefully.

In the age of social media, many security questions can be defeated with a quick glance at your various profiles. Even obscure questions can be answered with a bit of digging and social engineering: “Hey, do you remember Carl’s first car?”

Honestly, my best recommendation is to not use security questions at all. If a website requires you to fill them in, make the answer a unique password such as “cJ4Hc6yK” and save the question/answer set in a secure note in your password manager (see tip #2).

Most email accounts will ask you if you have a phone number or secondary email address you want to use in case you forget your password. The problem is that expired phone numbers can be given to a new owner, and a hacker with some determination could try to get access to your old phone number.

Even worse, some email services allow email addresses to expire. If you haven’t used your recovery email address in a long time, it’s possible that someone else is now using that email address. It’s even more possible that a hacker could register that email address and then recover your password.

In particular, hotmail and yahoo emails can be re-used if they haven’t been used for a few months. Seriously, what were Microsoft and Yahoo thinking?

Actionable tip: Check your account recovery information and ensure it’s up to date.

6. Logging in without checking the URL bar

Avoiding phishing is a complicated topic, but here’s one piece of advice: always carefully check the URL bar when logging in to a website to verify it matches what you expect.

Another bonus for using a password manager — they will only autofill your password on the correct domain.

Phew, we made it

That’s a lot of pitfalls to avoid. I hope your accounts are a little more secure after reading this post. If this helped you, please share this post with your friends and family to help keep them secure.

Originally published at