Tuesday, August 16, 2011

New online security measures

[edited to make clearer and shorter!]

Sparky had his Gmail account broken into by Chinese hackers last week, most likely because of the Sony Playstation security breach earlier this summer. He's going to be okay, but we both decided it was time to get serious about protecting ourselves and I wrote it all down in case anyone out there is thinking of doing something similar.

The first few steps take less than 30 minutes to set up. Do them! The last step takes a few hours but really that's just one Saturday morning, and I think it's well worth the time. These steps will make it more difficult for hackers to break into your computer, and will limit the damage if an online site you already trust (like your bank, or eBay, or Sony) gets hacked and your login info at that "trusted" site gets stolen.


The short version: I only have to remember three really secure passwords.
  1. The first is for my main computer/laptop, which is set to require a password on start-up, on wake-up from sleep, and even from the screensaver, which kicks in after just a few minutes.
  2. The second is for my Gmail/Google account, which is important because just about every website I use has a "Forgot password?" link that would send that site's password to my Gmail. So that account is critical.
  3. The third is a master password which protects a file listing all my other website passwords, easily accessible from my desktop and my phone.
Now, the details:


1. Set your computers and laptops to lock with a password when they sleep or shut down. (takes 5 minutes)

If someone steals your laptop, it's as if a burglar broke into your home and stole your filing cabinet. It's so easy to protect yourself, and yet these settings aren't the default:
  • Use a strong password for your account login.
  • Set your machine to require that password on "wake up", so you must know the password to get into your account. On Windows and Mac this is under the Power Settings in the control panel. This protects you from someone opening your web browser and jumping straight to your mail or other websites which probably "remember you".
  • Set up a Guest Account on your computer so friends and visitors can use it easily without having to type your password. It's so simple: on both Mac and Windows it's just in the User Accounts control panel.
  • Set a lock timer so that the screen automatically locks after 5 minutes. This is also in your control panel, either under "Screen Saver" or "Power Settings".
In many ways this is the most important step, because if a thief walks off with your laptop and it doesn't lock, your browser probably remembers all of your logins and won't even bother to ask for a password when the intruder goes to gmail.com or facebook, or whatever. So having the machine lock is a small bother, but a huge security win.

(If you're on a Mac, you can optionally turn on "hard drive encryption" for your user account. This makes it even harder for a thief to get your information, so long as he doesn't know your account password. On Windows this is not a built-in feature, but you can use third-party software such as TrueCrypt if you want to do this. I have not set up full-disk encryption and probably won't.)


2. If you're using Gmail as your primary email, turn on "two-factor" security. (15 minutes)

Two-factor is the online equivalent of an ATM card: you need your password AND a physical device (usually your cellphone) to log in from a new location or PC. The login attempt causes Gmail to send an SMS message to your phone with a one-time PIN that you then key in. Without the PIN, you can't log in.

With two-factor, the Chinese hackers would not have gotten into Sparky's mail, even if they had stolen his password, because they could never have received the extra PIN unless they had also physically stolen his phone. See this two-factor explanation from Google for more info.

Set it up carefully; the details are important! If you have a smartphone, you can also use an app to get the PIN instead of waiting for an SMS. It's pretty cool.


3a. Stop using the same passwords for all your websites and accounts. Change ALL of them.

If you're like me and just about everyone else out there, you probably have a small handful of passwords memorized, and you use the same ones everywhere. Maybe your banking password is harder to remember than the one you use for Facebook or that book-sharing site. This is a terrible idea, because if one of those sites gets hacked, the attackers have the keys to all of your online identities. You KNOW this is a bad idea, but you don't want to memorize 30 passwords.

Especially for sites that really are the key to your identity, such as your primary email, it's absolutely critical that you use a separate login with a really tough password. Someone with access to my browser and my Gmail, for example, could go to every site in my history list, click "I forgot my password", and have my password for that site emailed to them.

Scary, huh... and the solution?


3b. Use a password manager to create and save all your new, tough passwords (a few hours)

I installed KeePass on my desktop computer and on my Android phone. It's just a password manager: it requires you to type in a master password before it shows all your stored passwords. It's free and open source, which means it's very secure, and there are versions for Windows, Mac, Android, Blackberry, and iPhone. It lets you group and sort passwords any way you want, and it can auto-generate long, random passwords for every site you use. There are other similar apps too (this isn't an advertisement!).

Make sure your master password is very strong and very memorable; if you lose it, you're screwed. See this xkcd comic for a reminder of what good and bad passwords look like!

I trust the security in my main browser to save my passwords, so as long as my computers are safe and locked down (see step 1 above), I don't have to type any of these long passwords in more than once in a while. And KeePass lets you copy and paste the passwords anyway, so actually there's no typing at all. KeePass is great.

So I logged into every website I use, navigated to the "Manage Account" page, and changed my password to a random one suggested by KeePass. Some websites enforce length, numbers, letters, spaces, no spaces, etc. -- just check the right boxes in KeePass and it will do it for you. Then, after all of my logins were reset, I copied the KeePass database file from my PC to my Android phone. Now I have all those complex passwords anywhere I need them.



4. Keep your security software up-to-date.

Boring but important: make sure that your software updates are set to run automatically -- both system updates, and antivirus/malware such as MS Security Essentials. And if you're on Windows, I gotta say... just uninstall everything from Norton, Symantec, or McAfee, and just go to the MS Security Essentials website and use that instead. It's free, quiet, unobtrusive, and just works. That other stuff is just crap.

That's all I got. Hopefully this is helpful to some folks out there!

5 comments:

Aksel said...

All of a sudden I don't feel so good.

pooj said...

Thanks, BC. Will share this...

Anonymous said...

Windows 7 and Vista have hard drive encryption built in; it is called BitLocker. If you have a certain chip in your computer, a TPM chip, then you need nothing else. Otherwise you can use a password or a USB stick to encrypt your hard drive. I assume that this is the same as on your Mac.

Anonymous said...

Also, passwords are so last century; passphrases are what you should use:

http://www.xkcd.com/936/

~ Matt

Muni Meltdown said...

*Love* that comic! Thanks for the comment.

Note, though, that BitLocker is not available on the versions of Windows that come on your desktop or laptop when you buy it. It's only on Windows "Ultimate", which no one buys.

That's why I recommend TrueCrypt for my patients who need crypt. :-)