Many of us now work from home or stay at home and spend many hours online. Being online is almost a necessity: from ordering food, through work, to entertainment. I’ve been wondering how to keep myself safe online. It’s obviously not possible to never get hacked; just look at how the richest man, Jeff Bezos, got hacked [1], or, recently, many big US corporations and government agencies [2]. So the question of being safe online is not so much whether it’s possible, but how to reduce the likelihood of it.
There is also one more problem: security often means additional work and better habits. And if we have to follow 100 rules to stay safe, we won’t follow all of them. Complexity is the enemy of execution. For example, imagine that a website asks you for a long, strong password with many special characters. And then you have to remember it… brr… There is a big chance that you won’t remember it, or that you will just reuse one of your well-known passwords. And you might use this password on other sites. And later you will get this password back in plaintext in an email message. Heh, it’s getting complicated. How to make it simpler? My top 3 steps are:
A) Use a password manager
B) Use a hardware key, e.g. YubiKey (at least 2 of them, for redundancy)
C) Pause for a few minutes after an unexpected digital prompt (SMS, email)
Let me explain each of these steps a little.
(A) Password manager
Using a password manager means that you have a single strong password that unlocks it. I myself use Bitwarden because it also allows self-hosting, but there are many good ones. The password manager gives you more than passwords. You can store important files or notes. Everything is stored encrypted, of course. It also fills in website login forms based on the URL. It basically saves you time, and you don’t have to worry about many passwords. Additionally, it can generate random passwords matching given criteria, so you don’t have to think up strong passwords anymore. And you can use it with a hardware key and on a smartphone. The screenshots below are from the Bitwarden password manager because I use it myself and know it very well. Do your research and choose one that fits you best.
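To show what the “generate random passwords with given criteria” feature does under the hood, here is an added example (my own illustration, not code from this post or from Bitwarden). It draws characters from the operating system’s cryptographic random source via Python’s `secrets` module, guarantees at least one character from each requested class, and estimates the resulting entropy so you can see why a 20-character generated password is far stronger than anything memorable. The symbol set and the class names are constructed for the example.

```python
import math
import secrets
import string

# Character classes a password-manager generator typically lets you toggle.
# The symbol set below is a constructed choice for this example.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!@#$%^&*()-_=+[]{};:,.?/",
}
ALL_CLASSES = tuple(CLASSES)


def generate_password(length=20, classes=ALL_CLASSES, min_per_class=1):
    """Return a random password of `length` characters drawn from the chosen
    classes, with at least `min_per_class` characters from each class."""
    if length < min_per_class * len(classes):
        raise ValueError("length too short to satisfy the per-class minimum")
    alphabet = "".join(CLASSES[c] for c in classes)
    # `secrets` uses the OS CSPRNG; never use the `random` module for passwords.
    chars = [secrets.choice(CLASSES[c]) for c in classes for _ in range(min_per_class)]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Shuffle so the guaranteed characters are not predictably at the start.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def meets_criteria(password, classes=ALL_CLASSES, min_per_class=1):
    """Check that the password contains the required number of characters
    from every requested class (what a site's own validator would check)."""
    return all(
        sum(ch in CLASSES[c] for ch in password) >= min_per_class for c in classes
    )


def entropy_bits(length, classes=ALL_CLASSES):
    """Upper bound on the entropy of a uniformly random password of `length`
    characters from the combined alphabet. The per-class minimum excludes a
    few candidates, so the true figure is marginally lower."""
    alphabet_size = sum(len(CLASSES[c]) for c in classes)
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, f"({entropy_bits(20):.1f} bits)")
    # For comparison, 8 lowercase letters give only about 37.6 bits.
    print(f"8 lowercase letters: {entropy_bits(8, ('lower',)):.1f} bits")
```

Because the manager remembers the result, the password never has to be memorable, which is exactly what removes the temptation to reuse one.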
(B) Hardware key
A hardware key is a key you plug into your USB port, and you must be physically present to touch it. It’s a second factor of authentication, but it is also much more. You can have an authenticator app on your phone and type in a 6-digit code… or you can touch a key that sits in your USB port. Not only does a hardware key offer better protection, it also saves time. Of course, not all websites support it, which is why we have the password manager, but even when a website only offers a second factor via an authenticator app, you can install the Yubico Authenticator app and use the YubiKey with it [3]. Please, please take a few minutes to read more reasons why here: https://www.yubico.com/why-yubico/for-individuals/ [4]. And remember that it’s best to have multiple keys for redundancy (it’s also easier than having the app on multiple smartphones).
(C) Pause for a few minutes
(A) and (B) are really important, but there are many more things we can do. I wanted to have only 3 items, for maximum value at minimum cost. So the 3rd one is a little more general, and I think it’s easiest to understand when we look at these scenarios.
Scenario 1: Your friend on Facebook is asking you for money immediately, because <some reason>. You know him, so why not just do it? He even sends you a link so you can finish the payment in a few simple steps. What should you do in such a case? I’d argue that this is one of the cases where procrastination helps 😉 Take a deep breath and call your friend to check whether this is really what he wants (it’s best to use some other means of communication, so you can confirm that he really sent this message and not some automated bot).
Scenario 2: HMRC sends you an SMS about a tax refund. It happened to me a few months ago; see https://tomasz.jarosik.online/2020/03/gov-uk-warning/ I was excited… for about 2 seconds. But it is important to wait and think a bit. Without the pause, you don’t have a chance to notice the weird or surprising bits that don’t match.
Scenario 3: You get an unexpected call from your bank, and someone just wants you to confirm a few personal details so they can verify your identity. Well, again, you can just say: “sure, I’ll call you back in 5 minutes”. This gives you time to think about whether you have any open cases with your bank and how you usually contact them, and, even more importantly, it will be you who chooses the phone number or website to call or go to.
I think these are steps that give the most protection with minimal effort. Sure, you can do much more than that, but you must ask yourself if you will follow through and if the effort is worth it.
[1] https://www.theguardian.com/technology/2020/jan/21/amazon-boss-jeff-bezoss-phone-hacked-by-saudi-crown-prince
[2] https://www.nytimes.com/2021/01/02/us/politics/russian-hacking-government.html
[3] https://www.yubico.com/products/services-software/download/yubico-authenticator/
[4] https://www.yubico.com/why-yubico/for-individuals/