On Friday, hundreds of millions of MySpace account details, including passwords, turned up for sale online. It’s a reminder that your data, wherever it’s held, is at risk – and it’s not always your own account security that can let you down.
Even so, there are many easy ways to minimise the risks to you and your information. (For one, if you had a MySpace account, delete it now.) I’ve asked a range of tech and security experts for the tips and tricks they use online themselves, and ordered them with the most important first.
Each should only take a few minutes, or a tweak to your online routine – but each could save you from weeks of headaches over lost data, stolen money, or hacked accounts.
1. Never duplicate passwords
Sounds obvious, but you do it all the time, right? Caitlin Pantos, a privacy expert at Google, tells me that repeating a password is “even more dangerous than having a weak password like ‘12345’ or ‘password’ – hacking due to password reuse is something we see a lot”.
Using different passwords for everything is, needless to say, a faff. But there are a few tricks that can help, Pantos says: “Use the first letters of a phrase that means something to you, and include numbers and symbols if you can.” Failing that, you can…
2. Use a password manager
These are easily downloadable tools which generate long, complex passwords for each of your accounts and store them for you behind a single password. You do, of course, need to make sure that one password is very secure.
Many tech professionals use LastPass, which you can download or use as a Chrome extension, and which has a free version. You can also try Dashlane or Sticky Password, both of which come recommended by PC Magazine.
3. Use mobile recovery
If you forget a password for an account, you usually reset it by email. Yet increasingly, you can set up a “mobile recovery system”, which sends you a code by text before you can reset the password. It means that if someone hacks your email, they can’t then just reset all your passwords to access other accounts.
A point on this, though – if you have mobile verification (see below) or recovery, it’s a good idea to turn off message previews on your phone’s screen, so someone can’t just see the code flash up without needing to unlock the phone. Here’s how for iPhone and Android.
4. Use two-step verification (or even three)
Increasingly, online banking or email accounts have login systems which ask both for a password, and a code sent to your phone or generated on a handheld key. This, Caitlin Pantos says, massively increases your account security, and you should enable it whenever it’s offered for accounts you want to ensure are secure: “People who work at Google have to use it – it’s mandatory.”
Even better than two-step verification, though, is three-step: “That involves something you remember, like a password; something you have with you, like a phone; and something you are, like your fingerprint,” Pantos says. If you have mobile verification, and a fingerprint lock on your phone, it’s very unlikely a hacker could gain access to your account.
5. Use encrypted messaging
Thankfully, this no longer necessarily involves installing complex software. Encryption means that when the message passes from your device to someone else’s, it can’t be intercepted and unscrambled on the way (which goes for both government surveillance and hackers). It’s a good idea if you’re sending private information, or if you’d rather no one else read your messages.
WhatsApp now offers encrypted chats, though you need to make sure it’s turned on for both sender and receiver.
Dave Hrycyszyn of digital agency Head, who has designed software systems for the NHS and Tesco, also recommends the app Signal: “Signal is built by a guy named Moxie Marlinspike who has an excellent security record and is well-known in the security community. I just happen to trust the people who make Signal more than I trust Mark Zuckerberg, who owns WhatsApp.”
6. Know your privacy settings
Most social networks give you a fair amount of control over your privacy, if you choose to take them up on it. As Mark Goodchild, a media strategist who has worked on digital policy for the BBC, tells me, “most people don’t know what their privacy settings on social media are”.
This can be more dangerous than you may think, he says: “There are a whole bunch of tools being used by PR firms and marketers to scrape data on influencers. In the wrong hands these can be used to get a useful profile on anyone. It would be very easy to find out your pet’s name from Facebook and then use that to do password retrieval on a system that asks ‘special questions’.”
Facebook is a little less straightforward, but this Wired write-up takes you through the major ways to control who sees what.
On Snapchat, you can change the privacy on your “stories” to be seen only by “my friends” or a “custom” group of users; and can choose only to receive snaps from your added friends. On Instagram, you can make your profile private, so others have to request to follow you.
7. Browse incognito
Andrew Åkesson, head of digital at Venn Digital marketing agency, says he always browses using Google’s “incognito” function when using public computers. “It means the search history won’t pop up at a later date, if, say, you were searching a private medical condition.”
The equivalent for Firefox is Private Browsing, and for Microsoft’s Edge it’s InPrivate. All allow you to browse without collecting cookies from sites or sending information to your browsing history.
8. Public generally means insecure
Lee Munsen, a security researcher at tech testing company Comparitech, recommends caution when you connect to public Wi-Fi. “Hackers can easily set up free Wi-Fi connections which have legitimate-sounding names such as ‘Starbucks free Wi-Fi’, to dupe trusting members of the public into connecting. These can be used to intercept your communications and collect personal data.” As a result, make sure you check the name of the network with staff first. It’s also a bad idea to do financial transactions on any public Wi-Fi network.
9. Limit who’s tracking you
Targeted advertising can be annoying (especially when it shows you clothes you’ve looked at but decided were horrible) but it’s also good online hygiene to limit the number of companies building up a profile of you. If you would rather advertisers didn’t track your online behaviour, you can download tools to evade them.
Lee Munsen recommends Privacy Badger, which is a free tool from the Electronic Frontier Foundation: “It stops third parties including advertisers tracking where you go online”.
Your Online Choices has a great tool which tells you which companies are sending you targeted advertisements, and lets you control which ones can do this.
Getsafeonline.org has more tips, and regularly posts updates of known scams.