My thoughts on security and privacy
With the recent disclosure of the Meltdown and Spectre CPU vulnerabilities, it's more important than ever to protect your personal identity, including but not limited to your address, passwords, phone number, credit cards, and the accounts you use for your online activities, including banking and e-commerce.
I've been paying careful attention to security and privacy since the early days of the Internet and always try to keep up with the newest ways to secure my privacy, e.g. updating my passwords every once in a while, activating 2FA, and so on.
For some people, 2FA is a magic thing and they're afraid, if not too lazy, to use it in their everyday lives. Even people who understand basic security often don't want to use 2FA.
Here’s the list of things you should know and do to secure your online activity.
Is your password ‘abcd1234’?
People want to remember their passwords with little or no effort. That's why lots of people use their pet's name, address, phone number, birthday, and other simple things as their password. But with today's computing power, an attacker who obtains a leaked database of password hashes can run a brute-force or dictionary attack against it (helped by precomputed rainbow tables whenever the site failed to salt its hashes) and recover such passwords rapidly. Recent research reported that an 8-character password can be cracked in about 6 hours; how long it really takes depends on the hashing algorithm the site used and the hardware the attacker has. If your password is abcd1234, it won't take 6 hours: a pattern like that sits in every cracking wordlist and falls in well under a minute.
So what is my suggestion for the so-called strong password? I, myself, use at least 16 characters to form a password. In 2018, as part of my new year's resolution (don't laugh, of course I have one, too!), I planned to update all of my passwords to be at least 40 characters long.
Below are some examples of the randomness of my passwords:
and so on.
“But how do you remember those passwords?”
My answer is pretty simple: I don’t.
“And how do you form a password that's 40 characters long?”
I wrote a very simple Python script to randomly create a password of any length (run it without arguments for a default length, or pass the length you want as a command-line argument. Your call).
If you are simply not a programmer, just use a password manager.
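The author's own script is not included on the page, so here is an added example of the same idea: a generator that draws every character from the OS cryptographic random source with the `secrets` module, takes the length from the command line, and also estimates the brute-force work behind the cracking figures discussed earlier. The `1e10` guesses-per-second rate used for the estimate is an assumed placeholder for a fast GPU rig against an unsalted fast hash, not a measured number.

```python
"""Added example (not the author's script): random password generation with
the secrets module plus a rough brute-force cost estimate.

Usage:  python genpass.py          # default length (16)
        python genpass.py 40       # 40 characters
"""
import math
import secrets
import string
import sys

# Printable ASCII minus space: 94 symbols.  Trim this for sites that reject
# some punctuation; the entropy estimate below adjusts automatically.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Return `length` characters chosen uniformly at random.

    secrets.choice reads the OS CSPRNG.  random.choice (Mersenne Twister)
    must never be used for secrets: its state is recoverable from outputs.
    """
    if length < 1:
        raise ValueError("length must be positive")
    if len(set(alphabet)) < 2:
        raise ValueError("alphabet must contain at least two distinct symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy of a uniformly random password of this shape.
    This only applies to generated passwords; 'abcd1234' has far fewer bits
    than its length suggests because attackers try patterns first."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the password by exhaustive search at the given
    rate (on average the attacker covers half the space)."""
    return (2 ** bits) / 2 / guesses_per_second


def main(argv):
    length = int(argv[1]) if len(argv) > 1 else 16
    password = generate_password(length)
    bits = entropy_bits(length, len(ALPHABET))
    # ASSUMED rate: 1e10 guesses/s for a fast unsalted hash on GPUs.  Slow
    # hashes such as bcrypt or Argon2 cut this rate by many orders of magnitude.
    years = expected_crack_seconds(bits, 1e10) / 31_557_600
    print(password)
    print(f"{bits:.1f} bits of entropy; ~{years:.3g} years at 1e10 guesses/s")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python genpass.py 40` and paste the output straight into your password manager; the only password you then keep in your head is the manager's master password.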
The power of a password manager
When I answer “No, I don't remember my passwords”, people ask how I log in to all my accounts if I don't remember the password. Use a password manager.
There are lots of free and premium services for this, and you can choose the one that fits your needs. Those services (along with their own app and browser plugin) will remember your long and random passwords and save them in an encrypted vault. All you have to do is go to the website you want to log in to and the password manager will do the rest. They usually also provide a function to generate a random and secure password. The one password you still have to remember is the vault's master password, so make it long, make it unique, and protect the vault with 2FA too.
Oh, and they also sync across browsers and devices.
Dare to ask for more?
2FA or 2-Factor Authentication
User authentication is built on a combination of two or more factors, usually called “something you know”, “something you have”, and “something you are.” The idea of 2FA is to combine “something you know”, that is your password, with “something you have”, that is your phone (an authenticator app, or a code sent to it), a hardware security key, or similar. Codes sent by email or SMS are the weakest form of the second factor, because an attacker who takes over your mailbox or phone number receives them too; prefer an authenticator app or a hardware key where the service offers one.
If someone steals your password, copies your passwords file, or taps your keyboard or network to capture it, you're doomed: every account that uses that password will eventually be hacked and your personal information may be leaked, if not stolen.
2FA adds one more layer in case your password is cracked: a thief must also get hold of your phone, or the code it generates, to get into your account. Since your phone is presumably locked with the PIN or swipe pattern you set earlier, stealing your account becomes hard and cumbersome. One caveat: a one-time code can still be phished by a fake login page that relays it to the real site within its validity window; hardware keys implementing FIDO/U2F are bound to the site's origin and resist that.
If you’re not sure whether your services you use provide 2FA, you can check it here.
Activate 2FA now. I mean, right now.
Use HTTPS
With the growing amount of network tapping on public Wi-Fi in places such as airports, cafes, waiting rooms, bus shelters, and shopping malls, it's more important than ever to know whether the website you're connecting to is secure. The S in HTTPS stands for secure: the connection is encrypted and the server proves its identity with a certificate. If a website still uses HTTP instead of HTTPS, be aware that anything you type, passwords and card numbers included, travels to that site in plaintext and can be read or altered by anyone on the path. Keep in mind that HTTPS only protects the data in transit; a phishing site can have a perfectly valid certificate too, so the padlock says nothing about who is behind the site.
Even though HTTPS protects your traffic to each individual site, you may also want a VPN to protect everything else you send across an untrusted network.
Use a Virtual Private Network or VPN
A Virtual Private Network or VPN is like a tunnel you use to communicate with the outside world. Your ISP, anyone tapping your local network, and a man-in-the-middle on that network will only see that you're connected to the VPN server (plus the volume and timing of your traffic) and nothing else. You can freely browse or connect to other servers through that VPN and nobody on the local network will see what you do (except the VPN provider itself, and of course the sites you visit). Make sure your DNS queries go through the tunnel as well; a DNS leak reveals the name of every site you look up even though the rest of the traffic is hidden.
Choose your VPN wisely, as it becomes the one party that can see all your activity: a VPN moves your trust from the local network to the provider, it doesn't remove it. If you can afford it, pay for a premium service that offers a zero-log policy, bearing in mind that such a policy cannot be verified from the outside. Trust me, it's worth it.
A VPN is my go-to solution whenever I doubt that the wireless or wired connection I'm on is really secure.
Encrypt sensitive information using OpenPGP
There are times when you want to send a username and password, a PIN, recovery codes, or even an authentication or confirmation code to someone over the Internet by email or as a plain-text file. This is very dangerous and not recommended: your message passes through many systems between the moment you hit “Send” and the moment your peer receives it, and any of them can read or log it.
I've used GPG (an implementation of OpenPGP) for years and use it selectively to encrypt important emails and files before saving them in the cloud. I'm not saying that cloud services such as Google Cloud and iCloud are not safe, but I think we need to have our own encryption. Google Cloud and iCloud are already secure, and if we also have our own, it's a double win.
Did you know that Facebook has offered OpenPGP-encrypted notification emails since 2015? I've used that feature ever since.
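As an added example (not the author's own workflow), the following Python script drives the `gpg` command line to do exactly what the paragraph above describes: the recipient's key pair is generated into a throwaway keyring, a constructed secrets file is encrypted to the recipient's public key as ASCII armor that can be pasted into an email, and the recipient decrypts it with the private key. It assumes GnuPG 2.1 or newer on PATH; the recipient identity `recipient@example.invalid` and the sample credentials are invented. In real use you would import the peer's public key (they export it with `gpg --export --armor`) instead of generating it locally, and protect your own key with a passphrase.

```python
"""Added example: OpenPGP round trip with GnuPG via subprocess.
Assumes gpg (GnuPG 2.1+) on PATH.  Identity and secret are constructed."""
import os
import shutil
import subprocess
import tempfile

RECIPIENT = "recipient@example.invalid"   # hypothetical recipient
SECRET_TEXT = b"username=alice\npassword=correct horse battery staple\n"  # constructed sample


def gpg(home: str, *args: str, stdin: bytes = None) -> bytes:
    """Run gpg against an isolated keyring directory and return its stdout.
    --batch/--yes suppress prompts; the empty loopback passphrase keeps the
    throwaway key unprotected so the example runs unattended."""
    cmd = ["gpg", "--batch", "--quiet", "--yes", "--homedir", home,
           "--pinentry-mode", "loopback", "--passphrase", ""] + list(args)
    return subprocess.run(cmd, input=stdin, check=True, capture_output=True).stdout


def encrypt_to_recipient(home: str, plaintext: bytes, recipient: str) -> bytes:
    """Encrypt to the recipient's public key.  --armor yields ASCII that
    survives email; only the matching private key can open it."""
    return gpg(home, "--armor", "--trust-model", "always",
               "--recipient", recipient, "--encrypt", stdin=plaintext)


def decrypt(home: str, ciphertext: bytes) -> bytes:
    """Decrypt with the private key held in this keyring."""
    return gpg(home, "--decrypt", stdin=ciphertext)


def pgp_roundtrip() -> bool:
    """Generate a recipient key, encrypt the sample secret to it, check the
    plaintext is not visible in the ciphertext, decrypt, and compare."""
    if shutil.which("gpg") is None:
        raise RuntimeError("GnuPG (gpg) is required for this example")
    workdir = tempfile.mkdtemp()
    home = os.path.join(workdir, "gnupg")
    try:
        os.mkdir(home, 0o700)   # gpg refuses keyrings that others can read
        # 1. Recipient's key pair (hypothetical identity, 1-day expiry).
        gpg(home, "--quick-generate-key",
            f"Example Recipient <{RECIPIENT}>", "default", "default", "1d")
        # 2. Sender encrypts.
        armored = encrypt_to_recipient(home, SECRET_TEXT, RECIPIENT)
        if not armored.startswith(b"-----BEGIN PGP MESSAGE-----"):
            return False
        if b"correct horse" in armored:   # ciphertext must not leak plaintext
            return False
        # 3. Recipient decrypts.
        return decrypt(home, armored) == SECRET_TEXT
    finally:
        subprocess.run(["gpgconf", "--homedir", home, "--kill", "gpg-agent"],
                       check=False, capture_output=True)
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print("OpenPGP round trip OK" if pgp_roundtrip() else "round trip FAILED")
```

The same `--encrypt --recipient` step is what you run on a file before uploading it to the cloud; the provider then stores only ciphertext, and the private key that can open it never leaves your machine.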
I think many of you have your own tips for protecting your privacy on the Internet. Please share your own secure way of building your online presence without worrying about privacy while still protecting your most valuable asset: your personal identity.
Comments are welcome!