Account Security basics

The most important part of security is you, the user: not a firewall or antivirus software, but you. Computers can only do what they are programmed to do and can be awful at sensing things that are out of place without being technically a problem, whereas you have a much keener sense of what is wrong. The purpose of this guide is to better educate you on what to look for and how you can best protect your accounts and identity.

  • Make sure you have a password on your computer/phone. Its purpose is not to lock out your family but to keep out nefarious users who may be trying to get in, either physically or remotely.
  • Don’t save passwords, if possible, in anything other than a proper password manager. This includes not using password-protected spreadsheets, browsers, or similar. I know how hard it is to remember all these passwords, but the repetition of typing them in helps the brain remember them better. Not saving passwords is especially important for banking, your email, and anything that gives someone access to financial or sensitive information or to your main password recovery and authentication methods such as phone, SMS, or email.
  • Use different passwords for every account. Hackers commonly get lists of previously compromised usernames and passwords from one site and try them on other sites in the hope that the victim used the same username and password everywhere else. This is called credential stuffing.
  • It’s more important to have a long password than a short complex one. Phrases from books or movies are a great start; just mix in some special characters and numbers to meet complexity requirements. You can read up on good password habits here.
  • Use a password manager such as LastPass, KeePass, Bitwarden or similar. This will make having a separate password for each account significantly easier.
  • Check out haveibeenpwned.com to see which of your accounts have been compromised. This won’t be all of them, but it covers most of the publicly known breaches. You can also check whether a password has appeared in a breach on this site. I highly suggest signing up for their notifications.
  • Use multi-factor authentication (2FA/MFA) whenever possible. Always opt for non-SMS methods if you have a choice, so you can avoid being SIM hijacked/swapped or having the message read in transit, since SMS sends everything in plain text. If you have no choice but SMS, it is still a better option than no 2FA at all.
  • Don’t have your passwords publicly viewable or accessible. Don’t put them on sticky notes attached to monitors or anything like that. This happened at a news station: a sticky note on a monitor in the newsroom, with a password clearly visible, was shown on live TV. You never know when an image of something will be captured.
  • Email attachments are one of the most common ways ransomware gets installed. Make sure you know the person sending you an attachment and that you are expecting it. A good antivirus will also help here.
  • Be careful when connecting devices to public wireless networks. By connecting to a network you are giving access to the data that your computer sends and receives over that network, as well as to any shares you have open on your computer. Anyone can broadcast a network for you to connect to, so verify that the wireless network is the official one by asking personnel working there or checking posted signage before connecting. Use a VPN when connected to public networks.
  • Keep your devices up to date. If the device is internet-connected, it’s your responsibility to keep it updated, both for your own security and to help the general health of the internet. This isn’t just your phone and laptop but all those doorbells, lightbulbs, thermostats, and refrigerators that are internet-connected. I personally purchase as few “smart” devices as possible because vendors are terrible at securing and updating them, especially after the first year of ownership when the product is no longer sold in stores.
  • A common but extremely important device that gets forgotten about is your home router. If you purchased and installed your own, it still needs security updates. Typically vendors like Linksys and Netgear only keep security updates coming as long as the product is still being sold, which is a year or two; after that they can stop releasing patches for your device. This is why I suggest using the modem the cable/DSL company provides, as they are responsible for updating it and replacing it when they no longer want to support it.
  • Don’t open ports on your router to the internet unless it’s needed and secured. This applies especially to RDP (Remote Desktop Protocol), which has had a lot of security problems recently.
  • Almost all free and most paid VPN software gathers your data and sells it. Such a VPN can sometimes leak more data than not using a VPN at all. Make sure you read the VPN provider’s policies before using it. ProtonVPN has a decent data policy.
  • Always read the message boxes that pop up on your computer; don’t just click Yes to get rid of them. We have become desensitized to these over the years and need to retrain ourselves to pay more attention to them.
  • Don’t plug random devices into your computer. That random USB stick you found could contain malicious code intended to infiltrate someone’s system. It could have been purposely dropped in the parking lot or in a common area for people to find and bring back to their computers. This is how the Stuxnet worm was designed to disable some Iranian nuclear centrifuges back in 2010.
  • The most common form of “hacking” may not be what you’d expect: it’s called social engineering. Social engineering is defined as “The use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.” This could be someone claiming to be a person who needs privileged information, such as a firefighter or contractor in person, or someone over email/phone pretending to be another employee or a government entity. What they are after could be as simple as your mother’s maiden name or your first pet or car, which are common security questions used for account verification, or they could use the information to guess your password. So be careful what information you divulge; it may seem innocuous but could be valuable or compromising in the right hands.
  • The predefined password recovery questions on websites such as banks are, most of the time, far too easy to find out. Your mother’s maiden name is easily looked up on the internet, and people are constantly posting about their pets and such. It’s best to use purposely wrong answers for these so they can’t be socially engineered. A password manager will help with keeping track of them.
  • Don’t fill out those “about you” lists on Facebook and other social media. Although it’s fun to learn about each other, they give out too much personal information that can be used for social engineering. Be mindful of anything you post online that could be personally identifiable information.
  • Go through the security settings on your phone/computer/social media and other websites. You will be surprised what they have access to, especially apps on your phone. Allowing Snapchat/Facebook/Google access to your contacts seems like a nice easy way to find your friends on these platforms, but you have just given them all your contacts to add to their databases, even if the contact in question doesn’t want that. Your friends may not be pleased with you sharing their information.
  • Companies combine data from different sources to build a better picture of you. Say company A has your phone number, birth date, and name, and company B has your shipping address, name, and the things you like to purchase. If these two companies sell each other your data, each now has a much clearer picture of you.
  • Your cell phone number and email address are replacing your SSN as a unique identifier for you. If you lose access to your number (hacked/SIM swapped) or your email, the new owner can gain control of your accounts by performing password resets on anything attached to them.
  • Get a Google Voice number to give out to websites and people you are not sure of. This Google Voice number can then be directed to your phone or email for calls and SMS messages. It’s free with basic options. If you start getting spam or other unwanted communications on it, ditch the number and get another. This protects your real phone number.
  • Setting up a separate email account for very important things like banking and other financial matters can be a good idea. That way, if your main email account gets compromised, the attacker does not get financial control over you. If you own your own domain name you can set up as many email addresses as you want.
  • It can be impossible not to share info with some corporations. Google has a lot of my personal info, and if I were to stop using them now it wouldn’t make much of a difference. So if I do have to share information in return for a service, I try to share it with companies that already have my information instead of new sources.
  • Just because you “left” Facebook and “deleted” your account doesn’t mean your data is gone from their servers. It’s still there, being related to other data given to them from other sources. It’s just not publicly available anymore, but it is still used and correlated against. This isn’t just true for Facebook but for pretty much all social media, and now, it seems, any corporation.
  • Google search your name, phone number, and email occasionally. See what comes up and delete, or request the takedown of, information you don’t want publicly available on the internet. You can never delete everything about yourself from the internet, but doing some minor curating, locking down social media, and not giving out your information freely can go a long way.
  • Freeze your credit with the major credit bureaus. This makes it so no one (including yourself) can open new lines of credit. If you want to apply for a loan or open a new card, simply unfreeze your account and then refreeze it after the application process has been completed. There is a difference between a credit freeze and a credit lock. In the US the credit bureaus are required to provide a freeze to you at no cost. A credit lock is the same thing with other add-ons, depending on the credit bureau, that they charge you for.
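The password check on haveibeenpwned.com mentioned above works without ever sending your password: the Pwned Passwords range API takes only the first five hex characters of the password’s SHA-1 and returns every known suffix for that prefix, so the match happens on your own machine. The example below is added here to show that k-anonymity check end to end; it is not code from the site, and the range response it uses is a constructed, trimmed stand-in for what the real endpoint (https://api.pwnedpasswords.com/range/<prefix>) would return, so it runs offline.

```python
import hashlib

# Constructed stand-in for the range endpoint's reply for prefix "5BAA6".
# Each line is "<35-hex-char SHA-1 suffix>:<number of breaches seen in>".
# The real reply for this prefix has hundreds of lines; the counts here are
# made up for the example and are not live data.
SAMPLE_RANGES = {
    "5BAA6": (
        "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
        "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:2\r\n"
    ),
}


def split_sha1(password: str) -> tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the uppercase hex SHA-1.

    Only the prefix is ever sent to the service; the suffix stays local.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict, skipping blank/malformed lines."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        if len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def offline_fetch(prefix: str) -> str:
    """Stand-in for an HTTP GET of the range endpoint (constructed data only)."""
    return SAMPLE_RANGES.get(prefix, "")


def breach_count(password: str, fetch=offline_fetch) -> int:
    """How many times the password appears in breach data (0 = not seen)."""
    prefix, suffix = split_sha1(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        prefix, _ = split_sha1(pw)
        print(f"{pw!r}: sent prefix {prefix}, seen {breach_count(pw)} times")
```

Swapping offline_fetch for a real HTTP GET of the range URL gives a working client; the prefix is the only thing that leaves your machine either way.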

If this all scares you, it should. You have to protect yourself, as corporations are clearly not doing a good enough job on their own. I personally was affected by the Equifax breach as well as other breaches and had my identity stolen. Because of this, I was forced to learn a lot of what you just read quickly to protect my identity. My social security number and identifying info are forever on the web now and I cannot fix that. I have to keep my credit frozen at all times so lines of credit can’t be opened in my name.

Now cell phone numbers and email addresses are turning into unique identifiers and need to be protected and secured like your SSN. Thankfully you have much more control over securing and changing emails and cell phone numbers, unlike your SSN. But you need to start now, before it gets too gnarly. Take baby steps: start with a password manager and work from there. It’s a bit of extra work at first but becomes easier as everything falls into place.