I’ve been interested in computing and cybersecurity since I was fairly young.(1) I’ve noticed that this is a fairly uncommon interest, so I’ve listed here a few simple steps toward a more secure (and private) computing existence (these are also important considerations for mobile devices, like tablets and phones).
- Brian Krebs’s three basic rules for online safety provide an excellent starting point:
  - If you didn’t go looking for it, don’t install it.
  - If you installed it, update it.
  - If you no longer need it, remove it.
- Enabling update checking is very helpful for ensuring that all your software is up to date (just make sure you actually allow the updates to take place). This is especially important for anything you use that interacts with online resources: your operating system, word processor, PDF reader/editor, and web browser are key.
  - Creating a calendar reminder to check for and install updates every month can be helpful.
- To prevent random people from accessing your personal data, set up a sign-in passcode or biometric solution (such as a fingerprint) for your devices.
- A dedicated security suite will protect you from most additional online threats. PC Magazine maintains a list of their top choices.
  - UCL provides free subscriptions for students and staff for both F-Secure Premium and Sophos Home through the ISD software database, both of which are fairly good options for both Windows and Mac.
- Consider using disk encryption if you have that option.
- Use a unique and complex password for each account, and keep these in a password manager. This way, the only password you really need to remember is the one you set for your password manager. It can also generate complex passwords for all your online accounts and prevent you from entering a password into the wrong website. 1Password and LastPass are top choices, but a wide range of options exist, which should work on all of your devices. KeePass is a good free open-source alternative, although much less user-friendly than the others.
  - Avoid allowing the browser to save passwords (or other personal information). Browsers are popular targets for attack by malicious actors and have had a mixed record on their ability to appropriately secure private information.
  - Using insecure storage options, like a text file, Evernote page, or phone contacts list, is a bad idea.(2)
  - Don’t reuse passwords.
    - There’s a running gag on Archer involving sensitive information, from personal medical records to nuclear launch codes, being protected by the password “guest”.
- Long, complex and unique passwords don’t necessarily need to be impossible to remember. The XKCD method for generating strong passwords is quite popular, but you may need to add special characters and/or numbers to fulfill password complexity rules. For example, something like Brave+BUNNY+h0pp3r is long, complex, uses special characters, and is fairly easy to remember.(3)
  - Even if you go the XKCD route, you should use a password manager to avoid repeating or forgetting passwords.
- Security questions are an antiquated form of security.(4) One way to deal with these is to use your password manager to generate more passwords. If you ever have to deal with a customer-service representative, reciting one of these can make for a fun conversation!
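The XKCD-style passphrase point above, as an added example that is not from the original post: a small diceware-style generator that applies the post’s own Brave+BUNNY+h0pp3r decoration to satisfy complexity rules, and compares the real entropy of the words with what a naive length-times-charset strength meter would report. The word list is a constructed sample, and the decoration pattern and the 7776-word list size (the EFF long list) are assumptions used for illustration.

```python
import math
import secrets

# Constructed sample word list for the demo; a real generator should load a
# large published list such as the EFF long list (7776 words, ~12.9 bits/word).
WORDS = ["brave", "bunny", "hopper", "correct", "horse", "battery", "staple",
         "lantern", "orbit", "velvet", "quartz", "meadow", "cactus", "pillow"]
EFF_LONG_LIST_SIZE = 7776  # assumed list size for the entropy comparison

# Fixed substitution table used only to satisfy "must contain a digit" rules.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})


def generate_passphrase(words, n_words=4, sep="+"):
    """Pick words uniformly with the secrets module (never random.choice)."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def decorate(passphrase, sep="+"):
    """Apply the post's Brave+BUNNY+h0pp3r pattern: capitalise the first word,
    upper-case the second, leet-substitute the rest.  The transform is fixed
    and reversible, so it buys complexity-rule compliance, not entropy."""
    parts = passphrase.split(sep)
    return sep.join(w.capitalize() if i == 0 else w.upper() if i == 1
                    else w.translate(LEET) for i, w in enumerate(parts))


def meets_complexity_rules(pw, min_len=12):
    """Typical corporate rule: minimum length plus lower, upper, digit, symbol."""
    return (len(pw) >= min_len and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw) and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))


def passphrase_bits(n_words, list_size):
    """Real entropy: n words chosen uniformly from a list of list_size."""
    return n_words * math.log2(list_size)


def naive_character_bits(pw):
    """What a length-times-charset meter reports; it overstates the strength of
    a decorated passphrase because it ignores the underlying word structure."""
    pool = 26 * any(c.islower() for c in pw) + 26 * any(c.isupper() for c in pw)
    pool += 10 * any(c.isdigit() for c in pw) + 33 * any(not c.isalnum() for c in pw)
    return len(pw) * math.log2(pool)


if __name__ == "__main__":
    phrase = decorate(generate_passphrase(WORDS, 4))
    print(phrase, "passes rules:", meets_complexity_rules(phrase))
    print(f"words give {passphrase_bits(4, EFF_LONG_LIST_SIZE):.1f} bits; "
          f"a naive meter claims {naive_character_bits(phrase):.1f}")
```

The gap between the two numbers is the practical caveat: strength comes from adding words (about 12.9 bits each from a 7776-word list), not from the capitalisation and digit substitutions a complexity rule forces on you.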
Backing Up Your Data
Back up your data. Performing regular data back-ups is as important as performing regular checks for software updates. The simplest option is to use a cloud-based storage provider. UCL’s Office 365 subscription includes the use of OneDrive. Dropbox is another very popular solution, although free accounts are virtually useless. Box provides a similar service, and you can usually get 50GB with a free account.
If you have privacy or security concerns relating to the data you are backing up, you’ll need to encrypt it before sending it to your cloud provider so that it remains encrypted on the server. Boxcryptor provides a fairly straightforward approach to this.(5) Alternatively, Backblaze, SpiderOak, and Sync provide good no-knowledge cloud storage solutions (that is, the data remain encrypted on the server); the caveat is that you’ll need to ensure that your login credentials are securely stored, because if you lose them, you’ll lose your data.(6)
(1) This is partly due to where I grew up, as well as the fact that a number of people frequently mistake an early Gmail address of mine for their own. I’ve been sent a ton of sensitive information (both personal and business) as the (un)intended recipient.
(2) The first two examples have enabled publicly disclosed breaches. The third is simply a poor practice, because many mobile apps access contact data, so you have no control over who sees your passwords.
(3) Unfortunately, this specific example is no longer secure, as it’s been published online. However, you can use it as a template to form your own long, complex, secure passphrase.
(4) If you answer security questions truthfully, the information is probably available through public searches, Facebook, and/or social engineering.
(5) Other options for more technically savvy users include VeraCrypt or a password-protected archive, but these require far more work.
(6) ProtonMail is currently developing ProtonDrive, so it may soon be another entrant into this space.
Version: April 2020