More and more of our lives are moving online with everything from communication, social interactions, banking and investing, entertainment, and even online businesses. This, of course, leaves us vulnerable to potential exploits by bad actors, which is why it is super important to take some simple steps to better protect yourself online.
It seems like stories of major hacking or ransomware attacks are becoming more prevalent each year. While most of us are not likely to be targeted by something like that, you can still leave yourself vulnerable to low-level attacks that blindly target large groups of people through mass mailing or phishing.
Recently, I received an email with one of my (oldest) passwords right in the subject line, saying they had access to my account and to send Bitcoin to such and such address. It was alarming for a second… Like, how did they get my password? But I quickly realized it was an obvious mass mailing with no connection to me beyond the password, which had come from a data breach on some website. The spam email did jolt me into action, though, in terms of making a more concerted effort to keep my online accounts and data safe.
I think there are a few simple things that everyone can and should be doing when it comes to protecting themselves online, and this is especially true if you are a digital nomad, remote worker, or run an online business.
So let’s jump into a few simple ways to dramatically ramp up your personal security online so that you aren’t an easy target.
Use a Password Manager
We’ve all heard a million times about how we should not be reusing passwords across different sites and platforms, but that is exactly what most of us do. Not only that, but we often don’t change those passwords for years on end.
Using an online password manager like LastPass allows you to create one master password that protects the passwords of all the websites you use, stored in an encrypted database. This means that you don’t have to exert a lot of brain power trying to remember complex passwords across dozens (or hundreds) of websites, or resort to using weak, easy-to-remember passwords across multiple sites.
I’ve been using LastPass for a number of years now, but despite that, I still had the bad habit of using the same variation(s) of a few basic passwords whenever I signed up on new sites, or simply didn’t bother updating old sites that still had those weak or repeated passwords. The spam email I got demanding Bitcoin included one of my oldest password variations from who knows which website (since I had repeated the same weak password many times over the years on many different websites). Very bad practice!
With LastPass you should be using the password generator to create long and complex passwords that are very hard to crack and which you can save into the database so there is no need to even try to remember them.
Check out the website How Strong is My Password to see how long a computer might take to crack a password similar to yours. The old leaked password I was using said it would take about 42 minutes for a computer to crack! Compare that to a random 18-digit password generated by LastPass which says it would take 7 quadrillion years.
I highly recommend signing up for LastPass so you can better manage your online security via an encrypted password database. It also has other cool uses like being able to share passwords with friends or family without actually revealing the password or being able to set an emergency contact. For your master password, be sure to consider something like a long passphrase rather than a short and simple password. Consider using a website like Diceware which can help you generate a random five word passphrase, for example:
hexagon easily province railway overbook
This passphrase (without spaces) is estimated to take 600 nonillion years to crack. You could then customize it with a few numbers, symbols, and caps (like every third letter or something) to create a passphrase that is virtually impossible to crack, like:
This password is estimated to take 80 vigintillion years… Whatever that means! That number is way beyond my comprehension, haha.
I’d recommend using Diceware to help brainstorm a few random words that you can combine into a vivid and memorable image and then customize it like above. Beyond having a strong master password, there is an even better way to lock down your password manager and keep your info safe, which we will get into next.
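To put numbers on the Diceware approach described above, here is an added example (not code from the article or from the Diceware project) that rolls dice with a cryptographically secure generator, picks words from a small constructed stand-in word list, and compares the entropy of a five-word passphrase against random character passwords. The real Diceware list has 7776 words, which is the figure the entropy math uses; the guess rate of 10^10 per second is an assumed offline cracking speed, not a value from the page.

```python
import math
import secrets

DICEWARE_LIST_SIZE = 6 ** 5  # the real Diceware list has 7776 words, one per 5-dice roll

# Constructed stand-in for the real list (the entropy math uses the real size above).
CONSTRUCTED_WORDS = ["hexagon", "easily", "province", "railway", "overbook",
                     "abacus", "lantern", "cobalt", "meadow", "tundra"]


def roll_dice_key(rolls=5):
    """Five CSPRNG dice rolls -> a Diceware lookup key such as '31426'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(rolls))


def generate_passphrase(wordlist, words=5):
    """Pick `words` words uniformly with secrets.choice (never random.choice)."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(choices, symbols):
    """Entropy of `choices` independent uniform picks from `symbols` alternatives."""
    return choices * math.log2(symbols)


def years_to_exhaust(bits, guesses_per_second=1e10):
    """Years to search the whole space at an assumed offline guess rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def compare():
    """Five Diceware words versus random passwords over the 94 printable ASCII symbols."""
    return {
        "diceware_5_words": entropy_bits(5, DICEWARE_LIST_SIZE),
        "random_8_chars": entropy_bits(8, 94),
        "random_18_chars": entropy_bits(18, 94),
    }


if __name__ == "__main__":
    print("sample passphrase:", generate_passphrase(CONSTRUCTED_WORDS))
    for name, bits in compare().items():
        print(f"{name}: {bits:.1f} bits, {years_to_exhaust(bits):.3g} years to exhaust")
```

The five-word passphrase lands near 65 bits, comfortably above an 8-character random password, while the 18-character LastPass-style password is stronger still; adding symbols and caps as the article suggests only increases the search space.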
Use a Security Key
Two-Factor Authentication (or 2FA) is probably familiar to most of you. This second confirmation usually comes in the form of a six-digit code texted by SMS to your cellphone that you must enter before gaining access to an account. You often see this form of authentication as a minimum standard for banks or other more sensitive sites.
At first glance, you may think this is a really secure way to protect yourself because someone must both have your password and physical access to your cellphone. While SMS 2FA is better than nothing, it is still shockingly insecure.
There have been a growing number of cases known as SIM swapping or SIM hijacking, where a dedicated hacker who may already have partial access to your account (probably through a phishing email) uses social engineering to call your cellphone provider pretending to be you and have the customer service representative switch your phone number to a new SIM card in their possession. This means the 2FA SMS code goes straight to them and they can access your accounts.
Or worse, they could SIM swap you in order to “recover” your Gmail password and then go to town accessing sites linked to that account, all of which can happen surprisingly quickly, perhaps before you even notice you’re without phone service.
Hackers are obviously most likely to do this for things directly related to money (banks, investments, PayPal, crypto, etc.). The first step is to avoid phishing and be wary of suspicious links sent to your email or SMS related to financial matters, but the second is to definitely change your 2FA method!
Using an app like Google Authenticator is MUCH more secure than SMS text messages because it is uniquely linked to your device, which displays a changing six-digit code in the app. This is not easily hacked like the aforementioned SIM swapping (and is better than Authy, which links to your phone number, leaving the same vulnerability). Using Google Voice (like my digital nomad phone) for SMS 2FA is also surprisingly a step up compared to normal cellphone providers, but it is still far from ideal. You would be best to secure your most sensitive accounts by purchasing a security key.
A security key like the YubiKey from Yubico is a small and simple physical device that connects by USB to your computer and must be physically present and touched in order to complete the 2FA step for the account. In this way, it is kind of like the keys to your car or house. This means that even a hacker with remote access to your computer cannot log in to sensitive accounts without being able to physically touch the device.
This level of security isn’t necessary for every single one of your online accounts, but it should be a top priority for your most sensitive items, particularly something like your Gmail account and the LastPass application. Remember, if a hacker gets access to your Gmail account, they can quickly and easily do a password reset request for any and all sites that they want access to. With access to Google and some basic personal info, they could check your cellphone provider online and sim swap you to get into accounts that require SMS 2FA.
YubiKeys are really cool since all it requires is a touch after you enter your password. Best practice is to buy more than one YubiKey though (just like you would with your house or car) so you don’t end up getting locked out of your account. At $45-60 per key, they aren’t exactly cheap, but they are definitely worth it for the peace of mind. You could keep one inserted into your computer or laptop and keep another on your keychain. Or just keep one on your keychain and another in a safe place.
If you lose the YubiKey, it doesn’t mean that whoever finds it could access your account (they would have no idea who it belongs to and would still need the password in any case), and since you have a backup key, you can just log in to your accounts and unlink the lost YubiKey from Gmail and LastPass.
You can also download the Yubico Authenticator app which functions just like Google Authenticator or Authy with the randomly changing six digit codes but also only functions by physically touching the connected YubiKey to display the code.
Use a VPN
There are a variety of reasons to use a VPN, especially among travelers, which is something I’ve already covered on this blog previously. But a quality VPN service is also something you should have available at all times so you can encrypt the data you are transmitting over WiFi. Bad apples on the same unsecured WiFi network can easily steal information like passwords or other sensitive data that you are transmitting.
This is especially important for those of us that often find ourselves using strange and not necessarily trustworthy public WiFi like those in coffee shops, hotels, hostels, airports, coworking places, and so on. But I’d still argue that it is good practice and worthwhile to use a VPN pretty much all the time.
I use NordVPN because it is a very affordable but reliable VPN service that does everything I need it to, namely, make my connection appear to come from the USA (important for some websites that require a US IP address to access) and encrypt my data on untrustworthy networks.
Adding a VPN is a pretty simple set-it-and-forget-it type of thing that can greatly improve your online security and help you better protect yourself online. NordVPN is just a few dollars per month, so there really isn’t any reason not to get a VPN if you somewhat regularly use public WiFi networks with your phone and/or laptop (the VPN does work across devices).
Protect Yourself Online
So there you have it, a few simple ways to dramatically improve your online security and drastically reduce your probabilities of getting hacked or compromised.
- Download LastPass – using a password manager ensures that if one password is compromised, hackers won’t be able to access other important or sensitive sites.
- Buy a YubiKey – locking down your password manager and your Gmail with a physical security key will ensure that your most sensitive data is protected even if your password is compromised.
- Download NordVPN – using a VPN in general is best practice, but becomes even more important when using public wifi networks.
Purchasing a YubiKey will set you back about $50, LastPass can be used for free or you can add the premium membership which I have for about $35 per year, and a NordVPN subscription is $100 for two years, or about $4 per month.
Nobody likes extra expenses, of course, but these services all buy a big peace of mind, particularly when you realize just how much sensitive data we all have out there online, including many things with direct financial implications.