By Sam Switzer | May 5, 2018
This week is Choose Privacy Week. After a turbulent year of data breaches and hacks, fallout from breaches like the GOP, Equifax, Yahoo, Uber, Facebook, etc. may be on your mind. How do you know if you were affected? How can you protect yourself? How can you prevent exposing your data in the future?
- Assume you were affected
In the past year the breaches were so bad that Equifax alone affected over half of the population of the United States. It’s best to assume your data was breached if you haven’t already taken action this year.
Another action you can take is to check haveibeenpwned.com, a website that collects data about email accounts exposed in hacks where the data was released to the public, to see if your passwords are out in the wild. This, however, will not tell you if you were affected by hacks where the data is still on the black market.
- Change your passwords
Let’s be honest. You probably have dozens of online accounts. Do you have dozens of passwords? Probably not. Now is the time to really have a different password for every single one of your accounts. To accomplish this, there are two good options. You could use a password manager that randomizes your passwords into unguessable nonsense and let the program plug in your password for you. You won’t even know what your passwords are. However, this is not a perfect solution. It requires having an app or USB drive with your passwords everywhere you go, and cloud-based password managers have been hacked before.
Another option, less secure than a password manager but still more secure than what you have now, is to create a password that is the same everywhere but includes several “cyphers” that change depending on the site you visit.
First, make a randomized password that you can remember using a method like Bruce Schneier explains here:
So if you want your password to be hard to guess, you should choose something that this process will miss. My advice is to take a sentence and turn it into a password. Something like “This little piggy went to market” might become “tlpWENT2m”. That nine-character password won’t be in anyone’s dictionary. Of course, don’t use this one, because I’ve written about it. Choose your own sentence — something personal.
Now you need to make it unique to each site, so that even if one site’s data is breached, an attacker’s bot will be unable to use your password anywhere else, and you will still remember it.
In the above example, instead of ending with “m” for “market,” let’s end it with the first three letters of the site the password is for. So for Google, the password would be “tlpWENT2goo” and for Facebook “tlpWENT2fac”. You now have a password that is impossible to guess, and that can’t be used elsewhere if your data is exposed.
Now, in the event of a data breach, I’d still recommend changing all your passwords that use this root password, but you no longer need to panic and change them all at once; just change each one as you access it.
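As an added example (not from the post), the code below implements the site-suffix scheme above with the post’s own sample root, and beside it an HMAC-based derivation, a technique the post does not mention, together with a check for whether a password leaked from one site reveals the shared root in the clear.

```python
import base64
import hashlib
import hmac

# Constructed sample value: the root from the post's "This little piggy" example.
ROOT = "tlpWENT2"


def suffix_password(root: str, site: str) -> str:
    """The post's scheme: the memorised root followed by the first three
    letters of the site name, lower-cased so 'Google' and 'google' agree."""
    return root + site.lower()[:3]


def hmac_password(root: str, site: str, length: int = 12) -> str:
    """Added alternative (not from the post): derive the per-site part with
    HMAC-SHA256 keyed by the root, so the output shows neither the root nor
    the site name, then keep `length` characters of the base64-encoded tag."""
    tag = hmac.new(root.encode(), site.lower().encode(), hashlib.sha256).digest()
    return base64.b64encode(tag).decode()[:length]


def exposes_root(password: str, root: str) -> bool:
    """Check a practitioner would run on either scheme: does a password that
    leaks in one site's breach contain the shared root verbatim?"""
    return root in password


if __name__ == "__main__":
    for site in ("Google", "Facebook"):
        p = suffix_password(ROOT, site)
        h = hmac_password(ROOT, site)
        print(site, p, exposes_root(p, ROOT), h, exposes_root(h, ROOT))
```

The suffix scheme yields exactly the post’s “tlpWENT2goo” and “tlpWENT2fac” and fails the root-exposure check; the HMAC variant is still deterministic and memorisation-free but passes it.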
- Enable two-factor authentication
Do you have a smartphone in your pocket? There is something you can do right now on most of your high-profile accounts (Google, Facebook, Steam, most bank accounts) to make yourself more secure. Two-factor authentication requires not only a password but your physical phone or tablet to be with you. If you sign into a place you haven’t before, it will ask your device through a corresponding app if you just logged in, or it will send you a code via text that you must then punch into the website to finish the login.
It is a bit of an inconvenience every day. But it is a huge inconvenience to those trying to gain illicit access to your accounts.
- Prevent your accounts from using your SSN and birthday as alternate authentication
A big issue I have seen in the wake of these breaches is that companies like your cable company, some banks, your utilities, etc. don’t seem to care. Even though over half of the nation’s Social Security numbers could be out on the black market, many will use that number by default as a backup to change your password or gain access to your account.
So they can pay my power bill, who cares? Well… they can do a lot more than that. Say you have a neighbor who lacks morals and isn’t your biggest fan. They’ve decided to really stick it to you, right before the biggest freeze of the year. They call and use your SSN to shut off your gas and change all your security questions, including the use of an SSN to authenticate you as the account holder. When you wake up freezing, pipes bursting in your basement, desperately trying to get the heat turned back on with an account you now have zero access to, it quits being a joke. Most companies have the option to use a passphrase or PIN instead of your social, even if the representatives aren’t aware of this. If any representative says that it has to be your SSN, ask for a supervisor, as I’ve never heard of a situation where the number is a required password on your account.