As we carry out more and more of our lives remotely, it becomes increasingly important that we keep ourselves and our information safe online.
The online world is evolving fast. What was good advice just a couple of years ago does not necessarily apply quite the same today.
In this post we will describe seven things you can do to keep yourself safe online. All these steps are relatively easy to take and are worth the time and effort. But we will also look at other options beyond these seven, and explain why we think these are less useful in most situations.
Seven steps to staying safe online:
- Use an effective password strategy
- Switch on two-factor authentication
- Keep software updated
- Use encrypted email for important emails
- Use private browsing when you need to
- Avoid phishing, smishing and vishing attacks
- Watch out for confidence tricksters
1. Use an effective password strategy
Using passwords properly is one of the most important things you can do to stay safe online. Luckily, it’s not as hard as you might think. If you follow a few simple rules, you do not really need crazy strong passwords that are incredibly hard to remember.
The logic behind super-complicated passwords is that they are resistant to ‘brute force’ attacks in which criminals try billions of passwords a second until they get access to the account. But in practice, brute force attacks are not much of a problem online. Nowadays, most online log-in forms only allow you a certain number of attempts (typically three) before locking your account. So, unless your password is particularly weak for some reason, a hacker needs to get extremely lucky to access your account via a brute force attack. Note that this is still true regardless of whether the allowed number of attempts is one, three or ten.
But whilst brute force is not so much of a problem, there remain two other types of attack you should be concerned about: ‘password spraying’ and ‘credential stuffing’.
In a password spraying attack, hackers try the same password across a massive number of different user accounts. Since account usernames are typically email addresses, the hacker might try guessing email addresses, for example email@example.com or firstname.lastname@example.org, or they might obtain a list of email addresses from elsewhere – typically from a previous hacking attack. The hacker then picks a website and uses specialist software to try to access user accounts on that site, going through each email address in turn and trying popular passwords such as ‘123456’, ‘password’ or the name of the website. The theory is that if the hacker tries enough usernames, sooner or later they are bound to gain access to some accounts.
The second type of attack to be wary of is ‘credential stuffing’. This is where a hacker gets hold of stolen account credentials (typically usernames, email addresses and passwords) and uses these credentials to try to access user accounts on other websites. The logic behind this attack is that people tend to reuse passwords across different websites.
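Both attacks are invisible to the per-account lockout described above, because no single account ever sees more than one or two attempts. What does show them up is the site-wide shape of the failed logins. The following is an added example (not StayPrivate's code, and not taken from the original post) that runs two simple detectors over a constructed login log: password spraying looks like one source failing against many different accounts, while credential stuffing looks like many accounts each failing once or twice from many different sources. The log format, addresses, account names and thresholds are all assumptions made for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of a website's login log (made-up addresses and accounts):
# a 'spray' of one guess against many accounts from one address at 10:00,
# a 'stuffing' run of leaked pairs from many addresses at 10:30, and a genuine
# user mistyping twice at 11:00.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.5 user=alice@example.com result=FAIL
2024-05-01T10:00:02Z ip=203.0.113.5 user=bob@example.com result=FAIL
2024-05-01T10:00:03Z ip=203.0.113.5 user=carol@example.com result=FAIL
2024-05-01T10:00:04Z ip=203.0.113.5 user=dave@example.com result=FAIL
2024-05-01T10:00:05Z ip=203.0.113.5 user=erin@example.com result=FAIL
2024-05-01T10:00:06Z ip=203.0.113.5 user=frank@example.com result=SUCCESS
2024-05-01T10:30:00Z ip=198.51.100.20 user=alice@example.com result=FAIL
2024-05-01T10:30:01Z ip=198.51.100.21 user=gina@example.com result=FAIL
2024-05-01T10:30:02Z ip=198.51.100.22 user=hank@example.com result=FAIL
2024-05-01T10:30:03Z ip=198.51.100.23 user=ivy@example.com result=FAIL
2024-05-01T10:30:04Z ip=198.51.100.24 user=jack@example.com result=FAIL
2024-05-01T10:30:05Z ip=198.51.100.25 user=kim@example.com result=SUCCESS
2024-05-01T11:00:00Z ip=192.0.2.9 user=alice@example.com result=FAIL
2024-05-01T11:00:30Z ip=192.0.2.9 user=alice@example.com result=FAIL
2024-05-01T11:01:00Z ip=192.0.2.9 user=alice@example.com result=SUCCESS
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")


def parse_log(text):
    """Turn the log text into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "ip": m["ip"],
            "user": m["user"],
            "ok": m["result"] == "SUCCESS",
        })
    return events


def _trailing_windows(events, window):
    """Yield, for each event in time order, the events in the trailing window ending there."""
    events = sorted(events, key=lambda e: e["ts"])
    start = 0
    for end in range(len(events)):
        while events[end]["ts"] - events[start]["ts"] > window:
            start += 1
        yield events[start:end + 1]


def detect_spraying(events, window=timedelta(minutes=10), min_users=5):
    """Password spraying: one source failing against many *different* accounts.
    Per-account lockout never fires because each account sees only one attempt,
    so the view has to be per source. Returns {ip: distinct accounts failed}."""
    fails_by_ip = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails_by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, fails in fails_by_ip.items():
        for win in _trailing_windows(fails, window):
            users = {e["user"] for e in win}
            if len(users) >= min_users:
                flagged[ip] = max(flagged.get(ip, 0), len(users))
    return flagged


def detect_stuffing(events, window=timedelta(minutes=10), min_users=5,
                    min_ips=5, max_tries_per_user=2):
    """Credential stuffing: many accounts, each tried once or twice with a leaked
    password, spread over many sources. Neither per-account nor per-source
    counters see it; only the site-wide failure pattern does.
    Returns a list of (window_start, distinct_users, distinct_ips) that tripped."""
    fails = [e for e in events if not e["ok"]]
    hits = []
    for win in _trailing_windows(fails, window):
        per_user = Counter(e["user"] for e in win)
        ips = {e["ip"] for e in win}
        if (len(per_user) >= min_users and len(ips) >= min_ips
                and max(per_user.values()) <= max_tries_per_user):
            hits.append((win[0]["ts"], len(per_user), len(ips)))
    return hits


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("spraying sources:", detect_spraying(evts))
    print("stuffing windows:", detect_stuffing(evts))
```

On the sample, only the 10:00 burst trips the spraying detector and only the 10:30 burst trips the stuffing detector; the user who mistypes twice at 11:00 trips neither, which is the behaviour you want from a detector that is not going to lock out legitimate users.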
You can check if your email address has been exposed in a hack at https://haveibeenpwned.com/. And at https://haveibeenpwned.com/Passwords you can check whether any of your passwords has been leaked too. Of course, these are not exhaustive lists, but if your password is there at least you know to change it. And if your password is not on the list, that’s encouraging but it’s certainly no guarantee.
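The Pwned Passwords check works without the password ever leaving your device: the client hashes the password with SHA-1, sends only the first five hex characters of the hash to the range endpoint, and matches the remaining 35 characters locally against the list of suffixes that comes back. The following is an added example of that k-anonymity lookup, not code from the original post or from Have I Been Pwned. The range response embedded below is constructed (the middle line is the real SHA-1 suffix of ‘password’, but the count and the other two lines are made up), and the live lookup in check_online is included only for use with a network connection.

```python
import hashlib
import urllib.request

# Constructed stand-in for what the Pwned Passwords range endpoint returns for the
# prefix 5BAA6 (the live response lists hundreds of suffixes; these three lines and
# their counts are made up, except that the middle suffix is really SHA-1('password')).
SAMPLE_RANGE_RESPONSE = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1
"""


def hash_prefix_suffix(password):
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix that is
    sent to the service and the 35-char suffix that stays on the device."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_url(password):
    prefix, _ = hash_prefix_suffix(password)
    return f"https://api.pwnedpasswords.com/range/{prefix}"


def breach_count(password, range_response):
    """Match the local suffix against the returned 'SUFFIX:COUNT' lines.
    Returns how many times the password appeared in known breaches, 0 if never."""
    _, suffix = hash_prefix_suffix(password)
    for line in range_response.splitlines():
        if ":" not in line:
            continue
        candidate, count = line.strip().split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def check_online(password, timeout=10):
    """Same check against the live service (needs network). Only the 5-char prefix
    leaves the machine; the full hash, let alone the password, is never sent."""
    req = urllib.request.Request(range_url(password),
                                 headers={"Add-Padding": "true"})  # asks for dummy rows so response size leaks less
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return breach_count(password, resp.read().decode("utf-8"))


if __name__ == "__main__":
    for pw in ("password", "ghost3light2sea"):
        print(pw, "->", breach_count(pw, SAMPLE_RANGE_RESPONSE), "hits in the sample range")
```

A count of zero means only that the password is not in the breach corpus, which, as the post says, is encouraging but no guarantee.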
How strong does my password need to be?
Clearly your password should not be something obvious like ‘password’ or ‘123456’. But you need to go further than that. A password should ideally consist of a combination of words and numbers. You can go the whole way and use a very complicated password, such as ‘f%H2£5,sO43>q!9-P;s’, but you will need to store it in a password manager. Ideally you would use a strong password that you can remember. One way of doing this is by using three random words and throwing in a couple of numbers, for example: ghost3light2sea.
Over the last couple of years, many websites have started insisting that your password contain a combination of special characters, numbers, uppercase letters and lowercase letters. The idea behind this is to encourage people to come up with passwords which are less likely to be guessed in a password spraying attack. But this approach has a serious drawback: it unintentionally encourages people to reuse passwords, increasing the likelihood of them falling victim to a credential stuffing attack.
It is also questionable whether there is any value in the extra complexity introduced by insisting on a combination of symbols, numbers, upper-case, and lower-case letters. The logic below explains why it may well be simpler to demand longer, rather than more complicated, passwords.
There are 52 upper and lower-case letters, 10 digits and roughly 16 symbols or special characters which you can realistically use (there are more symbols available on full-size keyboards, but you would want to choose symbols that are easy to access on any device). This gives a total of 78 characters, which means that for an 8-character password there are 78^8 or approximately 1.37 quadrillion (that is a 1 with 15 zeros after it) possible combinations.
If instead we use just the 26 lower-case letters to create an 11-character password, there are now 26^11 or approximately 3.67 quadrillion possible combinations, which is a bit more than for the 8-character, more complicated password. The question is whether it is easier to remember 11 lower-case letters or 8 characters of any form. Most people would choose the former.
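The comparison above generalises to any policy: fix the size of the character set and the length, and the search space is one number. The following is an added example (not from the original post) that carries the post's two cases through and also answers the reverse question, how long a password over a smaller alphabet must be to match a given policy; the 78-symbol and 26-letter alphabets are the post's figures, and the function works for any other pair.

```python
import math


def search_space(alphabet_size, length):
    """Number of distinct passwords of exactly this length over this alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size, length):
    """The same quantity expressed as a bit count, the form most password guidance quotes."""
    return length * math.log2(alphabet_size)


def length_to_match(alphabet_size, target_space):
    """Shortest length at which passwords over this alphabet are at least as numerous
    as target_space. An integer loop rather than a logarithm, to avoid float rounding
    at the boundary."""
    n = 1
    while alphabet_size ** n < target_space:
        n += 1
    return n


def compare_policies(full_alphabet=78, full_length=8, small_alphabet=26):
    """The post's comparison: an 8-character password over 78 symbols against
    lower-case-only passwords. Returns the 78-symbol space and the lower-case
    length needed to match or beat it."""
    target = search_space(full_alphabet, full_length)
    return target, length_to_match(small_alphabet, target)


if __name__ == "__main__":
    target, n = compare_policies()
    print(f"78^8 = {target:,} (~{target / 1e15:.2f} quadrillion), {entropy_bits(78, 8):.1f} bits")
    print(f"lower-case only needs {n} letters: 26^{n} = {search_space(26, n):,}, "
          f"{entropy_bits(26, n):.1f} bits")
```

In bits, the 8-character mixed password is just over 50 bits and the 11-letter lower-case one just under 52, which is the post's point: three extra easy-to-remember letters buy more than a keyboard full of symbols.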
Nevertheless, this trend has caught on, so we find ourselves having to come up with complicated passwords for even the most innocuous of use cases.
This is a shame, because ideally a password should be both complex and easy to remember. At StayPrivate, we recommend approaches such as using three random words to create a password, for example: ‘golfhouseyellow’. Even better if you can throw in a couple of numbers or symbols, for example: ‘golf6house9yellow!’. Provided you avoid incredibly basic words and easily guessed patterns (don’t choose ‘onetwothree’), this sort of password is both easy to remember and very difficult to guess.
The risk of falling victim to a credential stuffing attack means that reusing passwords is generally a very bad idea, particularly if you reuse an important password (such as the one you use for your email) for a service which is less likely to be secure, for example, a small online shop.
Ideally you would use a different password every time, but if you do use the same password for two similar services, say for Reddit and for Quora, does it really increase your risk exposure much? If hackers managed to access one of these accounts, would it be significantly worse if they accessed both? The answer, in most instances, is ‘not really’.
A parallel argument applies to passwords for more critical services such as bank accounts. If you have accounts with two different banks and you use the same password for both, how much extra risk are you carrying? Provided it is highly unlikely that either bank will ever divulge your password, the extra risk is negligible.
What you absolutely need to avoid is mixing passwords between different levels of security: do not use the same password when signing up for an account with an online shop as you do for your bank account.
The other approach is to keep a list of your passwords somewhere safe – perhaps as a note on your phone, or as a private note in a secure app such as StayPrivate. Compared to password managers, this might seem somewhat old-fashioned, but provided the list itself is protected from external access, it is actually not a bad approach. It allows you to use different passwords for different services, and also still remember some of the most important ones. But just in case a hacker does manage to access the list, we recommend using a simple code for crucial passwords – you might, for example, use the abbreviation ‘h’ for ‘house’, so that you would note the password down as ‘23h7’ rather than ‘23house7’.
2. Switch on two-factor authentication
Two-factor authentication provides an extra layer of protection on top of your username and password. It usually means adding a phone number to your account, so that when you log in you are prompted to prove your identity by entering a 6-digit code sent to your phone via SMS.
Not all websites offer the option of two-factor authentication, but the vast majority of those that matter do. You should switch it on wherever you can, particularly for your email account – your email account is a backdoor into many other accounts, via the ‘reset password’ option.
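The post describes the SMS variant; the other common form of the same 6-digit code is the authenticator app, where the code is computed from a shared secret and the current time (TOTP, RFC 6238, built on HOTP, RFC 4226) and nothing is sent to the phone at all. The following is an added example (not code from the original post or from any particular service) of how those codes are generated and how a server should verify them: a small window for clock skew, refusal of a code for a period that has already been used, and a constant-time comparison. The secret used is the standard test value from the RFCs so the output can be checked against the published vectors; a real enrolment uses a random secret.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test secret ("12345678901234567890"), used here only so the
# output can be checked against the published vectors; a real secret is random.
TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamic truncation,
    then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time=None, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with the counter set to whole `step`-second periods
    since the Unix epoch."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time // step), digits)


def verify_totp(secret, submitted, at_time=None, step=30, digits=6, drift=1, last_counter=None):
    """Server-side check. Accepts the current period and +/-`drift` neighbours to
    tolerate clock skew, refuses any period at or before the last accepted one
    (replay), and compares in constant time. Returns the matched counter so the
    caller can store it as the new last_counter, or None if nothing matched."""
    if at_time is None:
        at_time = time.time()
    counter = int(at_time // step)
    for c in range(counter - drift, counter + drift + 1):
        if last_counter is not None and c <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, c, digits), submitted):
            return c
    return None


def secret_from_base32(text):
    """Authenticator apps are usually enrolled with a base32 string; decode it,
    tolerating the spaces and missing padding that enrolment screens often show."""
    padded = text.strip().replace(" ", "").upper()
    padded += "=" * (-len(padded) % 8)
    return base64.b32decode(padded)


if __name__ == "__main__":
    print("current code for the test secret:", totp(TEST_SECRET))
```

Because the code is derived from a secret held on the device rather than delivered over the phone network, this form of second factor does not depend on the security of your mobile number, which is the practical reason most guidance now prefers an authenticator app where the site offers one.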
3. Keep software updated
Much software these days is automatically updated, but it is still worth checking regularly to make sure that your operating system and browser are up-to-date, especially on older devices. And although you would be extremely unlucky to run into trouble if you are only a few days behind, it makes sense to try to avoid putting off software updates, where possible. Of course, updates are annoying, but you are going to have to do them sooner or later.
4. Use encrypted email for important emails
We are using email more than ever. The growth of communications services such as WhatsApp, SnapChat, Telegram, Slack and others has not reduced the importance of email as a communication channel, particularly for sending or receiving important documents to or from businesses. In fact, email has become more important as we have reduced our reliance on the postal service.
Unfortunately, email is one of the least secure and least private forms of online communication there is. Email never became popular because of its security; it became popular because it’s universal – anyone can use email with anyone.
Free email services are free for a reason. In return for providing you with functioning email, the email service provider gets access to all your email data, including all email content, any attachments, and the names of the sender and recipients. In fact, your ‘free’ email is not free at all; you are paying for it with your privacy.
Business email accounts, on the other hand, suffer from a different but related problem. In the case of business email, the service provider does not have access to your emails, but the business itself does.
The way around this is to use encrypted email for important emails. Continue to use your existing free email account on a day-to-day basis, but when you need to send or receive confidential, important, personal, or otherwise sensitive information use a secure or encrypted email service.
A service such as StayPrivate is designed to work alongside your current email account rather than replacing it, allowing you to keep important email conversations separate from your everyday email account, which has the added benefit of keeping things organized too.
5. Private browsing
Most web browsers offer ‘private browsing’. In ‘private browsing’ mode, the browser creates a temporary session separate from the main browser session and user data. Browsing history is not saved, and data associated with the session, such as cookies, is cleared when the session is closed. This prevents data and history associated with a ‘private browsing’ session from remaining on the device or being discovered by another user of the same device.
Private browsing does not necessarily protect you from being tracked by websites or your internet service provider (ISP), but for most uses it does offer a reasonable amount of extra privacy.
Do I need to use a VPN?
A VPN, or ‘virtual private network’, offers an extra layer of privacy. When you use a VPN, all incoming and outgoing data passes through the VPN, hiding the details of your actual location from the website you are visiting, and hiding the details of your browsing from your ISP or Wi-Fi network provider. This certainly improves your privacy, but is it necessary? These days, again, the answer is largely ‘not really’.
These days, all reputable websites are delivered over TLS, still widely referred to as SSL (it is the ‘s’ in ‘https’), so your ISP or Wi-Fi network provider cannot see any details of your browsing activity beyond the name of the website you are accessing: your usernames, passwords and even search requests are completely hidden from them.
VPNs are very useful if you want to indicate to a website that you are in a different country. The prime example is when you are travelling and want to access a geo-restricted service that is normally available to you at home, or, conversely, content that is not available in your location. Next time you are watching a sporting event on TV and you see an advert for a VPN, this is the use case they are targeting. Strangely, the TV networks do not seem to have caught on to this yet. There are other scenarios where a VPN is useful, such as accessing blocked websites, avoiding government censorship, and avoiding price discrimination, but these tend to be more specialized.
6. Avoid phishing, smishing and vishing attacks
Phishing, or the sending of fraudulent emails, is the most common form of successful cyberattack. This is perhaps not surprising, as phishing preys on human emotions. Most of us will have received emails from a ‘Nigerian prince’ offering to transfer us a small fortune in return for our bank details, and we know to ignore them. But phishing attacks have become a lot more sophisticated and are ever harder to spot. Furthermore, the success of phishing has bred further variants on the theme: notably ‘smishing’ where the attacker sends a fraudulent text message, and ‘vishing’ where the attacker makes a fraudulent phone call or leaves a fraudulent voice message.
Whether delivered via email, phone, SMS, or any other messaging service, these types of attacks work similarly. Here are a few things you can do to avoid becoming a victim:
- Check the message sender – are they who they say they are? Likewise, if you do not recognise the incoming phone number, be very careful. It is generally better to let the caller leave a voicemail, giving you time to consider whether this is a fraudulent approach or not.
- If a conversation seems suspicious simply end it – whether it is via email, phone, or instant message. There is no need to be polite. In the unlikely event that it turns out that the person was genuine, they will understand.
- If the caller or person emailing or messaging you is trying to scare you, this is a red flag. End the conversation immediately. And if it is still worrying you, speak to a friend about it.
- If the caller or person emailing or messaging you claims to be from a company, do not believe them. Call, message or email the company back using a different device.
- Use encrypted email for important messages (this will reduce the chance of hackers getting information that they can use to defraud you and help identify suspicious senders more easily).
- Avoid clicking on links – but don’t worry if you do, see below.
Clicking on links
We are told not to click suspicious links. This is good advice, but from a purely technical standpoint, it’s just fine these days to simply click on a link. Modern browsers provide a ‘sandbox’ environment for each separate tab, meaning that the script on any webpage is unable to access other tabs in your browser or to infect your computer. A problem can only arise if you go further.
There are two main ways this can happen: the first is that you may be prompted to download a file. Do not do this! The second is that you could be conned into thinking that you are on a legitimate website when you are not, leading you to click on further links and ultimately ending up either downloading a dangerous file or revealing some sensitive information, for example your bank account username and password. This is much easier to fall for than you might imagine, which is exactly why we are told not to click suspicious links!
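Most of the ‘conned into thinking you are on a legitimate website’ cases come down to a link whose visible text and actual destination do not agree, or whose destination only resembles the real site. Those properties can be checked mechanically before anyone clicks, which is what mail filters and browser warnings do. The following is an added example (not code from the original post or from any mail product) that pulls every link out of a constructed email body and reports the well-known tell-tales: a non-HTTPS destination, a host that is not one of the sender's domains, the real brand name buried inside some other host, non-ASCII (look-alike) letters in the host, a user-info ‘@’ that pushes the true host to the right, and link text that names a different site from the one the link goes to. The bank name, its domain and the email are all made up for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the domains the sender legitimately uses (made-up bank for the example).
TRUSTED_DOMAINS = {"example-bank.com"}

# Constructed email body with one genuine link and three shapes of deceptive link.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, you can <a href="https://example-bank.com/help">contact us</a> any time.</p>
<p>Please verify your details at
   <a href="http://example-bank.com.login-verify.net/">https://example-bank.com/secure</a></p>
<p>Or use <a href="https://exämple-bank.com/">example-bank.com</a></p>
<p>Or <a href="https://example-bank.com@203.0.113.7/">example-bank.com</a></p>
"""

HOST_IN_TEXT_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def is_trusted_host(host, trusted=TRUSTED_DOMAINS):
    """True only for the trusted domain itself or a subdomain of it."""
    return any(host == t or host.endswith("." + t) for t in trusted)


def assess_link(href, text, trusted=TRUSTED_DOMAINS):
    """Return the list of warning codes for one link; an empty list means nothing
    stood out. Each check is a well-known way a link can look like it goes
    somewhere it does not."""
    parts = urlsplit(href)
    host = (parts.hostname or "").lower().rstrip(".")
    reasons = []
    if parts.scheme != "https":
        reasons.append("not-https")
    if parts.username is not None:
        reasons.append("userinfo-in-url")        # what precedes '@' is not the host
    if any(ord(ch) > 127 for ch in host) or host.startswith("xn--") or ".xn--" in host:
        reasons.append("non-ascii-host")         # look-alike letters from another script
    if not is_trusted_host(host, trusted):
        reasons.append("untrusted-host")
        if any(t in host for t in trusted):
            reasons.append("brand-in-untrusted-host")  # e.g. example-bank.com.something.net
    m = HOST_IN_TEXT_RE.search(text.lower())
    if m and m.group(1) != host:
        reasons.append("text-host-mismatch")     # text shows one site, link goes to another
    return reasons


def assess_email(html, trusted=TRUSTED_DOMAINS):
    """Return [(href, reasons)] for every link in the email body."""
    collector = LinkCollector()
    collector.feed(html)
    return [(href, assess_link(href, text, trusted)) for href, text in collector.links]


if __name__ == "__main__":
    for href, reasons in assess_email(SAMPLE_EMAIL_HTML):
        print(href, "->", reasons or "ok")
```

Only the first link comes back clean; the other three each trip two or more checks. The same logic is what you apply by hand when you hover over a link and read the real destination in the status bar before deciding whether to go any further.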
7. Watch out for confidence tricksters
As in normal life, there are people online who will try to trick you. The difference between the physical and online world is that online there is much more scope for tricksters. They can create totally artificial identities, set up fake websites and build fake social media profiles. Furthermore, we lose many of the usual cues for spotting dodgy behaviour. Online, you cannot look someone straight in the eye.
The only way to avoid being conned is to be very careful and apply common sense. If something seems too good to be true, it almost certainly is! And trust your instincts. Our subconscious can be very powerful. If something does not feel right, there is a reason for this. Stop, do some research, and ideally discuss with friends before going further with whatever relationship or opportunity it is.
Thank you for reading.