This is the third of a series of articles by Stranger Than Fiction member Keith Houston, about protecting your work from the pitfalls of computer and online usage. We’re very grateful to Keith for giving his time and expertise so freely for our benefit. You can read Part One here and Part Two here.
Passwords and security
Ask yourself this: if a thief was to steal your computer or other electronic device right this minute, what could they do with it? If you’re logged in to your email account, they could read all your correspondence and impersonate you to all your contacts. (A similar problem exists for social media sites such as Facebook and Twitter.) If you’re logged into an e-commerce site such as Amazon or eBay, they can spend your money. Perhaps most dangerous of all, they could read all the files on your device that are not otherwise protected. Quite aside from its material value, an unsecured laptop or mobile phone can be a treasure trove for a fraudster or identity thief.
Protecting your devices and files
The most fundamental part of securing your computer or mobile device, then, is to place some barrier between unauthorized users and your data. Typically, this means protecting it with a password or PIN so that only you, or people you trust, can use it. The details vary as to how to do this, but the following links provide basic instructions for the most common operating systems:
If a simple password isn’t quite glamorous enough for you, there are other, more esoteric means of protecting your device. If your laptop or phone has a front-facing camera, for example, you may be able to configure it to unlock only when it recognises your face. Other computers, tablets, and smartphones have fingerprint readers that obviate the need to type in a password.
Having set up a password or other protection mechanism, you will be prompted to enter that password (or look at the camera, or place your finger on the fingerprint reader) whenever you switch on your device; after it has been woken from sleep; or if you have explicitly locked it. (It is worth getting into the habit of locking your computer whenever you step away from it; phones and tablets, on the other hand, tend to go to sleep after a few minutes of inactivity, and lock themselves as a result.) Though it may be frustrating at first to have to unlock your laptop or phone each time you want to use it, it quickly becomes second nature. You wouldn’t want your bank card to be usable without a PIN number, and you should treat your computer and smartphone in exactly the same way.
Even with a password in place, however, a determined thief may be able to access the contents of your computer’s hard drive or your smartphone’s memory card by physically removing it from your device and accessing it directly. For an additional layer of protection, you may wish to “encrypt” your files: this is a process that obfuscates the contents of your files so that they can only be read when some predetermined condition is met, such as the provision of an additional password, the presence of a special USB key, or your computer being physically intact. The following links explain how to encrypt files on various common operating systems:
Though it may sound daunting, encryption can usually be enabled without presenting too many additional obstacles to you, the user, while preventing unauthorised access to your files and other data. If you have protected your computer with a password and encrypted your data, a thief will find it very difficult indeed to access your files.
So: you’ve password-protected your computer, tablet or smartphone, and perhaps encrypted your data. These are good first steps! Unfortunately, however, there are other ways in which an attacker might gain access to your data.
Much of our day-to-day use of computers revolves around online services: library catalogues, newspaper archives, genealogy sites, email accounts, and more. Much of our important data lives in these services, too, such as emails, documents, calendar events and more. Protecting your computer with a password stops a thief from accessing services to which you are logged in on that computer, but there is always the danger that an attacker can discover the password to a particular service and so access that service without having to steal your device at all — and without you ever realising they have done so.
The best way to fight this is to ensure that you use strong passwords for all online services. Google has some excellent advice on choosing passwords, but here are some simple rules of thumb:
- The longer, the better. Each additional character in a password makes it an order of magnitude harder to guess.
- Deliberately misspell your words. The first place a password cracker looks is the dictionary, so don’t make it easy for them. The best passwords are random strings of letters, numbers, and symbols.
- Don’t reuse passwords across services. Email addresses, which often serve to identify users of a given service, are easily guessed. If you reuse a single password across accounts and an attacker manages to guess what it is, they now have access to all those accounts.
- Change your passwords often. If an attacker guesses your password, they may choose to observe your activity on a service rather than take control of it entirely. The best way to fight this is to periodically change your password.
It is safe to say that this advice is not universally followed. For reference, the top ten passwords used in 2014 were as follows:
If any of these look familiar, then for the love of God, stop what you’re doing right now and change the offending passwords. Lists of common passwords like these circulate among the hackers who attack lucrative services such as email providers, online banking sites, and credit card companies, and your best defence is to pick a password that they’ll have to work hard to guess.
The problem with all this is that a truly secure password — something like cyHhR4C*VY*8#yr&m&9f, for instance — is intrinsically difficult to remember. And, as we use more and more online services, we have more and more of these brain-twisting passwords to remember, increasing the temptation to use simpler passwords or to reuse the same password across services. Neither of these is a good thing.
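The rules of thumb above can be turned into a small checker. The following is an added example, not code from the article: it estimates how many candidates a brute-force attacker must try (the "order of magnitude per character" effect is simply the size of the character set multiplied in once per character), and flags passwords that appear in a constructed stand-in for the common-password list or in a constructed mini-dictionary. The thresholds in `assess` are assumptions for the demo, not figures from the article.

```python
import math
import string

# Constructed sample of frequently used passwords; a stand-in for the published
# top-ten list the article refers to, not that list itself.
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "abc123", "letmein"}

# Constructed mini-dictionary; real cracking wordlists run to millions of entries.
DICTIONARY = {"password", "sunshine", "dragon", "monkey", "welcome"}


def charset_size(password: str) -> int:
    """Size of the smallest standard character set an attacker must search
    to cover every character class that appears in the password."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += len(string.ascii_lowercase)   # 26
    if any(c in string.ascii_uppercase for c in password):
        size += len(string.ascii_uppercase)   # 26
    if any(c in string.digits for c in password):
        size += len(string.digits)            # 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)       # 32
    return size


def search_space_bits(password: str) -> float:
    """log2 of charset_size ** length, the number of candidates a brute-force
    attacker must cover. Each extra character multiplies that number by the
    charset size, which is the 'order of magnitude' the rules of thumb mention."""
    size = charset_size(password)
    if size == 0:
        return 0.0
    return len(password) * math.log2(size)


def characters_for_bits(charset: int, target_bits: float) -> int:
    """How many characters from a charset of the given size are needed to reach
    target_bits of search space. Shows why length beats symbol-juggling."""
    return math.ceil(target_bits / math.log2(charset))


def assess(password: str) -> dict:
    """Apply the article's rules of thumb and report which ones a password fails."""
    findings = {
        "bits": round(search_space_bits(password), 1),
        "common": password in COMMON_PASSWORDS,
        "dictionary_word": password.lower() in DICTIONARY,   # exact-match lookup only
        "too_short": len(password) < 12,                     # assumed threshold
    }
    findings["acceptable"] = (
        not findings["common"]
        and not findings["dictionary_word"]
        and not findings["too_short"]
        and findings["bits"] >= 60                           # assumed threshold
    )
    return findings


if __name__ == "__main__":
    for candidate in ("password", "cyHhR4C*VY*8#yr&m&9f"):
        print(candidate, assess(candidate))
    # 80 bits of search space: 13 characters from the full printable set, 18 from lowercase alone
    print(characters_for_bits(94, 80), characters_for_bits(26, 80))
```

The dictionary check here is exact-match only; real crackers also apply mangling rules (appending digits, swapping letters for symbols), which is why the article's closing advice, a random string, is the safe choice rather than a creatively misspelled word.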
Perhaps the best solution to this problem is to use a “password manager”. This is a piece of software (or rather, a software service) that will both generate and remember complex passwords for you. The basic concept is this:
- You install an application, app, or browser plugin to access the service. You pick a single, strong password to log into the service.
- As you log in to online services, the service offers to fill in username and password fields for you, and to generate and remember strong passwords for you.
- The service encrypts these passwords in such a way that they cannot be deciphered by an attacker, even if they succeed in obtaining the encrypted passwords. Only you, with the master password, can access them, so guard it with your life.
There is much more to password managers than this (LastPass offers a decent summary here), but that’s the basic idea. Try LastPass, 1Password, or Dashlane to get started. There’s a small learning curve at first, like the rest of the measures described here, but the reward is much better online security — assuming, of course, you choose a strong master password and keep it safe.
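To make the three bullet points concrete, here is an added example of the core of a password manager, written for this article rather than taken from LastPass, 1Password or Dashlane: it generates random passwords, stretches the master password into keys with PBKDF2, and seals the stored passwords so that a wrong master password or a tampered vault file yields nothing. The iteration count is an assumption chosen to keep the demo quick, and HMAC-SHA256 in counter mode stands in for the authenticated cipher (AES-GCM or similar) a real product uses, because the Python standard library has no AES.

```python
import hashlib
import hmac
import json
import os
import secrets
import string

# Work factor for PBKDF2; assumed value to keep the demo fast. Real managers
# use far heavier stretching, or a memory-hard function such as Argon2.
PBKDF2_ITERATIONS = 200_000


def generate_password(length: int = 20) -> str:
    """Random password over letters, digits and symbols from the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def derive_keys(master_password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the master password into an encryption key and a MAC key.
    The salt is stored with the vault; the keys never are."""
    material = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=64
    )
    return material[:32], material[32:]


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream with HMAC-SHA256 as the PRF (stdlib stand-in for AES)."""
    blocks = bytearray()
    counter = 0
    while len(blocks) < length:
        blocks += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), "sha256").digest()
        counter += 1
    return bytes(blocks[:length])


def seal_vault(master_password: str, entries: dict) -> dict:
    """Encrypt-then-MAC the entries under keys derived from the master password."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries).encode("utf-8")
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ciphertext": ciphertext.hex(), "tag": tag.hex()}


def open_vault(master_password: str, sealed: dict):
    """Return the entries, or None if the master password is wrong or the
    stored vault was altered. The tag is verified before anything is decrypted."""
    salt, nonce = bytes.fromhex(sealed["salt"]), bytes.fromhex(sealed["nonce"])
    ciphertext, tag = bytes.fromhex(sealed["ciphertext"]), bytes.fromhex(sealed["tag"])
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        return None
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode("utf-8"))


if __name__ == "__main__":
    vault = {"example.com": generate_password(), "mail.example": generate_password()}
    stored = seal_vault("correct horse battery staple", vault)   # constructed master password
    print(open_vault("correct horse battery staple", stored) == vault)   # True
    print(open_vault("password123", stored))                              # None
```

Notice that nothing in `stored` lets anyone recover the entries without the master password: an attacker who copies the vault file gets a salt, a nonce, ciphertext and a tag, and must run the key stretching for every guess. That is why the strength of the master password is the whole game.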
We’re almost at the end of this stroll through computer security, but there’s one last thing worth considering for even stronger protection.
Conceptually, password-based security is simple. The identity of a user is publicly known (or, like an email address, it is easily guessed), but that user can only access a service if they are also in possession of a secret, or “factor”, known only to the service — that is, their password. Recently, however, a number of services have started offering “two-factor authentication”, in which a second factor is required to correctly identify a user.
Most two-factor authentication systems require you, the user, to be in physical possession of some device or token that identifies you personally. If you enable two-factor authentication on Twitter, for example, when you try to log in with your email address and password the system will send you an SMS message with a numeric PIN that lets you complete the login process. Your mobile phone is the second factor: even if an attacker knows your password, they cannot know the PIN Twitter will send to your mobile phone.
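What the service has to do on its side of that SMS exchange is short enough to show in full. The following is an added example written for this article, not Twitter's implementation: after the password check succeeds, the server issues a random six-digit code, sends it to the registered phone number, and accepts it only once, only within a time window, and only for a limited number of attempts. The validity window and attempt budget are assumed values, and `send_sms` is a placeholder for whatever gateway a real service would use.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300   # assumed validity window for a code
MAX_ATTEMPTS = 3         # assumed guess budget per challenge


def hash_code(code: str, salt: bytes) -> bytes:
    """Store a hash rather than the code so a leaked challenge table does not
    hand out live codes. With only a million possible codes this is a minor
    hardening; expiry, the attempt limit and single use are what stop guessing."""
    return hashlib.sha256(salt + code.encode("utf-8")).digest()


@dataclass
class PendingChallenge:
    code_hash: bytes
    salt: bytes
    expires_at: float
    attempts: int = 0


class SecondFactorServer:
    """Server side of the SMS flow: issue a code once the password has been
    accepted, then verify it with the three limits above."""

    def __init__(self, send_sms, clock=time.time):
        self.send_sms = send_sms   # callable(phone_number, text); placeholder for an SMS gateway
        self.clock = clock
        self.pending: dict[str, PendingChallenge] = {}

    def start_challenge(self, username: str, phone_number: str) -> None:
        code = f"{secrets.randbelow(10**6):06d}"   # six digits from the OS CSPRNG
        salt = secrets.token_bytes(16)
        self.pending[username] = PendingChallenge(
            hash_code(code, salt), salt, self.clock() + CODE_TTL_SECONDS
        )
        self.send_sms(phone_number, f"Your login code is {code}")

    def verify(self, username: str, submitted: str) -> str:
        entry = self.pending.get(username)
        if entry is None:
            return "no_challenge"
        if self.clock() > entry.expires_at:
            del self.pending[username]
            return "expired"
        entry.attempts += 1
        if hmac.compare_digest(hash_code(submitted, entry.salt), entry.code_hash):
            del self.pending[username]      # single use: the same code never works twice
            return "ok"
        if entry.attempts >= MAX_ATTEMPTS:
            del self.pending[username]      # back to the password step for a fresh code
            return "locked"
        return "wrong"


if __name__ == "__main__":
    outbox = []   # constructed stand-in for the phone receiving the SMS
    server = SecondFactorServer(send_sms=lambda number, text: outbox.append(text))
    server.start_challenge("alice", "+15550000000")     # constructed user and number
    code = outbox[-1].split()[-1]
    print(server.verify("alice", code))   # ok
    print(server.verify("alice", code))   # no_challenge
```

The key property is in `verify`: a correct password alone gets an attacker as far as `start_challenge`, but the code goes to the phone, and the attempt limit means they cannot simply try all million values.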
Many services now support two-factor authentication (there is a list here) — including, for instance, the password managers mentioned above, which may assuage any concerns you have about using a single password to protect all your others.
Computer security is an enormous (and enormously complex) subject, but the measures discussed above will help you keep your data, files, and online identities protected with the minimum of effort.