Online Security Part 3 – More About Passwords

(This post is part of an ongoing series on Online Security. The other parts can be found here.)

These days, almost everybody has dozens of online accounts, most of which are tied to their email address. It is tempting to reuse the same ‘easy to remember’ password, but securing online accounts such as banking, email, Facebook, App Stores, and others with strong, unique passwords is critical to staying safe online. Email accounts are especially tempting targets for hackers because they not only provide the usernames for other accounts, but can also be used to reset passwords and spread malware to other users.

For example, as reported in the news last December, hackers currently have data on over 1.5 billion Yahoo accounts. The Wikipedia article (https://en.wikipedia.org/wiki/Yahoo!_data_breaches) states that in the first part of the attack “The hackers had obtained data from over 500 million user accounts, including account names, email addresses, telephone numbers, dates of birth, hashed passwords, and in some cases, encrypted or unencrypted security questions and answers.” Hashed passwords can be loosely translated as encrypted passwords, but to make a long story short, easy-to-guess passwords such as ‘123456’ or ‘qwerty’ are so common that hackers don’t even need to break the encryption.
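Why common passwords offer no protection even when stored as hashes, seen from the side of the site that stores them (an added example, not part of the original post; the user names, the four-entry password list, the 12-character minimum, and the iteration count are assumptions made for illustration):

```python
import hashlib
import hmac
import os

# Constructed sample standing in for a real common-password list.
COMMON_PASSWORDS = {"123456", "qwerty", "password", "111111"}
ITERATIONS = 600_000  # assumed PBKDF2 work factor; tune for your hardware

def unsalted_hash(password: str) -> str:
    """Weak scheme: fast hash, no salt. Same password -> same hash everywhere."""
    return hashlib.sha256(password.encode()).hexdigest()

def salted_hash(password: str, salt: bytes = b"") -> tuple:
    """Better scheme: random per-user salt plus a deliberately slow KDF."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt)[1], digest)

def accounts_sharing_a_hash(table: dict) -> list:
    """Audit a user table: identical hashes reveal unsalted, reused passwords."""
    groups = {}
    for user, stored in table.items():
        groups.setdefault(stored, []).append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)

def is_acceptable(password: str) -> bool:
    """Signup check: long enough and not on the common list."""
    return len(password) >= 12 and password.lower() not in COMMON_PASSWORDS

if __name__ == "__main__":
    # Constructed user table (hypothetical names) stored the weak way.
    weak = {u: unsalted_hash(p) for u, p in
            [("alice", "123456"), ("bob", "123456"), ("carol", "qwerty"),
             ("dave", "plum-tractor-violin-42")]}
    print("share a hash:", accounts_sharing_a_hash(weak))
    s1, d1 = salted_hash("123456")
    s2, d2 = salted_hash("123456")
    print("salted digests differ:", d1 != d2)
    print("verify ok:", verify("123456", s1, d1))
    print("accept 'qwerty'?", is_acceptable("qwerty"))
```

Salting stops identical passwords from producing identical stored values, but only a long, unique password keeps an account out of reach of simple guessing.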

Since user names are known by many other terms such as account name, user, user ID, email, login, login id, and screen name, this Yahoo data is an excellent starting point for more serious hacking. However, finding the time to change passwords is a daunting task. Each website’s password change option is in a different place and requires entering the old and new passwords. Then the new password has to be recorded somewhere safe. In a family, some of these new passwords also have to be available to others.

The good news is that the change doesn’t have to be done all at once. It is easier to start with the most critical accounts such as email, banking, computer locking, and cell phone passcodes. Next, other accounts such as social media, utilities, and games can be updated little by little as they are used. The problem then becomes how to safely store those passwords. Many people store them in a small notebook next to their computer or in a text file on the desktop named PASSWORD.TXT. Please do not do that! The next post will provide several options for storing and automatically entering safe, strong passwords. As a teaser, if you don’t mind paying less than the cost of a latte a month, try 1Password from AgileBits (https://agilebits.com). It can securely store, automatically enter, and share passwords. Ahhh, finally a world where only ‘1Password’ has to be remembered!

Online Security Part 2 – Malware for the Rest of Us

(continued from Part 1)

However, most malware is more subtle. A common sign of infection is when an internet browser (Internet Explorer, Edge, Chrome, Safari, etc.) displays a different website than the one the user typed in. This can also happen to links clicked on from a Google search. The technical terms for this malware include “browser redirect virus” and “browser hijacker.” It can also change the homepage, add new toolbars, display advertising, and create pop-up messages even when not online.

Other signs can include a computer that suddenly runs very slowly or constantly crashes / freezes, or new icons that appear on the desktop. Malware is a very complex topic; it can be difficult to detect and remove even for experts. Worse still, it can include spyware that steals passwords and emails itself to others, so it’s obviously best to avoid getting it in the first place.

One key to avoiding malware is to think before clicking on any link online. Dangers can include free software downloads, links on shady websites of all types, downloading a “required” video player, and clicking on online ads. Even plugging in a friend’s USB memory stick can deliver malware. Another way it can be installed is through something called “social engineering” where a user is tricked into clicking on a dangerous link through a carefully written fake email, text, or instant message. These messages are also known as “phishing campaigns” and they can be VERY convincing (even coming from friends).

To summarize, here are a few tips for avoiding malware. Keep in mind that each of these suggestions could be expanded into an entire post!

  • Make sure computer and phone software is kept up to date (if you’re still on Windows 95, you’re really in trouble).
  • Never click on links or open attachments in messages from unknown sources. Unexpected messages from known sources should also be treated with suspicion since some viruses can access a user’s email and send a message to everyone in their address book.
  • Never click on links in emails from banks, Apple, Google, Microsoft, etc. Access the website directly.
  • Back up regularly! Backups are an effective way to recover from digital and physical disasters if the 3-2-1 rule is used: three full backups on two different types of media with one copy stored “somewhere else” (more details in a future post).
  • On Windows, at least use Windows Defender (anti-virus software is a massive topic on its own).
  • Use strong / unique passwords and a password manager. Two-factor authentication is an advanced technique that is also very effective for securing critical accounts such as email, banking, and social media (another topic for a future post).
  • Look for secure connections to websites (the padlock symbol = HTTPS) and logout when done. The padlock is in different places on different computers / browsers. Some examples are below.

Online Security Part 1 – Malware for the Rest of Us

People are afraid of online threats for good reasons. We use computers and the internet for everything from banking to social communication to storing cherished family photos and videos. So many devices are portable, which can result in additional security issues. This series of posts will present a variety of simple and practical techniques to stay safe from the worst online threats such as malware (aka viruses) from infected websites and “phishing” emails, online account hacking, and the dangers involved when using public WiFi hotspots. It will also include an introduction to the terminology and symptoms of malware, hopefully making it a bit easier to figure out if a computer or online account has been compromised. It will conclude with suggestions for creating strong and memorable passwords. Each post will be relatively short and a deeper discussion will follow in future posts.

The problem for most of us is that the official definitions are unnecessarily complex. For example, the definition for malware is “Parasitic software fragments that attach themselves to some existing executable content. The fragment may be machine code that infects some existing application, utility, or system program, or even the code used to boot a computer system.” This definition means practically nothing to non-technical people. Actually, it’s possible to ignore most of the techno jargon, but knowing a few basic terms is necessary because even a Google search requires knowing a few of the right words.

More simply put, malware is the general term for computer viruses, worms, trojan horses, ransomware, spyware, adware, scareware, rootkits, and other malicious programs. The details of each of these types of malware will be provided in a future post, but for now it helps to learn the obvious symptoms of malware so it can be removed as soon as possible. Ransomware is the easiest to identify since the point of this malware is to tell the user they have been infected. The cyber criminal scrambles the files and will not unscramble them until the ransom is paid (if ever). Some messages even make it sound like the user has broken federal laws (you can’t even believe criminals these days!).

(continued in Part 2)