Clearance sale! Vans shoes cheap! I was as surprised as anyone to hear that I’d pivoted from blogging to hawking knock-off footwear on Facebook. After pulling down the scam posts and changing my password, I checked my activity log. At least three interlopers had somehow managed to access my account, one of them several years ago. Creepy, but unimaginative: they didn’t lock me out, or steal my identity, or use my password to access other sites. As far as I know, my nudes are still between me and Zuckerberg.
Then there was the second incident: I changed my Google password, immediately forgot it, and couldn’t get back into my account. This was bad, because at that point, I lived inside the Google ecosystem. I had a Chromebook and an Android phone, used Chrome for all my browsing and bookmarks, kept all my files, photos, and storage in Drive, did all my work in Docs and Sheets, and had all my contacts and other accounts connected to Gmail. None of it was backed up anywhere else, and now it was all gone.
I filled in the account recovery forms over and over, and sat there silently panicking as each robotic form rejection destroyed a tiny piece of my soul. There was no way to get in touch with a human being. With one moment of carelessness, I had lost all my work, years of treasured memories, and my entire digital life.
Then I remembered that I knew some people at Google, so I sent them a grovelling message and they eventually got me unlocked, even though it had nothing to do with their department. Phew.
On both occasions I got lucky: it could have been much, much worse. Screwing up for a third time was probably tempting fate, so I decided it was time to actually sit down and do a personal security audit of my digital life.
That’s how I got hacked. This is how I got hard.
Bottomless Pits of Doom
Hardening your online security is a big fat juicy asymmetry. Looking at it through the optionality framework, the downside risk is essentially unbounded: if there’s even a small chance of losing your money, your files, your livelihood, your accounts, your identity, that has to be mitigated at all costs. It’s a Bottomless Pit of Doom.
At the same time, there are simple precautions that reduce this downside risk by ~95 per cent. These insurance-style options are not only cheap to take out, but free. The only real ‘cost’ is the time spent figuring out best practice, and then actually taking the required steps.
So why do so many otherwise smart people take the ‘do literally nothing and hope for the best’ approach? I think it’s because the threat isn’t visceral. No-one is comfortable walking alone through a strange city at 3am, because we’re wired up to be scared of muggers and rabid dogs. But it’s much harder to develop the required respect for cybersecurity until something bad happens, by which point it’s already too late.
There’s also the sheer inertia: even if you vaguely know this is important, you still have to waste a weekend researching what to do and doing an audit of all your accounts.
Having already wasted said weekend, I thought I might as well share my notes, and hopefully make it a bit easier for anyone else who wants to follow suit. Obviously I’m not a security expert. Don’t take my word for anything! But maybe it’s useful to read a security guide for dummies, written by a dummy.
(Also, I’m obscuring the details of my own setup slightly because I’m not that dumb. Come at me, discount shoes scammers.)
General Principles of Online Security
The personal security audit has six pillars:
1. Set strong passwords
2. Use two-factor authentication (2FA)
3. Contingency planning
4. Secure your devices
5. Backup everything
6. Avoid prying eyes
Before we get into the specifics, a few general principles:
Paranoia is totally rational
You’d have to be the unluckiest schmuck on the planet to have your data stolen the first time you connect to a public WiFi network without protection. Probably nothing will happen the first hundred times, or even the first 1000 times.
The thing about taking a small ‘one-off’ risk is that if you keep doing it over and over, you will eventually blow up with 100 per cent certainty. As Nassim Taleb puts it, repetition makes paranoia about low-probability events perfectly rational.
Redundancy, redundancy, redundancy
You will forget your password. Your phone will get lost, and with it all your two-factor authentication codes. A company which has your details on file will be compromised.
When this happens, you need a system with built-in redundancy. You can’t rely on any one factor to save you. You need a Plan B to fall back on as a bare minimum, and preferably a Plan C too.
Perfect is the enemy of good
This guide will get you hard. But it won’t get you, like, titanium hard. I’m only covering the most obvious steps, which are but a tiny drop in a huge and ever-changing ocean of cyberwarfare.
Unless you’re some kind of criminal or high-value target, I think an 80/20 approach is fine. It might even be optimal, considering how many breaches are caused by security that’s too complicated or onerous for anyone to actually stick to.
1. Set Strong Passwords
OK, I admit it. I had basically one password, and then used variations of it on almost every website. My brilliant code looked something like this:
If someone got access to any one of my passwords, they would essentially have them all. And the hackers wouldn’t even have to guess my stupid password: they could just steal it from some company’s database, and then apply it to all my other accounts.
This is probably a good time to check whether any of your accounts have already been pwned.
My personal email address turns up four related breaches going back to 2013, one of which happened pretty recently. So my hacked Facebook page is no longer looking like such a great mystery.
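The same service behind that breach lookup also exposes a password-checking API built on k-anonymity: your machine hashes the password with SHA-1, sends only the first five hex characters of the hash, and gets back every leaked hash suffix sharing that prefix, so the full password (or its full hash) never leaves your computer. The code below is an added example written for this post, not something from the original article or from Have I Been Pwned. The API URL is real; the sample response and its counts are constructed so the check can be exercised offline.

```python
import hashlib
import urllib.request
from typing import Tuple

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed stand-in for a range response. The real API returns "SUFFIX:COUNT"
# lines, one per leaked hash sharing the queried 5-character prefix; the counts
# and the first/third lines here are made up for the demo.
SAMPLE_RESPONSE = """\
1E2DC1E2F4F4B1E2F3D5C6A7B8C9D0E1F2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E5F7A8B9C0D1E2F3A4B5C6D7E8F9A0B1C2:17
"""


def hash_parts(password: str) -> Tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is sent
    to the service and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_response(body: str, suffix: str) -> int:
    """Return how many times our suffix appears in the leaked-hash list (0 = not found).
    The comparison happens on our side, which is what makes the query k-anonymous."""
    for line in body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


def check_offline(password: str, body: str) -> int:
    """Evaluate a password against an already-fetched range response (used in the test)."""
    _, suffix = hash_parts(password)
    return count_in_response(body, suffix)


def check_online(password: str, timeout: float = 10.0) -> int:
    """Live lookup: only the 5-character prefix is ever transmitted."""
    prefix, suffix = hash_parts(password)
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"User-Agent": "personal-security-audit-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read().decode("utf-8")
    return count_in_response(body, suffix)


if __name__ == "__main__":
    # "password" is a deliberately terrible example input, not anyone's real credential.
    print("offline demo count:", check_offline("password", SAMPLE_RESPONSE))
```

Run `check_online()` against a password you are about to retire, not one you intend to keep using; a non-zero count means that exact string sits in a public breach dump and any account still using it should be rotated first.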
In my defense, it can’t be humanly possible to remember unique passwords for 100+ different accounts, each of which requires some highly specific combination of characters, and must be changed under a waxing moon or whatever. This is the kind of bad design that leads people to do dumb shit like keeping their passwords on a post-it taped to the monitor, or uh, using slight variations of the same code for everything.
The good news is that password managers exist. All you need is one master password to unlock your central vault, and you can write down all your passwords in one place. This is basically the same as the ‘taped post-it note’ strategy, except it’s actually secure. Neat!
The killer feature is that you can also replace all the useless !spankyFacebook69 passwords with randomly generated ones like this, and load them from your vault with one click:
Some browsers offer password managers, although it’s better to use dedicated services like LastPass, BitWarden, 1Password and Dashlane. They’re all free or cheap: here’s the Wirecutter review.
Nowadays, the only thing I have to remember is my master password, which gives me access to 98 per cent of my stuff, along with a couple of other unique passwords for ultra-secure accounts which only exist in my head (see principle one: paranoia).
The master password is the weakest point in the system, which means it has to be rock-solid. One approach is to use passphrases made out of random words strung together, like spankchickenchairfriend. The concern is that these can be deciphered by ‘dictionary attacks’ based on common words, whereas incomprehensible strings of gibberish are harder to brute-force.
There was a big debate in the security community about this a while back, which led to this definitive post. As AviD pointed out, there are two components to a password: not only how difficult it is to guess, but how difficult it is to remember. Failing to account for human frailties leads to bad outcomes, which is why we must follow AviD’s Rule of Usability:
Security at the expense of usability comes at the expense of security.
(principle no. three: perfect is the enemy of good.)
Personally, I want to have the best of both worlds. With some simple mnemonic tricks, you can get a high-entropy password which is still easy to remember.
Take the first letter of each word in a quote or song lyric that you can easily remember. Let’s assume for the sake of this exercise that my favourite song is Taylor Swift’s Bad Blood:
‘Cause baby now we got bad blood / You know it used to be mad love
This gives us cbnwgbbykiutbml, which is already a decent start. We can make it harder by adding an extra riff: either changing some of the letters into 1337-speak, or varying the cases, or inserting a number. I’m going to Spongebobise the text, add half of my old cellphone number at the start by holding the shift key down while typing the numbers, and add the other half at the end just for good measure:
That looks suitably gibberish-like. Now let’s test it:
This is overkill. I probably wouldn’t bother changing the cases, because it’s too annoying to type, and might use a shorter number, or only append it to one end. The point is that a password like this is ridiculously hard to brute-force, while simultaneously being ridiculously easy to remember. It’s literally the first line of my favourite song and my first ever phone number, and yet it would take seven squillion years to crack.
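The recipe above (first letter of each word, alternate the case, type half a number with Shift held down, append the other half) is mechanical enough to script, and scripting it makes the two entropy questions from the AviD debate concrete. The following is an added example written for this post, not code from the original article. It reproduces the cbnwgbbykiutbml step from the quoted lyric, uses a made-up placeholder in place of the author's phone number, and goes slightly beyond the text by also computing the entropy of a random-word passphrase so the two approaches can be compared on the same scale. The guess rate used for the "years to crack" figure is an assumed constant.

```python
import math
import re

# Constructed inputs: the lyric is the one quoted in the post; the digits are a
# made-up placeholder, not anyone's real phone number.
LYRIC = "’Cause baby now we got bad blood / You know it used to be mad love"
PLACEHOLDER_DIGITS = "02115678"

# US keyboard layout: the symbol you get when typing each digit with Shift held.
SHIFTED = str.maketrans("1234567890", "!@#$%^&*()")


def initials(text: str) -> str:
    """First letter of every word, lower-cased; punctuation-only tokens like '/' are skipped."""
    letters = []
    for token in text.split():
        clean = re.sub(r"[^A-Za-z]", "", token)
        if clean:
            letters.append(clean[0].lower())
    return "".join(letters)


def spongebob(text: str) -> str:
    """Alternate lower/upper case: 'cbnw' -> 'cBnW'."""
    return "".join(ch.upper() if i % 2 else ch.lower() for i, ch in enumerate(text))


def shift_digits(digits: str) -> str:
    """'1234' -> '!@#$' (what Shift+digit produces on a US keyboard)."""
    return digits.translate(SHIFTED)


def build_password(lyric: str, digits: str) -> str:
    """Shifted first half of the number, SpongeBob-cased initials, plain second half."""
    half = len(digits) // 2
    return shift_digits(digits[:half]) + spongebob(initials(lyric)) + digits[half:]


def charset_size(password: str) -> int:
    """Size of the alphabet a blind brute-force search would have to cover."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation
    return size


def brute_force_bits(password: str) -> float:
    """Bits of work for a blind search over the visible character classes.
    This is an upper bound: a guesser that models the 'song initials + phone
    number' structure needs far fewer guesses, which is why the lyric and the
    number must not be guessable from your public profile."""
    return len(password) * math.log2(charset_size(password))


def passphrase_bits(word_count: int, wordlist_size: int = 7776) -> float:
    """Entropy of a passphrase whose words are drawn uniformly at random from a
    wordlist (7776 = a Diceware list). A dictionary attack does not help here:
    the attacker already knows the list, and still faces wordlist_size**word_count
    candidates. The weak case is words a human picked, not words a die picked."""
    return word_count * math.log2(wordlist_size)


def years_to_search(bits: float, guesses_per_second: float = 1e10) -> float:
    """Years to exhaust 2**bits candidates at an assumed offline guess rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    pw = build_password(LYRIC, PLACEHOLDER_DIGITS)
    print(pw, round(brute_force_bits(pw), 1), "bits (blind search upper bound)")
    print("4 random Diceware words:", round(passphrase_bits(4), 1), "bits")
```

The number that matters is the gap between the two estimates: a blind search over the 23-character mnemonic is hopeless, but so is a search over four or five genuinely random words, which is why the "dictionary attack" worry only applies to passphrases a person chose by hand.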
2. Use Two-Factor Authentication (2FA)
Once you’ve got a strong password, there’s almost no chance it will be cracked before the sun implodes, but we’re not out of the woods yet.
Scenario 1: Someone steals your computer, or otherwise gains remote access to it. Assuming your password manager is unlocked, they can now log into pretty much all of your accounts without needing the master key.
Scenario 2: One of the many companies with whom you have an account gets hacked. They have not demonstrated big brain behaviour in storing your details on the backend, and the hackers can just take your password as plain text.
In either case, I’m not worried at all, because I have 2FA set up on any account that matters a damn. If someone tries to log in from a new location, IP address, or device, they’ll be prompted to enter a code sent to my phone. Unless they have also stolen my phone, and my phone’s access code, they’re not going to get anywhere: I can easily reject the unauthorised login attempt and update my password.
Of all the different types of 2FA, one unusually bad option is to get SMS messages sent to your phone. These are vulnerable to ‘SIM swapping’ (sometimes called SIM spoofing) attacks, in which hackers get your mobile provider to switch your number to their own device. Plus it’s a pain in the ass to update all the accounts if you change your phone number.
A better option is to use something like the Google Authenticator app, which keeps all your secret 2FA codes easily accessible in one place, and refreshes them every few seconds.
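What an authenticator app actually does is simple enough to fit on one screen, and seeing it explains two things the post glosses over: the codes change every 30 seconds (not "every few seconds") because the current Unix time is divided into 30-second steps, and the thing worth protecting is the shared secret behind the QR code, since anyone holding it can generate the same codes. The block below is an added example written for this post, not the Google Authenticator source; it implements the published HOTP (RFC 4226) and TOTP (RFC 6238) algorithms and uses the test secret from those RFCs so the output can be checked against the standard's own vectors.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# The RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890").
# Only for the demo; a real app generates a random secret per account.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter,
    dynamic truncation to 31 bits, then the last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: Optional[float] = None,
         step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    The 30-second step is why the app shows a fresh code twice a minute;
    the secret itself never changes."""
    t = int(time.time() if timestamp is None else timestamp)
    return hotp(secret, t // step, digits)


def secret_from_base32(encoded: str) -> bytes:
    """Apps receive the shared secret as Base32 (the otpauth:// QR code carries it
    that way); spaces and missing '=' padding are tolerated."""
    cleaned = encoded.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def verify_totp(secret: bytes, submitted: str, timestamp: Optional[float] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accept the code for the current step and +/- `window`
    neighbouring steps (clock drift, typing delay), comparing in constant time so
    response timing doesn't reveal how many digits matched."""
    t = int(time.time() if timestamp is None else timestamp)
    base = t // step
    for counter in range(base - window, base + window + 1):
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return True
    return False


if __name__ == "__main__":
    print("RFC 6238 vector, t=59, 8 digits:", totp(RFC_TEST_SECRET, 59, digits=8))
    print("code right now:", totp(RFC_TEST_SECRET))
```

A practical consequence for contingency planning: because the secret is all that matters, the "backup codes" and "add a second device" options are just two more copies of it (or of an equivalent fallback), so they deserve the same physical protection the phone gets.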
If you have a hard password and proper 2FA you’re basically golden. At this point, your own worst enemy is likely to be yourself.
3. Contingency Planning
A friend and I were exploring a huge bazaar in Colombia called El Hueco (‘the hole’). We got separated for a split second, and immediately lost each other in the crowds. She didn’t have my address memorised, she didn’t speak Spanish, and it was not a good place to be after dark. None of this would have mattered, except for the fact that her phone was in my pocket and we had no way of contacting each other (why does women’s clothing never have functional pockets?). She eventually managed to find a computer in a hotel lobby, and logged into Facebook to message me, but all of her accounts were blocked by 2FA.
This was a stressful experience.
When something frustrating happens, it’s tempting to call off the whole enterprise and go back to having crappy security. Especially if you ever make it so rigid that you accidentally lock yourself out of some account forever, like I almost did with Google. No redundancy, no backups, no mercy.
In either case, the answer is to come up with contingency plans. Let’s say I’m having a really bad, no-good, day: someone steals my phone on the train, and I forget my master password. I’m locked out of my password manager, and therefore almost all of my accounts. I try to send a hint to my Gmail address, but it asks me for a 2FA code to log in…generated by the phone I don’t have.
No fear. Having learned my lesson, I now have multiple 2FA methods set up with Google, including single-use backup codes on a piece of paper in a secure location. If I need to recover my account entirely, I’ve registered two recovery phone numbers, as well as a sister account which, crucially, is not tied to my password manager (principle no. 2: redundancy, redundancy, redundancy.)
I highly recommend not dismissing those annoying prompts that companies send asking you to verify your phone number or provide extra information to recover your account. I also recommend signing up for the emergency 2FA codes which most accounts offer, then printing them off and giving them to a trusted friend or family member, or locking them in a safe.
So now we have strong passwords, 2FA, and contingency plans. But none of this matters if someone can access your physical device.
4. Secure Your Devices
Last summer I worked out of an unassuming library in San Francisco, which just so happened to be the site where the Dread Pirate Roberts was finally arrested. The way they got him in the end was very low-tech: two FBI agents pretended to be quarreling lovers, then a third snatched his open laptop away while he was distracted, before he could close it or encrypt its contents.
I don’t run an illegal darknet marketplace from my computer, or even have anything particularly embarrassing on it. But I do stay logged in to some of my accounts for convenience, which means anyone who gets into my device can effectively read all my emails in the cloud, access all my documents, look at all my photos, etc.
Some obvious precautions: use a strong, unique password for your devices, set the screen so it locks if left unattended, and make sure you’re signed up to remotely track/disable/wipe your devices with Find My Device or similar.
A determined thief could still bypass your device password by other means, so you should also consider encrypting your data with FileVault (Mac) or BitLocker (Windows). There might be a small performance hit, especially on older machines, but it’s almost certainly worthwhile.
Reduce your surface area to attack by deleting any unused apps, make sure software is set to update automatically, and review all the current permissions: you should only give access to apps you trust.
As far as virus protection goes, Chrome OS is the closest thing to completely virus-proof, and Mac OS has historically been relatively secure because it’s a closed system (this is still true, although less so). I don’t know what Windows users should do, sorry.
5. Backup Everything
It’s nice having pretty much my entire life neatly filed away in the cloud. Paper is for cavemen. As far as I know, highly reputable storage services like Drive have never lost data outside of user error, but a) paranoia is totally rational, and b) they can arbitrarily ban your account any time they want.
For any type of cloud-based service, the obvious redundancy is to sync a folder with all your data to the hard disk on your computer: if something screwy happens online, you have another copy.
Scheduling automatic backups is always better than relying on such feeble things as memory and willpower. For example: this entire website is automatically backed up by my host, Siteground. If I break something or the site gets hacked, I can go back and restore from my pick of different versions.
You might also save a copy of your data to a rugged indestructible external hard-drive, and then store it in a different location to your main computer. This is not ideal for work-in-progress, but it works fine for data you don’t access or update often. Plus, you know, redundancy and all. Better to lose six months of recent files than to lose the whole lot.
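A backup you have never checked is a hope, not a plan. The script below is an added example written for this post (not the author's setup or any hosting provider's tooling): it copies a folder into a timestamped snapshot, writes a manifest of SHA-256 hashes alongside it, and can later verify that every file in the snapshot still matches, which is the check you want before trusting the external drive that has sat in a drawer for six months. The demo function builds a throwaway folder with constructed files so it runs anywhere; point `snapshot()` at your real Drive sync folder and an external disk, and run it from cron or Task Scheduler rather than from memory.

```python
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path
from typing import Dict, List, Optional, Tuple

MANIFEST = "manifest.json"


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large photos/videos don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(source: Path, dest_root: Path, label: Optional[str] = None) -> Path:
    """Copy `source` into dest_root/<label>/data and record every file's hash in
    dest_root/<label>/manifest.json, so the copy can later be checked, not just trusted.
    Each run makes a new folder, which is what lets you restore an older version."""
    label = label or time.strftime("%Y%m%dT%H%M%S")
    target = dest_root / label
    data_dir = target / "data"
    shutil.copytree(source, data_dir)
    manifest: Dict[str, str] = {}
    for p in sorted(data_dir.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(data_dir).as_posix()] = sha256_file(p)
    (target / MANIFEST).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return target


def verify_snapshot(target: Path) -> List[str]:
    """Return the relative paths whose contents no longer match the manifest
    (missing files count as damaged). An empty list means the snapshot is intact."""
    manifest = json.loads((target / MANIFEST).read_text())
    damaged: List[str] = []
    for rel, digest in manifest.items():
        p = target / "data" / rel
        if not p.is_file() or sha256_file(p) != digest:
            damaged.append(rel)
    return damaged


def demo_roundtrip() -> Tuple[List[str], List[str]]:
    """Constructed demo: build a small source tree, snapshot it, verify it, then
    simulate bit-rot on one file and verify again. Everything lives in a temp
    directory that is removed afterwards."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "documents"
        (src / "photos").mkdir(parents=True)
        (src / "notes.txt").write_text("audit notes\n")
        (src / "photos" / "holiday.jpg").write_bytes(b"\xff\xd8 not really a jpeg")
        snap = snapshot(src, root / "backups", label="20240101T000000")
        before = verify_snapshot(snap)
        (snap / "data" / "notes.txt").write_text("corrupted\n")  # simulate damage
        after = verify_snapshot(snap)
        return before, after


if __name__ == "__main__":
    print("verify before/after simulated damage:", demo_roundtrip())
```

Keeping the manifest next to the data also gives you a cheap answer to "which of my three copies is the good one" when the cloud, the laptop and the drive disagree.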
6. Avoid Prying Eyes
It’s best to go ahead and assume that everything you put in cloud storage can always be accessed by the government and various other spooks: all your photos, all your emails, your pirated media, your secret diary entries, etc. If you’re important enough to be worth spying on, I guess you need to think about encryption. This is beyond me, so all I will do is flag the issue: almost every company will certainly hand over your dossier when law enforcement comes knocking.
The second main vulnerability is your web browser and search engine. Google hoovers up vast swathes of your data, and Incognito Mode is a bad joke: website operators and advertisers still have all sorts of creepy ways to triangulate who you are. Firefox has much higher privacy standards, especially when used with an anonymous search engine like DuckDuckGo.
I deleted my data and blocked Google from tracking me in certain ways, but I’m too wedded to the ecosystem to escape it all together. I still use Chrome as my main browser, and the Firefox + DDG combo if I want to search for something I’d rather not add to my file.
The third main vulnerability is your Internet Service Provider (ISP). This time, it makes no difference what browser or search engine you use: your ISP is watching every move you make. On websites that don’t use HTTPS (the padlock icon) it can see your passwords, address, credit card details, and exactly what you’re buying—especially horrifying in countries where ISPs are allowed to sell your info to advertisers and other third parties.
Installing the HTTPS Everywhere extension is a good start, but your ISP can still see the general flow of your traffic, and make all sorts of inferences. The only way to avoid its prying eyes altogether is to use a Virtual Private Network (VPN) to ‘tunnel’ through the Internet and pop up from a different IP address.
The problem with using a VPN constantly is that it drags on speed, and often creates issues with logging into accounts (the strange IP address triggers a security review). Personally, I leave it off except when I want to unblock content which is geo-restricted, or I’m using a public or non-secure WiFi connection.
Some VPNs log more or less data, with the general consensus being that those based in Five/Nine/Fourteen Eyes countries are probably more likely to dob you in to the feds. There are other trade-offs here between price, performance, location, and protocols. After looking over this spreadsheet, I ultimately settled on Mullvad. They take their obligations ridiculously seriously: they never know who you are; you can send them literal cash in an envelope, pay with crypto, and they log next to nothing. I also liked that they don’t have affiliates, or do any other shady marketing.
Of all the items on this list, this is the only service I’m paying for: none of the free VPNs seemed good enough to me, and I didn’t want to pinch pennies on something this important. Mullvad has one flat monthly rate of €5, which is hardly going to break the bank.
Personal Security Audit Checklist
There are always going to be trade-offs between usability and privacy/security, but for me, this gives the maximum of results with the minimum of effort.
Here’s a checklist:
- Get a password manager
- Create a strong master password you won’t forget
- Generate strong, unique passwords for all of your existing accounts
- Set up 2FA for all your important accounts
- Set up physical 2FA backup codes and store them securely
- Run through contingency plans to make sure there’s no chance of being permanently locked out of an account
- Delete unused apps and set others to update automatically
- Set strong passwords on your physical devices
- Consider encrypting your hard disk
- Schedule automatic backups for your computer and cloud accounts
- Install the HTTPS Everywhere browser extension
- Consider using Firefox + DuckDuckGo instead of Chrome + Google
- Sign up for a VPN and use it whenever you’re on a public or untrusted WiFi network
That’s it. Again, I’m no expert, but I thought I might as well share my notes and give you a decent starting point. If you have any further suggestions or corrections, add them in the comments. And if you want to buy some discount Vans shoes, I can totally hook you up.
Thanks for looking into VPNs. I always thought the big ones seemed suspicious just because of the number of people they pay to recommend them.
If you want to feel inadequate about your security again, read The Art of Invisibility by Kevin Mitnick. (It made me think “seems like too much work, I guess I’ll just be traceable forever,” but it was interesting to learn how far you need to go to be truly invisible online.)
Yeah totally. Probably a decent general principle to be wary of any brand you hear spammed on blogs and podcasts etc.
Nooooo! haha. I’m pretty comfortable with the 80/20 effort. If I could start over, I would probably do some things differently, but having worked in a career which required me to be a semi-public figure, it’s too late for me to get anywhere close to invisibility anyway.
Hey Rich, new reader here, LOVING what I’ve read so far… just in case you were truly interested in the history of pockets https://99percentinvisible.org/episode/pockets-articles-of-interest-3/
Hey Gina. Glad to hear it! I am mystified by the pocket situation—have just downloaded the episode, thanks.
Oh yay enjoy! This ep should clear up the mystery of pocket discrimination for you…
Another suggestion from the mailbag:
That’s a great article. Earlier this year my KiwiSaver provider got hacked. They got my name, date of birth, email address, phone number, driver’s license and IRD number. I had to spend 3 days changing all my passwords, putting credit freezes in place (the worst process ever) and getting a new driver’s license, new email address etc. It was extremely stressful and at the end of the day my data is still out there in the hands of God knows who.
That sounds like an ordeal Monica, sorry that happened to you. I think I know the provider you’re talking about…if I remember correctly, their response didn’t exactly fill me with confidence. Fingers crossed it’s a once-in-a-lifetime event!
Yes when I went to AA to get my license they knew exactly what had happened. They got something like 20,000 people, maybe more. It’s worrying that companies keep data in the same place so hackers can get all of it. There should be some way of storing photo ID and IRD numbers separately
> do all the above
> go to https://www.google.com/maps/timeline
Yep. I freaked out when I saw the full extent of it and blocked everything. But I missed some features enough (e.g. setting ‘Home’ in Google Maps) that I grudgingly had to turn location tracking back on again. Google wins this round.
Haven’t read yet but thank you because I fell for a phishing attempt a year ago and despite having changed most of my passwords there were some I missed because they weren’t in my password manager, and it’s all terrible. Bleh.
Oh no Claire, that sucks! Hope you manage to get everything back under your control. Every now and then I find another account which is unprotected, and thanks the gods nobody got to it before I did.
Hi Rich, I responded in your email – but forgot to add one thing. Firefox are introducing a VPN, to limited countries for now. It is a bit pricey, but one thing it has which no other does, apart from the usual goodness, is apparently performance.
One of the major issues for VPN is that it can slow down your connections but the new VPN from Firefox is supposedly much faster.
Thanks Simon, hadn’t heard about that. Nice price too.
Unless hackers pay a low-level admin at Twitter to switch your account recovery email address to an address they control – allowing them to control your account and send bitcoin tweet spam…
Also, I’ve switched from Chrome to Brave for my primary browser – it’s basically Chrome under the covers, but without all the Google-tracking stuff.
Yeah that was wild. The most surprising part was how unambitious the scam was! Thanks for the pointer on Brave—so long as it supports extensions that could work nicely for me.
So far I haven’t found a Chrome extension that doesn’t work in Brave – of the dozen or so (out of thousands) that I use.
Cool, gonna give it a try.
+1 for Brave, been using it for almost a year. The numerous extensions I’ve loaded for specific things have worked fine, but I only tend to use a couple regularly. It uses DDG as the search engine by default, though occasionally you may want to search outside of that, as you still can’t beat the ‘Google bubble’ to find that certain thing you’re looking for.
Try private browsing with TOR to anonymise your IP and watch the VPN ads tell you you’re in *some country you’re not in* and you should use a VPN to hide your IP. Smugness abounds.
Though your ISP may be blocking TOR, mine worked for a while now it just times out 🙁
BTW – Congrats on your great blog, I’ve been a long time lurker but finally *joined in* as your range of topics resonates well with me.
Thanks Gardie—I haven’t gone down the TOR route previously because I have usually had shitty WiFi and it degrades the performance, but I might have another look into it.
Glad to have you here! Hope you continue to join in, I love learning new things from the comments section.
I’m not so sure on the “once you have 2FA you’re golden”. What most people think is two factor is actually 2 step authentication. If someone has your phone and password (worth mentioning to disable password saving in a browser as these get synchronized to all devices and can be a back door) then the second factor is gone, i.e. I have something you know (password) and something you have (phone). The first thing someone with your phone will do is turn off location services, and log in to your accounts and remove 2FA and ALL other security codes and backups; they then have complete access to your Google, Microsoft, Dropbox etc. as they log in and disable your plan B codes etc. You have to be quick to change passwords to render the first factor unknowable to them. OR you can get a yubikey and set up real 2FA. I do not understand that people are very happy to carry around house keys and car keys but not a USB/NFC key to log in to computers and accounts. I have yubikeys on Google accounts to secure financial codes via email. This is the way of the future so worth investigating… if NZ banks would enable internet banking to be secured by FIDO keys they would actually be far more secure than they are; why they have not been told to cease and desist with SMS codes is inexcusable. Although I will say BNZ has a physical device for 2FA, but really, get with the program and support industry best practice like yubikey. Otherwise a great blog post that everyone needs to be reminded of regularly, and don’t trust the organisations you deal with to keep you secure, even banks; you need to do this yourself. Cheers
Great point, thanks for the pushback. I’m not super worried because someone would need to not only steal my phone but also unlock it somehow—I have it set so it’s always locked after a few seconds of inactivity. But I’ll certainly look into yubikey as a top priority when I do my next security audit, especially if the passcode/biometrics on my phone aren’t as secure as I currently assume they are.
Richard, thanks for the reply.
Agreed re phone unlock, however that is easier than one might expect: a close look at the glass of a switched off phone will have the tell-tale signs of commonly executed taps like a pin pattern. A quick thief may be able to keep the phone alive, or they have watched you unlock it, and 30% of android users don’t lock their phone! There is an even easier way in NZ due to our telcos not taking security seriously and that is SIM swapping: I don’t need your phone, I need your SIM, put it in a phone I have control over and, yes I need your password, but if I have that I now have SMS codes to empty your bank accounts, all with the blessing of you as you received the code right!!!! Moral of story: put a SIM PIN on and DON’T make it the same as your phone PIN
or your ATM PIN, that last one contravenes most bank T&Cs where they state card PINs need to be different to any other PIN you may have conjured up. Any way you look at it phones are a dumb security factor, if they were really that good houses and cars wouldn’t have keys now would they?
Yubikey is great and mostly the registration process is ok. I have found that Google are the only company that trusts us to be responsible with keys. Somewhat annoying and bizarre are Microsoft and Dropbox that still require a phone as a backup, completely pointless as I said before: if I can get in without a key then the first thing I do is remove all your 2FA, and voilà, your account is now my account!!
Keep safe, cheers