Today is World Password Day, a global initiative that aims to raise awareness about making your passwords less shit. As Gizmodo Australia readers, you all know not to use Password1234 and you’re across the kind of stuff you probably shouldn’t post on Facebook (if you even have one), so telling you to practice good cyber hygiene is a little redundant here.
Instead, in the spirit of this whole World Password Day, we’d like to re-share our Complete Guide to Not Getting Hacked. This article was originally published in August, but honestly, not a thing has changed.
As safe as you might feel sitting at your laptop, happily typing and posting and scrolling, we all know the truth: the internet is actually a giant hellscape full of spies, criminals, ransomware, and all kinds of other dangerous shit.
Indeed, if last year taught us anything, it’s that the web is a very scary place and nobody is safe.
Thus, if you want to try to keep your online life private, secure and safe (or, at least, safer than it currently is), we’d like to cautiously present you with some very basic, potentially helpful suggestions.
Without further ado:
Update, Update, Update
One of the easiest ways to get hacked is to forget to update your applications. When companies send you an update, they’re not just trying to annoy you. Updates often have important security patches designed to thwart the exploitation of vulnerabilities in their software. (All software has vulnerabilities, they just haven’t all been discovered yet.) When you update your phone’s OS, your browser, or an application, you’re generally keeping the hounds at bay by making sure your online life is properly fortified. So update! Do it! Do it RIGHT NOW!
Enact 2FA and Use a Security Key
You’ve probably heard it before but we’ll say it again: two-factor authentication is a really good idea. In essence, 2FA is just a way to ensure that the person logging into your online accounts is you. Many online accounts will give you the option to enact 2FA (check out Twitter’s how-to, for example). Generally speaking, you will be asked to provide another piece of identifying personal information — like a texted code to your phone or a biometric identifier — to ensure you are who you say you are.
However, I would argue the best way to set up 2FA is by investing in a security key. Security keys are small, portable pieces of hardware that can be synced with your online accounts, ensuring that the only way to get into those accounts is to be in possession of the physical key. After syncing, logins will prompt you to insert your key into whatever computer or device you’re using. If you don’t have the key, you can’t get in. Luckily, most keys are small and portable and can be hung on your keychain, ensuring that they’re never far from you and are difficult to lose. (Slap an Airtag on the keychain if you really want to be careful.)
There are a number of different brands to choose from, and keys generally hover around the same price range ($40 to $90): Yubico, Thetis, SoloKeys, Google Titan, and more. You can check out a full run-down here.
Choose Passwords That Don’t Suck
Ah yes, the password. Keeper of secrets. Master of privacy. While a serviceable security mechanism, a bad password is a sure way to get your information stolen.
Make your password long, complicated, and random. Don’t use your pet’s name. Don’t use your birthday. People make the mistake of thinking a password should be an intimate, personal secret when, in reality, criminals and spies are very competent at ferreting out those personal details and using them against you.
So make a long, depersonalised, incoherent password, that looks like something a computer barfed up. Use numbers and letters and maybe bits of jargon. It’s better if you don’t use whole English words. For instance, instead of using the word “pamphlet” in your PW, you might write “pAMPh$3let.” The more random, the better.
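An added example, not part of the original article, of the advice above: it draws a password from the operating system's secure random source and checks whether a password still gives away personal details once capitalisation and look-alike swaps are undone. The function names, the character set and the sample pet name and year are assumptions constructed for illustration.

```python
import math
import secrets
import string

# Assumed character set; swap in whatever symbols a given site permits.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+?"
# Common look-alike swaps, undone before searching for personal details.
LEET = str.maketrans("0134578$@!", "oleastbsai")


def generate_password(length=20):
    """Pick every character independently with the OS CSPRNG."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Retry until lower case, upper case and a digit are all present.
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)):
            return pw


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Approximate entropy of a uniformly random password, in bits."""
    return length * math.log2(alphabet_size)


def personal_details_in(password, details):
    """Return the details (pet name, birth year, ...) that are still
    recognisable in the password after lower-casing and undoing swaps."""
    folded = password.lower()
    plain = folded.translate(LEET)
    hits = []
    for detail in details:
        d = detail.lower()
        if len(d) >= 3 and (d in folded or d.translate(LEET) in plain):
            hits.append(detail)
    return hits


if __name__ == "__main__":
    # Constructed sample data: a pet called Rex and a 1987 birth year.
    print(personal_details_in("R3x1987!", ["Rex", "1987"]))
    pw = generate_password()
    print(pw, f"~{entropy_bits(len(pw)):.0f} bits")
```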
Encryption is the best way to ensure that whatever you are doing online remains private. In short, encryption ensures that if your data ever does get swiped or intercepted, the person stealing it won’t be able to make heads or tails of it. That’s because encryption transforms information into incoherent cryptographic symbols that, when done correctly, can only be decrypted by trusted parties.
But what to encrypt? Well, whatever you can.
To start, encrypted email services are always a good idea. You may have to shell out a small amount of money to subscribe, but, in general, it’s worth it. You’ll need to do some of your own research, but there are a number of options: ProtonMail, Tutanota, and Private-Mail are all popular options and good places to start.
Meanwhile, an encrypted chat function is also a good idea. If you want to text someone, just use Signal. For the most part, it’s hard to find anything to complain about when it comes to Signal. The end-to-end encrypted messaging service has been shown to be super effective at keeping communications private and secure, and they retain virtually no information about you once you make an account — making it a privacy must.
Finally, you can even encrypt the data on your desktop or laptop, so that if someone does try to steal your data, it’ll pretty much be useless to them. You will need to look up how to do this on your individual device. For example, Apple offers FileVault, which allows you to easily encrypt the data on your startup disk — making it impossible to view without your login approval.
Should You Use a VPN? Probably Maybe Yes
To get a VPN or not get a VPN? That is the question.
To review, virtual private networks are considered to be a very basic privacy mechanism — though they don’t always work as intended. VPNs route your internet traffic through the servers of a private company, hiding certain pieces of identifying information from the websites you visit, like your location and your IP address. They also mask your web activity from your internet service provider.
Considering the fact that ISPs and websites have been known to sell your personal data to the highest bidder, this isn’t a bad idea. However, the caveat is that you must then trust the VPN company with your data — which isn’t always a sure bet. In fact, while VPN companies are not supposed to log your data and activity, numerous companies have been found doing so. Others have actually been found selling users’ information — a pretty grotesque violation of the very point of their business.
There are other caveats. One is that VPNs can and have been hacked. A recent episode involving Pulse VPN — a product widely used by federal agencies and contractors — shows how dangerous this can be. If a hacker gets inside a VPN’s system, they basically own your data and web activity.
Anyway, the bottom line is that VPNs can be a bit of a crapshoot. You need to inspect them carefully and decide whether you trust them with your data or not. For a full run-down, you can check out a blog from last year that we did on this subject. If going through all that is too much for you, we concluded the best VPN for most people is Mullvad.
Try a Password Manager
A strong password is a good security mechanism but it means nothing if somebody steals it or you forget it. Thus, a lot of people use password managers — programs specifically designed to catalogue and protect the precious codes.
Most browsers — like Chrome — come equipped with built-in password managers. The question is: do you really want to give your codes to a company that is already collecting immense amounts of personal information about you? Personally, I’m not a huge fan of that idea.
The only problem here is that password managers do occasionally get hacked. For instance, the manager Passwordstate was hacked earlier this year, temporarily exposing users’ credentials for 28 hours — not very good! While these incidents are rare, they may still give some users pause.
Or Try Something More Old-Fashioned
If you feel you can’t ultimately trust anybody with your passwords, there is one mind-blowing alternative: just write them down. Like, write them down on a real, physical piece of paper. Yes, I know, that sounds totally crazy but, in reality, it’s a lot less onerous and annoying than you might think. It’s actually the one way to ensure that hackers won’t filch all of your precious codes and it’s a helluva lot cheaper than a monthly manager subscription.
Secure (or Delete Your) Social Media Accounts
If you insist on using social media, the very least you can do is tighten up the security and privacy features that such platforms actually allow you to have.
In the case of Twitter, you can enact 2FA to lessen the chances that somebody hacks into your account and starts shitposting on your behalf. Meanwhile, when it comes to Facebook and Instagram, you can seriously lock down the kinds of photos that are visible to outside observers, enact 2FA, and greatly customise the privacy settings for who sees what, when, and how. It will take some careful research, but being thoughtful and intentional about how you protect your online information is the least you can do when you’re giving up so much of it.
But better yet, just delete your accounts. How much is your life really being improved by watching the internecine battles between your ideologically opposed friends and relatives? How important is it to see what kind of brunch your co-worker digested the other day? Why is a death-dealing argument with a Twitter bot preferable to an actual conversation with a human? Delete the perverse, anxiety-inducing shit and go for a walk. You can’t get doxxed if you don’t have an account.
Avoid This Shit
— Unknown websites with weird names
— Unsolicited emails
— Attachments in unsolicited emails
— Pop-ups on porn sites
— The dark web
— Basically, don’t click anything. Or, at least, if you have to click on something, make sure it’s from a known, trusted source.
If you want to start getting really serious about your security, you might try checking out a totally different operating system that prioritises privacy and security. For that, there’s Qubes.
Qubes is an OS that has been recommended by numerous privacy and security advocates. Essentially, it allows you to customise and compartmentalise different areas of activity on your desktop computer using virtual machines — programs that execute the processes of your device in a separate, virtual software platform. This compartmentalisation makes it so that if one section, or “qube,” gets, say, infected by malware, the infection will stay contained to that partitioned section and won’t infect the rest of your data. It’s all pretty complicated, but it’s worth exploring if you’re curious.
You will have to figure out how to load Qubes into your computer. You can read a full list of the hardware that is compatible with it.
Go Off the Paranoia-Soaked Deep End and Lose Your Mind
Look, the truth is this — you can do all this stuff and still have your privacy and data completely wrecked. Hackers can still get in. Whatever Western government you’re living under can probably still target you with eye-of-Sauron-level surveillance. The social media company holding your data can misconfigure its databases and leave your email address and phone number exposed. In reality, it’s a wash.
However, if you really want to be totally safe and make sure your personal information is protected, I’ve thought about it and there are a couple of additional steps you can take. Here they are:
— Drink heavily and ruminate on the madness of the modern world.
— After a nightcap or three, go to the nearest window and throw your stupid computer out of it while screaming “I’M MAD AS HELL” like Peter Finch in Network.
— Escalate things and murder your phone. Desolder the fucker, smash it to pieces with a ball-peen hammer — then burn the parts in a ritualistic conflagration in the backyard. Later, siphon the phone’s ashes into a little glass vial and hang it around your neck to remind you of your triumph over evil.
— Cancel your lease, sell your earthly possessions and just drive. Where? It doesn’t matter. You just have to get out of there.
— Live in a tent in an unincorporated territory and read books and river bathe. Learn to enjoy the simple things — like the sound of crickets at night, the majestic sight of a buck as it traipses across the prairie, and your own body odor.
— Pray that someday, in some as yet unseen American future, your congressional leaders will grow real, actual testicles and introduce laws to regulate the dystopian corporate monsters that have swallowed the world and eradicated human privacy.
— Weep for humanity.
Go forth and practice good internetting, folks.
This article has been updated since it was first published.