Cybersecurity Awareness Month: Time for a cybersafety check

cybersecurity-2544

October is Cybersecurity Awareness Month and a good time to batten down your online accounts.


Angela Lang/CNET

Cybersecurity Awareness Month! One of October’s many made-up observances — there’s also Bat Appreciation Month and International Walk to School Month — the occasion is a needed, if somewhat artificial, reminder to make sure you’re being cybersmart.

Being cybersmart means setting solid and unique passwords for all your online accounts, enabling two-factor authentication whenever possible and doing your best to keep as much of your private information, well, private.

If Cybersecurity Awareness Month prompts you to revisit your cybersafety, the holiday is worth celebrating. The sophistication and rate of automated password cracking, data breaches and phishing schemes continue to increase, says Guemmy Kim, Google’s director of account security and safety.

“The reality is passwords alone are no longer effective at keeping users safe,” she said in an email interview. Two-factor authentication is a must, she added. 

Another important reason for checking your cybersafety: Many of your accounts are linked together, a fact hammered home by the massive outage that shut down Facebook, Instagram and WhatsApp for a big chunk of Monday. Some people use Facebook to log in to other apps and sites. If Facebook goes down, those can be tough to get into. There are data privacy implications to linking accounts, too.

That means you need to lock down those accounts, and figure out what other information is tied to them. And, ideally, set up new app and site logins that aren’t tied to a social media network.

In celebration of Cybersecurity Awareness Month, here are some easy ways to keep your online accounts safe.

Use strong passwords 

Passwords need to be long, random and unique. About 15 characters will protect you from most password-cracking software. To make them easier to remember, you can use a passphrase of three unrelated words strung together, such as “GrandmafootballCheeseburger” or “lamppostParisHotsauce.” 

Avoid personal details that can easily be guessed. Your dog’s name, the model of your first car or the university you graduated from may be important to you, but they’re bad password material. Don’t recycle your passwords and use them on multiple accounts — no matter how good you think they are. That way, you limit the fallout if one of your passwords is compromised.

If all that seems daunting, sign up for a password manager. It’ll keep all your logins organized and secure. Using the password generator and manager built into your browser is OK, too. Though most browsers will require you to sign in to get the full list of saved passwords, individual ones will autofill, depending on the browser. 

Some of the in-browser options have been clunky in the past, but they’ve gotten better. For example, you can now use Google’s Chrome browser to autofill passwords into apps on an iPhone. Chrome’s password auto generation feature will soon work on iOS apps. Google says it’ll be similar to how Autofill with Google currently works on Android devices.

Always use 2FA when available

If your password does get compromised, a second layer of protection will go a long way toward protecting your account. Two-factor authentication, also called 2FA, multifactor authentication and two-step verification, requires that someone trying to access your account enter a second form of identification before getting in.

2FA works in a host of different ways. It could be a code generated by an app, a biometric like a fingerprint or Face ID, or a physical security key that you insert into your device. Yes, 2FA slows down the log-in process. But if 2FA is available, turning it on is a must.

Google said earlier this year that it would start auto-enrolling user accounts in 2FA. On Tuesday it said it expects to add 150 million Google users to the 2FA ranks by the end of the year. An additional 2 million YouTube users will be required to turn 2FA on within the same timeframe.

To make things easier, the company has also built security keys into its Android devices. With this building in of keys, a user doesn’t have to think about two-factor authentication as much and is therefore more likely to use it, Kim says.

“Ultimately, we want to get our users to a place where authentication is seamless,” she said.

One word of warning: If you can, avoid 2FA systems that text a code to your smartphone. Why? SIM swapping, in which cybercriminals steal your phone number by calling your wireless provider and having it switch your number to a new phone and SIM card. It does happen, and if criminals take over your phone number, they’ll get that text message, too.

Avoid using social media as a universal login

Signing in with the Facebook, LinkedIn or Google account you’re already logged in to on your phone or computer can be incredibly easy. 

That convenience, however, comes at a cost. As we saw earlier this week, if your sign-in service goes down, like Facebook did, you may have to find a different way into your connected non-Facebook accounts.

In terms of security, it isn’t a big leap to say that the Facebooks and Googles of the world probably have better security than that little game or app you’re trying to access, but there have been hacks. The more accounts you tie to your Facebook or Google account, the more eggs you’re putting in the proverbial basket.

The main sacrifice, however, comes in the form of privacy. Using the giant companies’ services to log in to apps gives the big guys access to even more of your data, because they can see what’s collected by the apps. The apps, in turn, can learn more about you by requesting access to things like your Facebook profile, friends list or contact information. 

While Facebook and other companies do give you some control over what data the apps can collect, it’s up to you to keep an eye on those requests and decline them when you don’t think they’re justified. 

source: cnet.com