08 Jun

6 Top Tips for a Safer Password


1. Keep your password safe

It sounds obvious, but your password should be unique and kept secret. It is also wise to change your password every 2 to 3 months. This makes sure that if anyone does know what your password is, they won’t for long.

If you ever suspect that someone else may know your password, change it immediately. Never tell anyone what your password is, and be suspicious of anyone asking for your password by phone or email. Avoid ever sending your password via an insecure method such as email; a request like this could be an attempt to ‘phish’ you.

If you receive an email or call out of the blue claiming to be from your bank or the ATO, it is likely to be something known as ‘phishing’ – someone pretending to be your bank so they can use your details to access your accounts. If this happens to you, decline to provide your details, ask which department they are with and advise that you will call them back. Go to that organisation’s website and find their contact number (do not trust any contact information the caller gives you), then call the organisation back and explain what has happened. If the call was legitimate they will be able to connect you to the correct department. If not, they may wish to know more about what happened so they can pass it on to their security team.

2. Don’t use personal information

Never create a password using your personal information such as names, significant dates like anniversaries and birthdays, streets you’ve lived on, or favourite films. Any of these details can be guessed by someone who knows enough about you or who can find them, for example on social media such as Facebook.

3. Use a strong password

Don’t just swap letters in your password for numbers, special characters or capital letters; such substitutions are predictable and add very little to your password strength. Add extra characters or numbers to your password instead. Also, never use a dictionary word on its own, as this is one way someone might gain access to your account using a method known as a dictionary attack.

Longer passwords have more entropy by their nature, which makes them stronger. Entropy is a lack of order or predictability – in essence, randomness. A short sentence built from randomly selected words can be a smarter choice for a password than a string of random letters and numbers. Instead of trying to remember random characters, you could remember 5 or 6 words that form a short sentence. By doing this, you will have a much longer password – with more entropy – and a lesser chance of falling to a dictionary attack.

A dictionary attack is where dictionary words (generally 8 or more characters in length) are tried as the password. Using a sole dictionary word offers little security to your account. Using a passphrase of multiple words separated by different characters (even spaces) can offer a suitable password in many situations. Generally the use of 4 or more words in a passphrase is recommended.
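To put numbers on the entropy argument above, here is an added example (not part of the original post) that estimates the entropy of the schemes discussed and generates a passphrase by random selection. The word list is a constructed stand-in, and the 170,000-word dictionary size used for the single-word comparison is an assumed figure.

```python
import math
import secrets

# Constructed stand-in for a real word list (a Diceware list has 7,776 words).
SAMPLE_WORDS = [
    "anchor", "basket", "cactus", "dolphin", "ember", "falcon", "garlic", "harbour",
    "island", "jacket", "kettle", "lantern", "marble", "nectar", "orbit", "pepper",
]


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy in bits of a secret made of `length` symbols, each drawn
    uniformly and independently from `pool_size` choices: log2(pool ** length)."""
    return length * math.log2(pool_size)


def generate_passphrase(wordlist, words: int = 5, sep: str = " ") -> str:
    """Pick words with the OS cryptographic random generator. The strength
    comes from this random selection, not from the words themselves, so the
    words must never be hand-picked."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def compare_schemes() -> dict:
    """Entropy of the password schemes discussed in the post.
    The 170,000-word dictionary size is an assumed figure for a large
    English word list; 62 is letters of both cases plus digits."""
    return {
        "one dictionary word": entropy_bits(170_000, 1),
        "8 random letters and digits": entropy_bits(62, 8),
        "4 words from a 7,776-word list": entropy_bits(7776, 4),
        "5 words from a 7,776-word list": entropy_bits(7776, 5),
    }


if __name__ == "__main__":
    for scheme, bits in compare_schemes().items():
        print(f"{scheme:32s} {bits:6.1f} bits")
    print("example passphrase:", generate_passphrase(SAMPLE_WORDS))
```

Each extra word from a 7,776-word list adds about 12.9 bits, so four words already exceed eight random alphanumerics while being far easier to remember.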

4. Use different passwords

Avoid using the same password for multiple things! It may seem convenient to use the same password for everything; however, you’re leaving yourself at risk. For example, let’s say you sign up to a website using the same password you use for your email and your internet banking. If the new website you sign up to gets hacked, or your information is not secured properly, anyone who gains knowledge of your password will now have access not only to your account on that website but also to your email and internet banking. Once they are into your email, they will likely find and gain access to more of your services by using the same password. As the saying goes, a chain is only as strong as its weakest link – the same can be said for security. Tools such as 1Password can help.

It can be very hard to remember a different password for everything you use. ‘1Password’ allows you to store all of your passwords securely and enter them into login forms via a browser plugin. This means that you can have a different password for everything and not have to remember them all; you just need to remember your master password. In effect, you only need to know 1 password to log into everything, yet you are no longer at risk of 1 website being hacked and someone then having access to all of your accounts right across the Internet.

5. Use multi-factor authentication where possible

Security questions are potential security holes. When you set up an account, you may be asked to provide answers to certain security questions, which can be used later to reset your password. Avoid using easy questions such as “what is your mother’s maiden name?” or “what was the name of the street you grew up on?”, as the answers to these sorts of questions can be very easy to find via social media. Instead, opt for obscure questions whose answers people are not likely to be able to find or guess. Writing your own questions, or avoiding these systems altogether, is a better option.

Some websites will allow you to record your mobile number on your account, and in the event you need to reset your password they will send you an SMS with a unique code you need to enter into their website to confirm the reset. This operates in a similar way to multi-factor authentication (using tools like Google Authenticator) and is a much more secure method than using security questions alone.

Google Authenticator combines your password with a second method of authentication. You install an app on your smartphone, which generates a short-lived unique number. When you log into your account you use your password as normal, as well as the number shown by the app on your phone. This ensures that even if someone knows your password, they cannot log into your account without this unique code. As these codes change every 30 seconds or so, they cannot be memorised by anyone and are highly unlikely to be guessed.

6. Take security seriously

Security is not only about your protection, but also that of others. If your account allows access to other people’s data, your password is not just a barrier to your information, but to that of other people. This is particularly important for anyone who has access to a WordPress or Drupal admin panel. If someone can gain access to the backend of your Content Management System (CMS), they can gain access to all of your website’s data, including information about any users who may have signed up to your website. Under privacy laws, you have a duty to provide adequate protection to any personal information you possess.

Keep your social media secure and private

We all like to share photos and life events with our friends. It is recommended that you adjust your privacy settings in all your social media accounts, like Facebook, to allow only your friends to see your posts by default. This limits people’s ability to gather information about you. If you need to, you can mark individual posts as public so the whole world can see them.
