According to my Twitter feed it is Cybersecurity Awareness Month. To celebrate the occasion I have decided to write down some tips that will hopefully be of use to non-technical friends and family.


1. Use a Password Manager

If you take one thing from this, it’s that you should be using a reputable password manager. If you aren’t familiar with what these are, they generate and store secure passwords for you, ensuring that all of your passwords are strong and unique. Having a different password for every service is important to protect yourself in the event an account is compromised in a data breach. Remembering and regularly updating dozens of secure passwords without a password manager is not realistic.

2. Use a long password

Password managers come with a worthwhile trade-off - the master password that you use to log in to the service needs to be extra secure. While it is common knowledge to most people that using special characters makes your password more secure, it is perhaps less obvious how much more effective it is to make your password longer. Consider this chart from Hive Systems showing the time it would take to brute force your password in 2024; I’ll use a subsection here to illustrate my point:

Characters   Lower & Uppercase   All Characters (% increase)
6            2 Hours             12 Hours (500%)
12           4m Years            164m Years (4000%)
18           91qd Years          19qn Years (21,000%)

For context, the percentage increase between a 6 character password with numbers and special characters and a 12 character password without them is 292,200,000,000%.

Your password should be at least 10 characters.
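To show why length beats special characters, here is an added Python example (mine, not part of the original post or the Hive Systems chart). It works from pure keyspace arithmetic at an assumed guess rate of ten billion guesses per second against a fast hash, so its absolute times will not match the Hive figures, which model specific hardware; the character-set sizes (26, 52, 62, 95) are also assumptions based on printable ASCII.

```python
import math

# Assumed alphabet sizes (printable ASCII): letters, letters + digits, everything.
CHARSET_SIZES = {
    "lowercase": 26,
    "lower_upper": 52,
    "lower_upper_digits": 62,
    "all_printable": 95,
}

# Assumed attacker speed against a fast, unsalted hash. This is a round
# illustrative figure, not a measurement taken from the Hive chart.
ASSUMED_GUESSES_PER_SECOND = 10**10


def keyspace(length, charset_size):
    """Number of possible passwords of exactly this length over this alphabet."""
    return charset_size ** length


def entropy_bits(length, charset_size):
    """Bits of entropy for a uniformly random password of this shape."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(length, charset_size, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Worst-case time for an attacker to try every password in the keyspace."""
    return keyspace(length, charset_size) / guesses_per_second


def human_duration(seconds):
    """Render a number of seconds in the largest sensible unit for a table."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600),
             ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"


def length_vs_charset(short_len, long_len):
    """How many times larger the keyspace of a long letters-only password is
    than a short password drawn from every printable character.
    A ratio above 1 means the longer password wins despite the smaller alphabet."""
    short = keyspace(short_len, CHARSET_SIZES["all_printable"])
    long_ = keyspace(long_len, CHARSET_SIZES["lower_upper"])
    return long_ / short


if __name__ == "__main__":
    print(f"{'Chars':>5} {'Lower & Upper':>18} {'All printable':>18}")
    for length in (6, 8, 10, 12, 18):
        letters = human_duration(seconds_to_exhaust(length, CHARSET_SIZES["lower_upper"]))
        everything = human_duration(seconds_to_exhaust(length, CHARSET_SIZES["all_printable"]))
        print(f"{length:>5} {letters:>18} {everything:>18}")
    ratio = length_vs_charset(6, 12)
    print(f"12 letters vs 6 of everything: {ratio:,.0f}x larger keyspace")
```

Run it as a script to print a small table like the one above; doubling the length multiplies the keyspace by the alphabet size raised to the extra length, whereas widening the alphabet only multiplies it by a fixed factor per position.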

3. Use a secure password or passphrase

The second important factor you should consider is that your password is secure, meaning it cannot be guessed and would not appear in any list of passwords. That means no personal information (names, birthdays, hometown etc), no public information (song lyrics, quotes from books, common expressions etc) and most of all no re-used passwords. If the distribution of four digit pin codes is anything to go by (27% of people use 0.2% of possible combinations), people often default to using insecure passwords out of convenience. You shouldn’t do this; take the time to come up with something secure. If you use a password that is in a list of common passwords, or previously breached passwords, the table above would look like this:

Characters   Lower & Uppercase   All Characters
6            Instantly           Instantly
12           Instantly           Instantly
18           Instantly           Instantly

While using a long password or passphrase makes it more likely your password will be secure, it is still important to make sure no one could easily guess it.

Here is an example of how you might develop a secure master passphrase:

Step 1 - Think of a group of three or four people you know. Put each of the people in some order.
Step 2 - Think of a unique word that you associate with each of the people individually. You get bonus points if it’s not a real word.
Step 3 - String the words together in the order you chose in Step 1.
Step 4 - Add uppercase & special characters where still readable.

Following steps like these should lead you to develop a passphrase that is secure and easy to remember. The downside is you should update it regularly to keep it secure.

You can come up with a new passphrase using the same method, or, with a little more planning, you can come up with some sort of changeable element for your passphrase. While this is less secure than changing your passphrase entirely, it is more secure than not changing it at all. How regularly you change your password is up to you.

Here are some examples of how you might come up with a system for updating it every year:

  1. Multiply the year by a set number like a street address. Sandwich your passphrase in the middle of the resulting number.
  2. Use some kind of substitution cipher, like a Caesar cipher, and shift some or all of the letters by a set number.
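To make the passphrase checks in section 3 and the two yearly-update schemes above concrete, here is an added Python example (mine, not the post’s own code). The common-password list and the personal terms it checks against are constructed sample data; a real check would use a full breached-password list. The Caesar variant shifts letters by the last two digits of the year, and the sandwich variant uses a multiplier of 42 by default; both choices are assumptions for the example.

```python
# Constructed sample data: a tiny stand-in for a breached/common password list
# and for personal details that should never appear in a passphrase.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou"}
PERSONAL_TERMS = {"iain", "1987", "london", "rover"}


def check_passphrase(candidate, common=COMMON_PASSWORDS, personal=PERSONAL_TERMS,
                     min_length=10):
    """Return a list of problems; an empty list means the passphrase passes the
    checks from the post: long enough, not in a known list, no personal info."""
    problems = []
    lowered = candidate.lower()
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if lowered in common:
        problems.append("appears in a common/breached password list")
    for term in sorted(personal):
        if term.lower() in lowered:
            problems.append(f"contains personal information: {term!r}")
    return problems


def build_passphrase(words, decorate=True):
    """Steps 3 and 4: join the chosen words, then add capitals and a symbol
    in a way that is still readable."""
    joined = "".join(w.capitalize() if decorate else w for w in words)
    return joined + "!" if decorate else joined


def caesar_shift(text, shift):
    """Scheme 2: rotate letters by a fixed amount, keeping case and leaving
    digits and symbols untouched."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def sandwich_with_year(passphrase, year, multiplier):
    """Scheme 1: multiply the year by a fixed number (a street address, say)
    and split the resulting digits around the passphrase."""
    digits = str(year * multiplier)
    half = len(digits) // 2
    return digits[:half] + passphrase + digits[half:]


def yearly_variant(base, year, scheme="caesar", multiplier=42):
    """Derive this year's passphrase from the base one under either scheme.
    The shift used for the Caesar scheme is the last two digits of the year
    (an assumption for this example)."""
    if scheme == "caesar":
        return caesar_shift(base, year % 100)
    if scheme == "sandwich":
        return sandwich_with_year(base, year, multiplier)
    raise ValueError("unknown scheme")


if __name__ == "__main__":
    base = build_passphrase(["blue", "wombat", "pancake"])
    print(base, check_passphrase(base) or "ok")
    for year in (2024, 2025):
        print(year, yearly_variant(base, year), yearly_variant(base, year, "sandwich"))
```

Note that rotating or wrapping a base passphrase does not add entropy to it: anyone who learns both the base and the scheme can predict every future year, which is exactly the trade-off the text describes.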

4. Enable 2FA via an Authenticator App

Two factor authentication codes are an important backstop should someone try to access any of your accounts - you should be using 2FA everywhere that lets you. However, 2FA is not foolproof, especially via SMS, and, in a worst case scenario, a malicious actor can intercept the 2FA code and use it to take further control of your account. The easiest way to prevent this is to use an authenticator app on your phone that generates the 2FA codes on the device itself, so there is no code in transit to intercept. Unfortunately, not all services allow you to use an authenticator app to generate 2FA codes, but you should use one wherever possible.

5. Enable HTTPS everywhere

Contrary to what VPN marketing would lead you to believe, the vast majority of the web already uses end-to-end encryption to protect against your information being intercepted. It’s called HTTPS, and you can see if a website is using it by looking at the address bar in your browser. Most browsers have a setting that you can enable to warn you before proceeding if a website is not using HTTPS; I suggest you enable that setting if it isn’t already enabled by default, and only proceed past the warning if you are sure the website author is trustworthy. Know that HTTPS is not a silver bullet - it only encrypts the traffic between you and the website, it does not protect you from the website itself. Malicious websites can have HTTPS too, so you shouldn’t trust a website just because it has HTTPS.

As for VPNs, they are undoubtedly useful in certain situations, but they are not so necessary for protecting you online that a normal internet user needs to have one, in my opinion. It’s a similar story with anti-virus software. Unless you have reasons to, the added protection offered by these solutions is likely overkill, and not worth the additional cost or performance impact. Your operating system’s built-in protections should be enough to protect you from most threats as long as you practice all the safe browsing habits your bank emails you about.

6. Keep up to date

Vulnerabilities are normally fixed or ‘patched’ before they can be widely exploited. To protect your device, it’s important to keep it up to date so that you receive these patches regularly. The same is true for any applications that you use. Developers and manufacturers usually guarantee security updates for a certain length of time. Windows 10, which still has 67% of the total Windows OS market share at the time of writing, is due to reach the end of its support life one year from now - if you are using Windows 10, you should upgrade to Windows 11 before the 14th of October 2025. This may require buying a new computer. I detest e-waste, and don’t like recommending that you buy a new device to replace one that works, but continuing to use Windows 10 after October 2025 will open you up to ever increasing vulnerabilities and is not advisable. The only other solution would be to install a different operating system - if that’s something you would like to try, I’d be happy to help you try a Linux distribution.

Something else you should keep in mind as it relates to security updates is IoT and “smart” devices like a home assistant or smart thermostat. Devices like these receive updates less frequently than your computer or phone, and in some cases they might not receive updates at all, especially if updates need to be initiated by the user. This makes these devices more susceptible to having vulnerabilities exploited. Keep these devices up to date if you can, and, if you want to be safe, consider setting them up on an isolated network. I would recommend only buying smart devices from reputable and well researched manufacturers - the cheap TV boxes you see marketed on Amazon would be a prime example of something you probably shouldn’t plug into your home network - and keep in mind that seemingly reputable manufacturers may be using third parties that aren’t as reputable. Reading the security policy for these devices isn’t the worst idea, either.

7. Use temporary email addresses

Your email address has almost certainly been in multiple data breaches (you can check here). There is no way of un-breaching it; however, you probably shouldn’t give it freely to any website that asks for it, unless you trust them. If you only want to try out a service or use it temporarily then consider using a throwaway email service like this one - which issues you a temporary inbox that expires after 10 or 15 mins - giving you time to set up an account, confirm your email address, and then never think about it again. You can still use the address to log in to the service, but you won’t have to worry about spam or data breaches - you can always add your real email address later if you decide you want to keep using the service.

You can also create a sub-address of your real email address like email+sometext@domain(.com) if your email provider supports plus addresses. You can block the sub-address later if necessary.

8. Backup. Backup. Backup.

Making regular backups of your data is important because it gives you a point to restore from in a worst case scenario. This defends against malicious programs like ransomware, but also against your own mistakes, as you are more likely to lose data through negligence than a malicious actor. Ideally you should follow the 3-2-1 backup rule, and have at least 3 copies of important data, on 2 different media, with 1 kept in a different location, but do what is realistic. You should never have a single point of failure for your data. I like to have four at different intervals:

1 - The data on my computer.
2 - Backed up daily to my cloud storage provider.
3 - Backed up weekly to an external hard drive.
4 - Backed up every 3 months to an external hard drive kept off-site.

I would recommend creating a backup of your files, rather than (or in addition to) a full system image. This will reduce the size of your backup and the potential for restoring a malicious executable in the event you need to start fresh. You can restore your applications from the internet, but you can’t restore your files if you don’t have a backup.
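As an added example of the file-level backup this section recommends (mine, not the post’s own tooling), here is a Python script that archives a folder’s data files, skips executables so a restore cannot bring a stray program back with it, records a SHA-256 manifest, and verifies an archive against that manifest by hashing the members directly from the archive rather than extracting them. The sample folder it builds and the list of skipped extensions are constructed for the example.

```python
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path

# Extensions skipped so a restore does not bring back a stray executable;
# this list is an assumption for the example, adjust it to taste.
SKIP_SUFFIXES = {".exe", ".dll", ".msi", ".bat", ".scr"}


def sha256_of(path):
    """SHA-256 of a file on disk, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_files(source, dest_dir, label):
    """Archive the data files under `source` (skipping executables) and write a
    manifest of SHA-256 digests next to it. Returns (archive, manifest) paths."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    archive = dest_dir / f"{label}.tar.gz"
    manifest_path = dest_dir / f"{label}.manifest.json"
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(source.rglob("*")):
            if path.is_file() and path.suffix.lower() not in SKIP_SUFFIXES:
                rel = path.relative_to(source).as_posix()
                manifest[rel] = sha256_of(path)
                tar.add(path, arcname=rel)
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return archive, manifest_path


def verify_backup(archive, manifest_path):
    """Re-hash every member straight from the archive and compare it with the
    manifest. Returns the names that are missing or changed; an empty list
    means the backup is intact."""
    expected = json.loads(manifest_path.read_text())
    seen = {}
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                seen[member.name] = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
    problems = []
    for rel, digest in expected.items():
        if rel not in seen:
            problems.append(f"missing: {rel}")
        elif seen[rel] != digest:
            problems.append(f"changed: {rel}")
    return problems


def demo():
    """Build a constructed sample folder, back it up, verify it, then corrupt
    the manifest to show a mismatch being caught. Returns
    (files in manifest, problems before tampering, problems after tampering)."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "Documents"
        (src / "notes").mkdir(parents=True)
        (src / "notes" / "todo.txt").write_text("renew passport\n")
        (src / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 not really a photo")
        (src / "installer.exe").write_bytes(b"MZ should not be backed up")
        archive, manifest = backup_files(src, Path(work) / "backup", "weekly")
        count = len(json.loads(manifest.read_text()))
        before = verify_backup(archive, manifest)
        tampered = json.loads(manifest.read_text())
        tampered["photo.jpg"] = "0" * 64  # simulate a digest that no longer matches
        manifest.write_text(json.dumps(tampered))
        after = verify_backup(archive, manifest)
        return count, before, after


if __name__ == "__main__":
    print(demo())
```

Keeping the manifest alongside each backup is what lets you tell a good copy from a silently corrupted one before you need it, which matters most for the off-site copy you rarely look at.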

9. Encrypt your data

The password on your computer only prevents other people from logging in to the operating system. Unless you encrypt the data itself, anyone with physical access to your device can access it. For this reason, you should probably encrypt any data that isn’t physically secure - i.e. in your house. This includes data on laptops, off-site backups, and any sensitive data kept in the cloud.

For a laptop, and any drive that leaves your house with sensitive data, it makes sense to use full disk encryption - where all the data on the drive is encrypted and you access it using an encryption key or an additional password when you log in. Your operating system should have tools for enabling full disk encryption, though, sadly, I believe it is only available in the Pro versions of Windows (if you are comfortable doing things yourself I’ve heard good things about VeraCrypt). Using full disk encryption and a strong login password should give you peace of mind that your data is safe if you leave your laptop somewhere absentmindedly.

The alternative to using full disk encryption would be to encrypt only sensitive files - the easiest way to do this is by creating a password protected zip file using an archive utility that uses a strong encryption standard like AES. If you are comfortable using a command line interface, I would recommend age, which is a more fully featured encryption tool. You can also use these methods to encrypt any particularly sensitive data that you upload to cloud storage. There is a joke that “the cloud” is just someone else’s computer - this isn’t entirely accurate, but, unless you need to work on your data in the cloud, it doesn’t hurt to encrypt it. Again, those comfortable with the command line might want to look into rclone - which is how I encrypt sensitive data I store in the cloud.


I hope you found these tips useful. If you have any questions get in touch. Stay safe online!

Iain