If you've heard all the latest news about stolen passwords and identity theft, you probably want to feel more secure, but you don't know where to start. This post is intended to give you a quick step-by-step guide to securing and backing up your valuable data. While this is not a comprehensive tutorial, I have added explanations to help clarify some of the suggestions. I'll link to tutorials wherever possible but in the interest of a concise guide, the main intent is to tell you what you need to do and only get you started on how to do it. This is also heavily biased towards Mac users.
Let's quickly look at what we want to protect and the types of risk:
- Financial information that can be used to steal your money: bank accounts and passwords, credit card numbers, balances, passcodes, security questions.
- Personal data that can be used to steal your identity (and therefore your money): social security number, home address, birthdate, mother's maiden name, former addresses, phone number. Consider how your bank verifies your identity when you call them with a question.
- Private data that can be used to embarrass you, blackmail you or cripple your business: Personal or intimate email and chat conversations, confidential business data or transactions (like details of a negotiation), intellectual property (like a novel in the works), legal information.
- Social Media that can be used to hurt or ruin your reputation: Posting to your Facebook or Twitter account posing as you.
- Data Access that can be used to delete all your photos, email, work, music and anything important to you.
Here's how to start protecting yourself against all that nastiness. Just follow the steps below and read the explanations if you'd like more detail.
Secure Your Physical Devices
Steps to follow:
- Set a passcode on every mobile device and be smart about it:
- No easy codes like four numbers repeated: 1111, 2222, etc.
- No patterns like 2580 (look at it on your phone)
- Encrypt the hard drive of all your computers.
- Mac Users: Enable FileVault full disk encryption. Store the recovery key somewhere safe away from your computer.
- Require a password to login to your computer on startup and after waking from sleep. When FileVault is turned on, automatic login is disabled.
If your phone, tablet or computer are lost or stolen, the data is vulnerable. The drives can be removed and read easily, so start by using passcodes (mobile) and encryption (laptops and desktops) to secure the hardware. It's important to require a password to wake your computer from sleep since it can be stolen while powered on.
Lock Down All Your Email Accounts
Steps to follow:
- Change your email password to be a long string with random characters.
- Turn on 2-step verification in gmail
- If you don't use an email service that offers Two-factor authentication, consider switching or use a very strong password and SSL/TLS to encrypt your connections to email.
The first thing hackers will do is try to get access to your email so they can send Forgot Password? requests to all the sites of which you are a member. This happened to a prominent Wired editor and it was hell.
You will hear a lot about Multi-factor Authentication (MFA) aka Two-factor Authentication (TFA) aka 2-step verification. All these mean is that another code (a "factor") is required in addition to your password to log in to your email.
When MFA is enabled, after you enter your password the site will request a special code. That code is either provided by an app like google authenticator or sent via SMS to your phone. So if an attacker gets your password, they would also need your phone (unlocked) in order to use the app or to receive the SMS message to enter the second code and log in to your account.
Email is the one password that you might want to actually remember (instead of using a random string as recommended later). If you do, make it a long password with a mixture of numbers, letters and special characters. If you have MFA enabled, you'll want to be able to get into your email if you don't have your password manager available.
Set up a Password Manager and Change To Stronger Passwords
Steps to follow:
- Buy a password manager like 1password and follow the help guides. A good initial strategy is to start storing the passwords as you go about your normal routine so you can get comfortable using the app.
- Learn how to sync your passwords to your mobile device and to the cloud so they are available to you when away from your main computer.
- Once you have your main passwords recorded and synced to multiple devices, and you are used to working the new app, start changing your passwords to long, random strings.
- Use the password manager to store random answers to security questions. Don't answer with real information anymore, just random words that you can look up.
- When you change your passwords, turn on Multi-factor Authentication for sites that support it like Apple ID, Dropbox, Facebook, and of course gmail. There's a great lifehacker article with a more comprehensive list.
Let me emphasize again that human beings are exceedingly terrible at choosing passwords, even when they choose relatively strong passwords.
Any password you can think of has a 60-90% chance of being decrypted. Let a computer make one for you, they're much better at it.
Good password managers store passwords as you log into sites, help you generate strong passwords, and only decrypt the data on your computer so nothing is exposed "in the cloud".
While I strongly advise using a password manager, I will add the warning that they do introduce some extra work. This is offset by the convenience of only remembering one password and just clicking to login, but managing and syncing passwords as they change takes a bit more time. If you choose not to use a password manager, at least consider using "password tiers": one password for your email, one password for all financial sites, one password for all social media, one password for everything else. This is not a great strategy, but if someone gets your Facebook password, at least they can't login to your bank account with it.
Hat tip to the very wise @gscottolson for his advice on using password managers effectively.
Backup Your Data Locally and Remotely
Steps to follow:
- Buy a cheap, portable external USB drive of at least 1 TB.
- When you first use the drive with Time Machine, be sure to encrypt it. This will require a password every time you use it, but if you lose the drive, the data is secure.
- For remote backup, use a service like Backblaze, Mozy, Carbonite, or Crashplan.
You need to backup your data regularly. I prefer to use a local, offline backup (Time Machine) and an online backup service. Local backups are very useful because they are fast for both backup and restore. Online backup services are great because if something happened to both your computer and your backup, you can restore from the remote service. Consider an unfortunate event like a fire or burglary where all the devices in your home are destroyed or stolen. With remote backups, you can buy a new computer, login to the service and download all your data within a relatively short period of time.
Additionally, Time Machine and most remote services backup your entire drive (or at least all the important data and skip things you don't need like applications), so you don't need to think about what to back up, it's just all available to you.
Steps to follow:
- Don't send anything private over email: passwords, credit cards, SSN, etc.
- Don't post anything anywhere you don't expect to be seen publicly for a long, long time.
- Earlier I recommended using random words for security questions. I also recommend choosing a particular random word that you always use when asked for your mother's maiden name. If it's compromised, you can always change it.
- While I strongly recommend using a password manager and random text strings for passwords, if you are going to remember any of your passwords, remember your email (with MFA enabled), your password manager (obviously critical) and your backup drive password. If anything were to happen to all your devices, you could at least get into your email and start sending your own Forgot Password requests to get back into your accounts.
Don't ever assume privacy online. Don't send or post anything you want to keep private. Gmail gives you tons of space and never deletes anything by default. Public Facebook, Twitter and Instagram posts are routinely stored by other companies. You also don't know how long recipients keep their email or what they do with it.
Email is not encrypted when sent via the internet. Emails and chat messages travel through many networks that can see what you send as it travels to its destination. Don't send anything you don't want sniffed along the way.
In general, any time you are asked for information like mother's maiden name, ask if you can provide a passcode instead. If not, use a phrase that you can change later. Information like this is discoverable by various methods, but it's very difficult to figure out a random word you made up.
If you have to send a password or information to someone, send it via a separate, encrypted medium with no context. Don't email it with the subject "Here's my credit card number". Better yet, just call them.
Let me emphasize this point again: Anything you put online lives forever. Remember that when you post anything about you, your friends, or your kids. It will be searchable for decades to come.
Following the steps in this guide will greatly reduce your chances of being a target of data or identity theft. They will also ensure that should something happen to your data, you have options to recover it. I sincerely hope this guide makes your life easier and more secure. Please leave any feedback in the comments below.