As we share more of our information online, our risk of identity theft increases which calls for us to take more actions to secure our data and information on the internet.

If I ask you what do you think is one of the most challenging issues for cybersecurity professionals, you’d probably guess “securing networks” or “hackers” and while these are indeed big challenges, there’s a bigger one: users not following basic security practices.

According to Nordpass, the following passwords are the 5 most commonly used passwords in 2020:

1. 123456
2. 123456789
3. picture1
4. password
5. 12345678

At the time of writing this article, more than 2.5 million users are using the first password (123456) and it takes less than 1 second to crack it using a Brute force attack or a dictionary attack.

In this article, we will list some easy, simple tips and tricks to protect your information online and guide you through setting them up.

Let’s go over some basic concepts:

Social Engineering

According to Wikipedia, social engineering is the psychological manipulation of people into performing actions or divulging confidential information.

For example, you receive a phone call from someone identifying himself as a Chase employee who wants to confirm some transactions on your credit card and proceeds to ask for your SSN in order to verify you

Social engineers don’t often ask for confidential information, they might ask instead for simple clues which will help them mount an attack later on, for example they can ask what was the color of your first car or your pet’s name. Information that can be pieced together with publicly available personal information to try to reset your bank password, etc.

One of the forms of social engineering is Phishing

Phishing

According to Wikipedia: Phishing is the fraudulent attempt to obtain sensitive information or data, such as usernames, passwords, credit card numbers, or other sensitive details by impersonating oneself as a trustworthy entity in a digital communication. Typically carried out by email spoofing, instant messaging, and text messaging, phishing often directs users to enter personal information at a fake website which matches the look and feel of the legitimate site.

How to identify phishing?

1. Avoid relying on the email sender’s name only. Instead, check the sender’s email address by viewing email details
   • an email received from PayPal would have @mail.paypal.com in the address, it would never be sent from @gmail.com
2. If there’s a call to action in the email, asking you to login to PayPal to confirm a transaction or reactivate your account, etc. don’t click the button in the email and go to paypal.com in your browser instead.
3. Carefully read the email
   • Phishing campaigns are sent to thousands of receivers in hopes that some of them will take the bait which leaves no time for customizations, Be careful when the email body addresses you as “Dear Customer” or “Dear User” instead of actually having your name on it.
   • Phishing emails mostly originate from countries known for running scams, watch out for spelling mistakes and poorly written grammar.
   • Phishing emails usually contain urgent sounding call to action, asking you to login “NOW” to keep your account or to call “Immediately“
4. If an unsolicited email is coming from a known sender (your bank for example) asking you to open an attachment or reply back with personal information, etc., call the bank on the phone number listed on the back of your card to confirm they actually sent the email.
5. Be generally suspicious and always verify the source of emails, texts and phone calls you receive.

Email addresses and password management

As discussed earlier, hackers use advanced password cracking tools to figure out your passwords, below are some Dos and Don’ts to secure your online accounts

1. Don’t: use the same email address for everything online, email addresses are free, create different email addresses and categorize them, for example:
   • one email address for websites with highly confidential information (banks, social security administration, Venmo, etc.)
   • another email address for your social media accounts (Facebook, Instagram, Spotify, etc.)
   • a 3^rd email address for services you don’t trust or websites that require signups
   • you can also use Microsoft Outlook aliases to create different email addresses that link to the same mailbox, there’s other services which offer the same functionality, check out SimpleLogin
2. Do: activate Multi Factor Authentication (MFA) for important website, MFA requires you to use a different type of authentication (example: a one time code sent to your phone via text message) along with your username and password
3. Do: activate login alerts for important websites, this feature allows you to receive a notification if your account is used from a new location or a new device
4. Don’t: use the same password for all your online accounts, password leaks are commonplace, in April 2021 Facebook passwords were leaked for more than 500 million accounts and were available online along with other information like birthdays, phone numbers and other personal information, if you had used the same password for Facebook and your bank, your bank password is now available freely online, Avast offers a list of recent password leaks here
5. Do: use a password manager to be able to generate strong random passwords and have them all saved
   • There are multiple services that can help you generate, store and autofill passwords across all your devices
   • LastPass is a paid premium option, they also have a free plan but it doesn’t work across devices, if you want to use LastPass across multiple devices it costs $3 / Month
   • Bitwarden is a free open-source service that does exactly the same while free, it can also be self-hosted if you want to have control and host all your data, follow this guide to setup and secure Bitwaden