A brief guide to cybersecurity basics

Last Monday, I got an email from Spotify saying that somebody in Brazil had logged into my account.

Security warning from Spotify

I checked. Sure enough: A stranger was using my Spotify to listen to Michael Jackson. I told Spotify to “sign me out everywhere” — but I didn't change my password.

On Wednesday, it happened again. At 2 a.m., I got another email from Spotify. This time, my sneaky Brazilian friend was listening to Prince. And they apparently liked the looks of one of my playlists (“Funk Is Its Own Reward”), because they'd been listening to that too.

My hacked Spotify account

I signed out everywhere again, and this time I changed my password. And I made a resolution.

You see, I've done a poor job of implementing modern online security measures. Yes, I have my critical financial accounts locked down with two-factor authentication and so on, but mostly I'm sloppy when it comes to cybersecurity.

For example, I reuse passwords. I still use passwords from thirty years ago for low-security situations (such as signing up for a wine club or a business loyalty program). And while I've begun creating strong (yet easy to remember) passwords for more important accounts, these passwords all follow a pattern and they're not randomized. Worst of all, I maintain a 20-year-old plain-text document in which I store all of my sensitive personal information.

This is dumb. Dumb dumb dumb dumb dumb.

I know it's dumb, but I've never bothered to make changes — until now. Now, for a variety of reasons, I feel like it's time for me to make my digital life a little more secure. I spent several hours over the weekend locking things down. Here's how.

A Brief Guide to Cybersecurity

Coincidentally, the very same day that my Spotify account was being used to stream Prince's greatest hits in Brazil, a Reddit user named /u/ACheetoBandito posted a guide to cybersecurity in /r/fatFIRE. How convenient!

“Cybersecurity is a critical component of financial security, but rarely discussed in personal finance circles,” /u/ACheetoBandito wrote. “Note that cybersecurity practitioners disagree over best practices for personal cybersecurity. This is my perspective, as I have some expertise in the area.”

I won't reproduce the entire post here — you should definitely go read it, if this subject is important to you — but I will list the bullet-point summary along with some of my own thoughts. Our orange-fingered friend recommends that anyone concerned about cybersecurity take the following steps:

  1. Get at least two hardware-based security keys. My pal Robert Farrington (from The College Investor) uses the YubiKey. Google offers its Titan Security Key. (I ordered the YubiKey 5C Nano because of its minimal form factor.)
  2. Set up a secret private email account. Your private email address should not be linked in any way to your public email, and the address should be given to no one. (I already have many public email accounts, but I didn't have a private address. I do now.)
  3. Turn on Advanced Protection for both your public and private Gmail accounts. Advanced Protection is a free security add-on from Google. Link this to the security keys you acquired in step one. (I haven't set this up because my security keys won't arrive until this afternoon.)
  4. Set up a password manager. Which password manager you choose is up to you. The key is to pick one that you'll use. It's best if this app supports your new security keys for authentication. (I'll cover a few options in the next section of this article.)
  5. Generate new passwords for all accounts. Manually create memorable passwords for your email addresses, your computers (and mobile devices), and for the password manager itself. All other passwords should be strong passwords generated randomly by the password manager.
  6. Associate critical accounts with your new private email address. This will include financial accounts, such as your banks, brokerages, and credit cards. But it could include other accounts too. (I'll use my private email address for core services related to this website, for instance.)
  7. Turn on added security measures for all accounts. Available features will vary from provider to provider, but generally speaking you should be able to activate two-factor authentication (with the security keys, whenever possible) and login alerts.
  8. Turn on text/email alerts for financial accounts. You may also want to turn on alerts for changes to your credit score and/or credit report.
  9. Activate security measures on your mobile devices. Your phone should be locked by a strong authorization measure. And each of your individual financial apps should be locked down with a password and any other possible security measures.

/u/ACheetoBandito recommends some additional, optional security measures. (And that entire Reddit discussion thread is filled with great security tips.)

You might want to freeze your credit (although, if you do, remember that you'll occasionally need to un-freeze your credit to make financial transactions). Some folks will want to encrypt their phones and hard drives. And if you're very concerned about security, purchase a cheap Chromebook and use this as the only device on which you perform financial transactions. (Believe it or not, I'm taking this last optional step. It makes sense to me — and it may be a chance for me to move beyond Quicken.)

Exploring the Best Password Managers

Okay, great! I've ordered a new $150 Chromebook and two hardware-based security keys. I've set up a brand-new, top-secret email address, which I'll connect to any account that needs added security. But I still haven't tackled the weakest point in the process: my text document filled with passwords.

Part of the problem is complacency. My system is simple and I like it. But another part of the problem is analysis paralysis. There are a lot of password managers out there, and I have no idea how to differentiate between them, to figure out which one is right for me and my needs.

Asking about the best password managers

For help, I asked my Facebook friends to list the best password managers. I downloaded and installed each of their suggestions, then I jotted down some initial impressions.

  • LastPass: 16 votes (2 from tech nerds) — LastPass was by far the most popular password manager among my Facebook friends. People love it. I installed it and poked around, and it seems…okay. The interface is a little clunky and the feature set seems adequate (but not robust). The app uses the easy-to-understand “vault” metaphor, which I like. LastPass is free (with premium options available for added cost).
  • 1Password: 7 votes (4 from tech nerds) — This app has similar features to Bitwarden or LastPass. The interface is nice enough, and it seems to provide security alerts. 1Password costs $36/year.
  • Bitwarden: 4 votes (2 from tech nerds) — Bitwarden has a simple, easy-to-understand interface. It uses the same “vault” metaphor that products like LastPass and 1Password use. It's a strong contender to become the tool I use. Bitwarden is free. For $10 per year, you can add premium security features.
  • KeePass: 2 votes — KeePass is a free, open-source password manager. There are KeePass installs available for all major computer and mobile operating systems. If you're a Linux nut (or an open-source advocate), this might be a good choice. I don't like its limited functionality and its terrible interface. KeePass is free.
  • Dashlane: 2 votes — Of all the password managers I looked at, Dashlane has the nicest interface and the most features. Like many of these tools, it uses the “vault” metaphor, but it allows you to store more things in this vault than other tools do. (You can store ID info — driver license, passport — for instance. There's also a spot to store receipts.) Dashlane has a free basic option but most folks will want the $60/year premium option. (There's also a $120/year option that includes credit monitoring and ID theft insurance.)
  • Blur: 1 vote — Blur is different from most password managers. It quite literally tries to blur your online identity. It prevents web browsers from tracking you, masks email addresses and credit cards and phone numbers, and (of course) manages passwords. I want some features that Blur doesn't have — and don't want some of the features it does have. Blur costs a minimum of $39/year but that price can become much higher.
  • Apple Keychain: 1 vote — Keychain has been Apple's built-in password manager since 1999. As such, it's freely available on Apple devices. Most Mac and iOS folks use Keychain without even realizing it. It's not really robust enough to do anything other than store passwords, so I didn't give it serious consideration. Keychain is free and comes installed on Apple products.

Let me be clear: I made only a cursory examination of these password managers. I didn't dive deep. If I tried to compare every feature of every password manager, I'd never choose. I'd get locked into analysis paralysis again. So, I gave each a quick once-over and made a decision based on gut and intuition.

Of these tools, two stood out: Bitwarden and Dashlane. Both sport nice interfaces and plenty of features. Both tools offer free versions, but I'd want to upgrade to a paid premium plan in order to gain access to two-factor authentication (using my new hardware security keys) and security monitoring. This is where Bitwarden has a big advantage. It's only $10 per year. To get the same features, Dashlane is $60/year.

But here's the thing.

I started actually using both of these tools at the same time, entering my website passwords one by one. I stopped after entering ten sites into each. It was clear that I vastly preferred using Dashlane to Bitwarden. It just works in a way that makes sense to me. (Your experience might be different.) So, for a little while at least, I'm going to use Dashlane as my password manager.

Dashlane interface

The Problem with Passwords

My primary motive for using a password manager is to get my sensitive information out of a plain text document and into something more secure. But I have a secondary motive: I want to improve the strength of my passwords.

When I started using the internet — back in the 1980s, before the advent of the World Wide Web — I didn't spare a thought for password strength. The first password I created (in 1989) was simply the name of my friend who let me use his computer to access the local Bulletin Board Systems. I used that password for years on everything from email accounts to bank sites. I still consider it my “low security” password for things that aren't critical.

I have maybe eight or ten passwords like this: short, simple passwords that I've used in dozens of locations. For the past five years, I've tried to move to unique passwords for each site, passwords that follow a pattern. While these are an improvement, they're still not great. Like I say, they follow a pattern. And while they contain letters, numbers, and symbols, they're all relatively short.

As you might expect, my sloppy password protocol has created something of a security nightmare. Here's a screenshot from the Google Password Checkup tool for one of my accounts.

Google Password Checkup

I get similar results for all of my Google accounts. Yikes.

Plus, there's the problem of account sharing.

Kim and I share a Netflix account. And an Amazon account. And a Hulu account. And an iTunes account. In fact, we probably share twenty or thirty accounts. She and I use the same easy-to-remember password for all of these sign-ins. While none of these accounts are super sensitive, what we're doing is still a poor idea.

So, I want to begin moving toward more secure passwords — even for the accounts I share with Kim.

The good news is that most password managers — including Dashlane — will auto-generate randomized passwords for you. Or I could try something similar to the idea suggested in this XKCD comic:

XKCD on password strength

The trouble, of course, is that each place has different requirements for passwords. Some require numbers. Some require symbols. Some say no symbols. And so on. I don't know of any sites that would let me use four random common words for a password!

For now, I'm going to take a three-pronged approach:

  • I'll manually create long (but memorable) passwords for my most critical accounts. This is the XKCD method.
  • For the accounts I share with Kim — Netflix, etcetera — I'll create new, memorable passwords that follow a pattern.
  • For everything else, I'll let my password manager generate random passwords.

This seems like a good balance between usability and security. Every password will be different. Only the ones I share with Kim will be short; all others will be long. And most of my new passwords will be random gibberish.

Final Thoughts on Cybersecurity

In this short video from Tech Insider, a former National Security Agency security expert shares his top five tips for protecting yourself online.

You'll note that these are similar to the Reddit cybersecurity guide I posted earlier in this article. Here are the steps he says to take to keep yourself safe:

  • Enable two-factor authentication whenever possible.
  • Don't use the same password everywhere.
  • Keep your operating system (and software) up to date.
  • Be careful with what you post to social media.
  • Do not share personal information unless you're certain you're dealing with a trusted company or person.

I won't pretend that the steps I'm taking will protect me completely. But my new system is certainly an upgrade from what I've been doing for the past 20+ years — which was, as I've mentioned, dumb dumb dumb.

And I have to confess: I like the idea of restricting my online financial life to one computer — the new $150 Chromebook. I'm not sure if this is actually doable, but I'm going to give it a go. If this works, then I may see if I can find a money-management tool that I like for the machine. Maybe then I can finally leave Quicken 2007 for Mac behind!

What have I missed? What steps have you taken to protect your online accounts? Which do you feel is the best password manager? How do you create memorable, secure passwords? How do you handle shared accounts? Help other GRS readers — and me! — develop better online security practices.

32 Comments
Hans
4 months ago

This is a great summary, and it’s clear that you’ve approached this in a thoughtful and methodical way. One thing to note is that both Dashlane and Bitwarden include functionality to share *specific* passwords with others. My wife and I use this functionality to share relevant accounts with each other, and also find it useful for accessing accounts when the other person is not available (for example, to renew a library book). However, since our Bitwarden accounts are separate, we can maintain privacy when we want it, and in the very unfortunate event that one of us is locked out… Read more »

patricia
4 months ago

I absolutely LOVE Keepass…I never understand why anyone thinks it has a “terrible” interface, either. Firstly, Keepass lives on your C: drive, and I like that a LOT better than having my pw manager out in cyberspace (because the main reason I have a password manager is to protect myself against cyberspace hackers in the first place)…maybe it takes 30 minutes to figure out how to set up Keepass, but it is totally worth it.

Patricia
4 months ago
Reply to J.D. Roth

Totally understand, JD…I have used Keepass for so many years that it is ez-peasy for me. Also, I would like to mention that I use masked credit card numbers for all online or over-the-phone purchases. Several CC companies have this service available, and it is really nice. For example, if I want to set up auto-pay for my electric bill, I can generate a masked CC number, set a max. amount for the card and an expiration date for the card (anywhere from 1-12 months)…The first level perk is (obviously) that your actual CC number is not out there in… Read more »

RichardP
4 months ago
Reply to patricia

I love KeePass also. I particularly like that it doesn’t have to be installed. I can run it from a USB drive so I always carry a copy of my passwords when I travel.

Jason
4 months ago

Great article, happy to see this talked about in some detail in FI land. By pure luck I jumped on the Dashlane bandwagon when it was new and grandfathered into the free-for-life plan, but would pay $60/month for it. Pretty good integration into desktop and phone browsers and apps. And like you mentioned great for IDs, but also for CC numbers and other random notes (PINs etc). There is also a feature that once you enter in the basics for your accounts, it can update your passwords for you. Doesn’t work everywhere but it’s a great move for an annual… Read more »

James Khoury
4 months ago

I pay for 1Password for families and when I need to share a password with my wife I just make sure it's in the vault I share with her. Take my opinion with a grain of salt because I haven’t evaluated any other password managers and this was the one suggested to me by a couple of senior developers I used to work with.

The cost in Australia works out to be around $95 aud per year and I get 5 members. I don’t know how I could live without a password manager anymore.

James Khoury
4 months ago
Reply to James Khoury

Also I wanted to encourage you to check out https://haveibeenpwned.com/ by security expert Troy Hunt. You can sign up to be notified whenever your email is known to be included in a breach.

RichardP
4 months ago

Just a comment about that XKCD comic. From a mathematical standpoint, his example does sound secure. However, I read an analysis by a security expert. From a hacker standpoint, his example is a terrible password. A ‘brute force’ dictionary attack using common words is a standard procedure for hackers. Any password using correctly spelled words with normal capitalization is weak.

Ryan Collins
4 months ago
Reply to RichardP

A 12-character password using 70 characters (A-Z, a-z, 0-9, !@#$%^&*) has 1.3841287e+22 possible combinations.

A 5-word passphrase from all possible Scrabble words (3-7 characters each; 53,848 words) has 4.5273898e+23 combinations.

So this password:
ue^#[email protected]

is less secure than this one (I used the Bitwarden passphrase generator, which has more words than what was in the scrabble list):
enviable-busload-riverboat-kangaroo-underarm

The shortest password using a passphrase would be 19 characters long, so someone would need to brute force 27^19, 1.5700429e+27 combinations.

Hackers won’t be able to brute force passphrases for a very long time.
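
The comment above works out the arithmetic behind the XKCD-style passphrase, and the post itself notes that password managers generate random passwords for you. As an added example (not code from the post or any of its commenters), this Python script does both: it reproduces the 70-character versus 53,848-word comparison in bits and brute-force time, and it generates a random password or passphrase with the `secrets` module. The short word list and the guessing rate of 1e10 per second are constructed assumptions for the demo.

```python
import math
import secrets
import string

# Constructed sample word list for this demo; a real generator draws from a list
# of tens of thousands of words (the comment above counts 53,848 Scrabble words).
SAMPLE_WORDS = [
    "enviable", "busload", "riverboat", "kangaroo", "underarm", "lantern",
    "pocket", "granite", "cactus", "marble", "velvet", "harbor", "saddle",
    "pepper", "comet", "ladder",
]

# The 70-character alphabet used in the comment above: A-Z, a-z, 0-9 and !@#$%^&*.
SYMBOLS = "!@#$%^&*"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def search_space(choices: int, length: int) -> int:
    """Number of equally likely secrets when each of `length` positions is an
    independent uniform pick from `choices` options (characters or words)."""
    return choices ** length


def entropy_bits(choices: int, length: int) -> float:
    """The same search space expressed in bits: log2(choices ** length)."""
    return length * math.log2(choices)


def years_to_exhaust(choices: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed offline guessing rate."""
    return search_space(choices, length) / guesses_per_second / (365 * 24 * 3600)


def generate_password(length: int = 12) -> str:
    """Random password over ALPHABET that also satisfies a common site rule
    (at least one digit and one symbol). Rejection sampling keeps the result
    uniform over all passwords that meet the rule; forcing a digit into a
    fixed position would shrink the search space instead."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if any(c.isdigit() for c in candidate) and any(c in SYMBOLS for c in candidate):
            return candidate


def generate_passphrase(words, count: int = 5, sep: str = "-") -> str:
    """XKCD-style passphrase: `count` words drawn uniformly, with replacement,
    from the OS CSPRNG. Its strength is entropy_bits(len(words), count), which
    already assumes the attacker holds the full word list, so a dictionary
    attack gains nothing beyond that bound."""
    return sep.join(secrets.choice(words) for _ in range(count))


def compare(password_len: int = 12, word_count: int = 5,
            wordlist_size: int = 53_848, guesses_per_second: float = 1e10) -> dict:
    """Reproduce the comparison from the comment above, plus a bits-and-years view."""
    n = len(ALPHABET)
    return {
        "password_space": search_space(n, password_len),
        "password_bits": round(entropy_bits(n, password_len), 1),
        "passphrase_space": search_space(wordlist_size, word_count),
        "passphrase_bits": round(entropy_bits(wordlist_size, word_count), 1),
        "password_years": years_to_exhaust(n, password_len, guesses_per_second),
        "passphrase_years": years_to_exhaust(wordlist_size, word_count, guesses_per_second),
    }


if __name__ == "__main__":
    print(generate_password())
    print(generate_passphrase(SAMPLE_WORDS))
    for key, value in compare().items():
        print(f"{key:>16}: {value:,}")
```

With the defaults, the 12-character password comes out at about 73.6 bits and the 5-word passphrase at about 78.6 bits, matching the commenter's ordering.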

Hannah
4 months ago

Thanks for sharing how important it is to keep up with cyber security!

> Kim and I share a Netflix account. And an Amazon account. And a Hulu account. And an iTunes account. In fact, we probably share twenty or thirty accounts. She and I use the same easy-to-remember password for all of these sign-ins.

Most password managers (I know for sure LastPass and Bitwarden) offer the option to share passwords. Bitwarden does it in a great way by sharing to a centralized organization - we call it household and can both access it. If I update the Netflix password, my… Read more »

R
4 months ago

Keepass is awesome, but you should be using https://keepassxc.org/, not the original keepass.

patrick
4 months ago

So… you’re saying I should stop using my 2006 Dell laptop that still runs Windows XP?

beth
4 months ago

Thanks for this post. The exact same thing happened to me in Spotify (only it was someone in Holland). It was the first time I had ever had an account hacked! First time I didn’t change the password, and got hacked again. Second time I changed the password, but got hacked again anyway. After the third time, I started seeing hacking into many of my online accounts (yes, guilty of reusing passwords) – Netflix, Uber, Postmates, etc. I will give one of these more secure options a try…and probably should cancel Spotify…

Margaret
4 months ago

Hysterically (for this topic), I’m getting security certificate errors that I had to circumnavigate to read this post and I can’t access any of your other posts through the website or via links in my RSS feed.

El Nerdo
4 months ago

I came from the homepage to say “ooooh, nice new clean design,” and the articles don’t look like that yet, but the comments already do.

Nice job so far, keep it up!

El Nerdo
4 months ago
Reply to J.D. Roth

Specifically I’m liking the new accidental typography as it appears on the iPad, if it’s any help. More leading + kerning is pleasing.

JoDi
4 months ago
Reply to El Nerdo

Agreed! I like the addition of the Like/Dislike buttons to the comments. Hopefully, once the new design is implemented there will be DATES on the comments as well! 🙂

El Nerdo
4 months ago
Reply to J.D. Roth

I think the best policy when republishing/modifying is to also mention the date of original publication. Otherwise it looks like lies. And comments especially should keep their original date. Responding to a bunch of people only to realize later they aren’t here anymore also makes you feel utterly hoodwinked. Look at how Kinja does it: https://twocents.lifehacker.com/when-should-you-close-an-old-credit-card-1826428736 Date is fresh because the new writer republished another writer’s old work, and comments reflect their actual dates. No need to change the date in an “unrefreshed” unmodified post though. Also notice how Moustache allows access to old posts on a sidebar without… Read more »

Michael
4 months ago

There’s no need to have an additional email address. That would confuse most people and it’s unnecessary. The main thing is to make sure your email account has maximum security on it, strong password and hardware 2FA. Other than that your suggestions are all appropriate.

Sheila
4 months ago
Reply to Michael

The private email had me stumped as well. What purpose is it supposed to serve?

Nancy
3 months ago
Reply to J.D. Roth

If you want to set up a new gmail account that you will transition to being your very private, only for financial accounts email, do you add your phone number to that account? Do you add your previous, main email when it wants a backup contact email?

Big-D
3 months ago
Reply to Sheila

It is so you have an email account – that you don’t put on websites (which can get hacked), and is a backup for your primary email account. So basically, you have [email protected] and you use this to sign up for everything. You have your alternate email for gmail being [email protected] so that if someone compromises your [email protected] account, you have the password reset capabilities already in place. If you have an android phone, and trust those SMS and other MFA capabilities of getting your gmail account back – that works. Otherwise, this is a great way for people that… Read more »

Zee
4 months ago

This is where bands with numbers in their names become handy, then you can have numbers letters, capitals and special characters pretty easily. Something such as “TheJackson5Rocks!” or “Boyz2MenIsTheBestOfAllTime!” “WhoLoves2Chainz_NotMe!”

Simple, easy to remember, has all the complexity requirements, satisfies the XKCD length conundrum.

olga
3 months ago

Hi, JD. In the last 2 weeks this is the last post I am able to see when I type GRS in the web address. I know there were other posts (I got your Friday email compile and was able to click on separate links and see them), yet when I go to the http://www., it stops here. How do I fix it?

Jessica
3 months ago

Can you share the link of the Chromebook you purchased? I’m having analysis paralysis on picking a basic computer to use for non-work budgeting purposes!!