A brief guide to cybersecurity basics
Last Monday, I got an email from Spotify saying that somebody in Brazil had logged into my account.
I checked. Sure enough: A stranger was using my Spotify to listen to Michael Jackson. I told Spotify to “sign me out everywhere” — but I didn’t change my password.
On Wednesday, it happened again. At 2 a.m., I got another email from Spotify. This time, my sneaky Brazilian friend was listening to Prince. And they apparently liked the looks of one of my playlists (“Funk Is Its Own Reward”), because they’d been listening to that too.
I signed out everywhere again, and this time I changed my password. And I made a resolution.
You see, I’ve done a poor job of implementing modern online security measures. Yes, I have my critical financial accounts locked down with two-factor authentication, etc., but mostly I’m sloppy when it comes to cybersecurity.
For example, I re-use passwords. I still use passwords from thirty years ago for low-security situations (such as signing up for a wine club or a business loyalty program). And while I’ve begun creating strong (yet easy to remember) passwords for more important accounts, these passwords all follow a pattern and they’re not randomized. Worst of all, I maintain a 20-year-old plain text document in which I store all of my sensitive personal information.
This is dumb. Dumb dumb dumb dumb dumb.
I know it’s dumb, but I’ve never bothered to make changes — until now. Now, for a variety of reasons, I feel like it’s time for me to make my digital life a little more secure. I spent several hours over the weekend locking things down. Here’s how.
A Brief Guide to Cybersecurity
Coincidentally, the very same day that my Spotify account was being used to stream Prince’s greatest hits in Brazil, a Reddit user named /u/ACheetoBandito posted a guide to cybersecurity in /r/fatFIRE. How convenient!
“Cybersecurity is a critical component of financial security, but rarely discussed in personal finance circles,” /u/ACheetoBandito wrote. “Note that cybersecurity practitioners disagree over best practices for personal cybersecurity. This is my perspective, as I have some expertise in the area.”
I won’t reproduce the entire post here — you should definitely go read it, if this subject is important to you — but I will list the bullet-point summary along with some of my own thoughts. Our orange-fingered friend recommends that anyone concerned about cybersecurity take the following steps:
- Get at least two hardware-based security keys. My pal Robert Farrington (from The College Investor) uses the YubiKey. Google offers its Titan Security Key. (I ordered the YubiKey 5C Nano because of its minimal form factor.)
- Set up a secret private email account. Your private email address should not be linked in any way to your public email, and the address should be given to no one. (I already have many public email accounts, but I didn’t have a private address. I do now.)
- Turn on Advanced Protection for both your public and private Gmail accounts. Advanced Protection is a free security add-on from Google. Link this to the security keys you acquired in step one. (I haven’t set this up because my security keys won’t arrive until this afternoon.)
- Set up a password manager. Which password manager you choose is up to you. The key is to pick one that you’ll use. It’s best if this app supports your new security keys for authentication. (I’ll cover a few options in the next section of this article.)
- Generate new passwords for all accounts. Manually create memorable passwords for your email addresses, your computers (and mobile devices), and for the password manager itself. All other passwords should be strong passwords generated randomly by the password manager.
- Associate critical accounts with your new private email address. This will include financial accounts, such as your banks, brokerages, and credit cards. But it could include other accounts too. (I’ll use my private email address for core services related to this website, for instance.)
- Turn on added security measures for all accounts. Available features will vary from provider to provider, but generally speaking you should be able to activate two-factor authentication (with the security keys, whenever possible) and login alerts.
- Turn on text/email alerts for financial accounts. You may also want to turn on alerts for changes to your credit score and/or credit report.
- Activate security measures on your mobile devices. Your phone should be locked by a strong authorization measure. And each of your individual financial apps should be locked down with a password and any other possible security measures.
/u/ACheetoBandito recommends some additional, optional security measures. (And that entire Reddit discussion thread is filled with great security tips.)
You might want to freeze your credit (although, if you do, remember that you’ll occasionally need to un-freeze your credit to make financial transactions). Some folks will want to encrypt their phones and hard drives. And if you’re very concerned about security, purchase a cheap Chromebook and use this as the only device on which you perform financial transactions. (Believe it or not, I’m taking this last optional step. It makes sense to me — and it may be a chance for me to move beyond Quicken.)
Exploring the Best Password Managers
Okay, great! I’ve ordered a new $150 Chromebook and two hardware-based security keys. I’ve set up a brand-new, top-secret email address, which I’ll connect to any account that needs added security. But I still haven’t tackled the weakest point in the process: my text document filled with passwords.
Part of the problem is complacency. My system is simple and I like it. But another part of the problem is analysis paralysis. There are a lot of password managers out there, and I have no idea how to differentiate between them, to figure out which one is right for me and my needs.
For help, I asked my Facebook friends to list the best password managers. I downloaded and installed each of their suggestions, then I jotted down some initial impressions.
- LastPass: 16 votes (2 from tech nerds) — LastPass was by far the most popular password manager among my Facebook friends. People love it. I installed it and poked around, and it seems…okay. The interface is a little clunky and the feature set seems adequate (but not robust). The app uses the easy-to-understand “vault” metaphor, which I like. LastPass is free (with premium options available for added cost).
- 1Password: 7 votes (4 from tech nerds) — This app has similar features to Bitwarden or LastPass. The interface is nice enough, and it seems to provide security alerts. 1Password costs $36/year.
- Bitwarden: 4 votes (2 from tech nerds) — Bitwarden has a simple, easy-to-understand interface. It uses the same “vault” metaphor that products like LastPass and 1Password use. It’s a strong contender to become the tool I use. Bitwarden is free. For $10 per year, you can add premium security features.
- KeePass: 2 votes — KeePass is a free Open Source password manager. There are KeePass installs available for all major computer and mobile operating systems. If you’re a Linux nut (or an Open Source advocate), this might be a good choice. I don’t like its limited functionality and its terrible interface. KeePass is free.
- Dashlane: 2 votes — Of all the password managers I looked at, Dashlane has the nicest interface and the most features. Like many of these tools, it uses the “vault” metaphor, but it allows you to store more things in this vault than other tools do. (You can store ID info — driver license, passport — for instance. There’s also a spot to store receipts.) Dashlane has a free basic option but most folks will want the $60/year premium option. (There’s also a $120/year option that includes credit monitoring and ID theft insurance.)
- Blur: 1 vote — Blur is different from most password managers. It quite literally tries to blur your online identity. It prevents web browsers from tracking you, masks email addresses and credit cards and phone numbers, and (of course) manages passwords. I want some features that Blur doesn’t have — and don’t want some of the features it does have. Blur costs a minimum of $39/year but that price can become much higher.
- Apple Keychain: 1 vote — Keychain has been Apple’s built-in password manager since 1999. As such, it’s freely available on Apple devices. Most Mac and iOS folks use Keychain without even realizing it. It’s not really robust enough to do anything other than store passwords, so I didn’t give it serious consideration. Keychain is free and comes installed on Apple products.
Let me be clear: I made only a cursory examination of these password managers. I didn’t dive deep. If I tried to compare every feature of every password manager, I’d never choose. I’d get locked into analysis paralysis again. So, I gave each a quick once-over and made a decision based on gut and intuition.
Of these tools, two stood out: Bitwarden and Dashlane. Both sport nice interfaces and plenty of features. Both tools offer free versions, but I’d want to upgrade to a paid premium plan in order to gain access to two-factor authentication (using my new hardware security keys) and security monitoring. This is where Bitwarden has a big advantage. It’s only $10 per year. To get the same features, Dashlane is $60/year.
But here’s the thing.
I started actually using both of these tools at the same time, entering my website passwords one by one. I stopped after entering ten sites into each. It was clear that I vastly preferred using Dashlane to Bitwarden. It just works in a way that makes sense to me. (Your experience might be different.) So, for a little while at least, I’m going to use Dashlane as my password manager.
The Problem with Passwords
My primary motive for using a password manager is to get my sensitive information out of a plain text document and into something more secure. But I have a secondary motive: I want to improve the strength of my passwords.
When I started using the internet — back in the 1980s, before the advent of the World Wide Web — I didn’t spare a thought for password strength. The first password I created (in 1989) was simply the name of my friend who let me use his computer to access the local Bulletin Board Systems. I used that password for years on everything from email accounts to bank sites. I still consider it my “low security” password for things that aren’t critical.
I have maybe eight or ten passwords like this: short, simple passwords that I’ve used in dozens of locations. For the past five years, I’ve tried to move to unique passwords for each site, passwords that follow a pattern. While these are an improvement, they’re still not great. Like I say, they follow a pattern. And while they contain letters, numbers, and symbols, they’re all relatively short.
As you might expect, my sloppy password protocol has created something of a security nightmare. Here’s a screenshot from the Google Password Checkup tool for one of my accounts.
I get similar results for all of my Google accounts. Yikes.
Plus, there’s the problem of account sharing.
Kim and I share a Netflix account. And an Amazon account. And a Hulu account. And an iTunes account. In fact, we probably share twenty or thirty accounts. She and I use the same easy-to-remember password for all of these sign-ins. While none of these accounts are super sensitive, what we’re doing is still a poor idea.
So, I want to begin moving toward more secure passwords — even for the accounts I share with Kim.
The good news is that most password managers — including Dashlane — will auto-generate randomized passwords for you. Or I could try something similar to the idea suggested in this XKCD comic:
The trouble, of course, is that each place has different requirements for passwords. Some require numbers. Some require symbols. Some say no symbols. And so on. I don’t know of any sites that would let me use four random common words for a password!
For now, I’m going to take a three-pronged approach:
- I’ll manually create long (but memorable) passwords for my most critical accounts. This is the XKCD method.
- For the accounts I share with Kim — Netflix, etcetera — I’ll create new, memorable passwords that follow a pattern.
- For everything else, I’ll let my password manager generate random passwords.
This seems like a good balance between usability and security. Every password will be different. Only the ones I share with Kim will be short; all others will be long. And most of my new passwords will be random gibberish.
Final Thoughts on Cybersecurity
In this short video from Tech Insider, a former National Security Agency security expert shares his top five tips for protecting yourself online.
You’ll note that these are similar to the Reddit cybersecurity guide I posted earlier in this article. Here are the steps he says to take to keep yourself safe:
- Enable two-factor authentication whenever possible.
- Don’t use the same password everywhere.
- Keep your operating system (and software) up to date.
- Be careful with what you post to social media.
- Do not share personal information unless you’re certain you’re dealing with a trusted company or person.
I won’t pretend that the steps I’m taking will protect me completely. But my new system is certainly an upgrade from what I’ve been doing for the past 20+ years — which was, as I’ve mentioned, dumb dumb dumb.
And I have to confess: I like the idea of restricting my online financial life to one computer — the new $150 Chromebook. I’m not sure if this is actually doable, but I’m going to give it a go. If this works, then I may see if I can find a money-management tool that I like for the machine. Maybe then I can finally leave Quicken 2007 for Mac behind!
What have I missed? What steps have you taken to protect your online accounts? Which do you feel is the best password manager? How do you create memorable, secure passwords? How do you handle shared accounts? Help other GRS readers — and me! — develop better online security practices.
There are 30 comments to "A brief guide to cybersecurity basics".
This is a great summary, and it’s clear that you’ve approached this in a thoughtful and methodical way.
One thing to note is that both Dashlane and Bitwarden include functionality to share *specific* passwords with others. My wife and I use this functionality to share relevant accounts with each other, and also find it useful for accessing accounts when the other person is not available (for example, to renew a library book). However, since our Bitwarden accounts are separate, we can maintain privacy when we want it, and in the very unfortunate event that one of us is locked out of our Bitwarden accounts, we can access most of our important sites from the other person’s device instead. If you can convince Kim to give it a try, it might be a good option for you.
An important consideration for my wife, who was concerned about losing her security keys, was that she can also use an app on her phone (e.g. Authy). It’s slightly less secure, in that it stores encrypted backups of the TOTP tokens in the cloud, but it also means that she’s not locked out of her accounts even if she loses her device. It’s also significantly more secure than SMS-based 2FA, which has plenty of problems itself:
https://www.theverge.com/2017/9/18/16328172/sms-two-factor-authentication-hack-password-bitcoin
Overall, great article!
I want to add that this process — upgrading online security — can be tedious. I worked on it all weekend, and I’m working on it this morning. It takes a lot of time to go account by account to upgrade passwords and security procedures. If I didn’t think this was so important, it’d be easy to simply give up and say, “Meh, I’ll worry about it later. It’s not a big deal.” But it is a big deal, and I know it.
So, I’m prioritizing my most important accounts first. Anything related to my finances or my websites has already had upgraded security put into place. Now I’m going through my commonly used accounts that, for whatever reason, have access to my credit card info. Eventually I’ll get to less important accounts, like my MLB TV login and my Github account.
This process takes time but it’s important.
I absolutely LOVE Keepass…I never understand why anyone thinks it has a “terrible” interface, either. Firstly, Keepass lives on your c: drive, and I like that a LOT better than having my pw manager out in cyberspace (because the main reason I have a password manager is to protect myself against cyberspace hackers in the first place)…maybe it takes 30 minutes to figure out how to set up Keepass, but it is totally worth it.
Patricia, for me a good user interface is easy to parse and requires minimal clicks/keypresses to accomplish a task. KeePass is a clumsy mess that requires constant clicking to open and close folders. I completely get why others might like it and use it, but it’s not for me.
Totally understand, JD…I have used Keepass for so many years that it is ez-peasy for me. Also, I would like to mention that I use masked credit card numbers for all online or over-the-phone purchases. Several CC companies have this service available, and it is really nice. For example, if I want to set up auto-pay for my electric bill, I can generate a masked CC number, set a max. amount for the card and an expiration date for the card (anywhere from 1-12 months)…The first level perk is (obviously) that your actual CC number is not out there in cyberspace, but additionally, the masked number that is generated is only valid for the merchant it was created it for, so even if someone hacks it, they can not use it anywhere else.
I love KeePass also. I particularly like that it doesn’t have to be installed. I can run it from a USB drive so I always carry a copy of my passwords when I travel.
Great article, happy to see this talked about in some detail in FI land.
By pure luck I jumped on the Dashlane bandwagon when it was new and was grandfathered into the free-for-life plan, but would pay $60/month for it. Pretty good integration into desktop and phone browsers and apps. And like you mentioned, great for IDs, but also for CC numbers and other random notes (PINs etc).
There is also a feature that once you enter in the basics for your accounts, it can update your passwords for you. Doesn’t work everywhere but it’s a great move for an annual lockdown and update of a bunch of accounts at one time.
Now I happily have ‘Get the Funk Outta Ma Face’ in my head. 🙂
I pay for 1Password for Families and when I need to share a password with my wife I just make sure it’s in the vault I share with her. Take my opinion with a grain of salt because I haven’t evaluated any other password managers and this was the one suggested to me by a couple of senior developers I used to work with.
The cost in Australia works out to be around $95 aud per year and I get 5 members. I don’t know how I could live without a password manager anymore.
Also I wanted to encourage you to check out https://haveibeenpwned.com/ by security expert Troy Hunt. You can sign up to be notified whenever your email is known to be included in a breach.
Just a comment about that XKCD comic. From a mathematical standpoint, his example does sound secure. However, I read an analysis by a security expert. From a hacker standpoint, his example is a terrible password. A ‘brute force’ dictionary attack using common words is a standard procedure for hackers. Any password using correctly spelled words with normal capitalization is weak.
A 12 character password using 70 characters (A-Z,a-z,0-9,!@#$%^&*) has 1.3841287e+22 possible combinations.
A 5 word passphrase from all possible Scrabble words (3-7 characters each), 53,848 has 4.5273898e+23 combinations.
So this password:
ue^#mM!sU@8q
is less secure than this one (I used the Bitwarden passphrase generator, which has more words than what was in the scrabble list):
enviable-busload-riverboat-kangaroo-underarm
The shortest password using a passphrase would be 19 characters long, so someone would need to brute force 27^19, 1.5700429e+27 combinations.
Hackers won’t be able to brute force passphrases for a very long time.
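The search-space arithmetic in this comment, and the post’s own three-pronged choice between random passwords, patterned passwords and XKCD-style passphrases, worked through as an added example that is not code from the original post or any commenter; the word list is a tiny constructed stand-in (only a list’s size matters for the entropy figures), and the 1,000-band estimate for pattern passwords is an assumption, not a figure from the page.

```python
"""Compare the password strategies discussed on this page by search space.

Added example, not from the original post or the comments. TOY_WORDS is a
constructed stand-in for a real word list; the entropy functions take the
list *size* as a number, so the page's own figures can be plugged in.
"""
import math
import secrets
import string

# The comment's alphabet: A-Z, a-z, 0-9 and !@#$%^&* = 26 + 26 + 10 + 8 = 70.
SYMBOLS = "!@#$%^&*"
ALPHABET_70 = string.ascii_letters + string.digits + SYMBOLS

# Constructed stand-in word list (real lists run to tens of thousands of words).
TOY_WORDS = ["enviable", "busload", "riverboat", "kangaroo", "underarm",
             "correct", "horse", "battery", "staple", "funk"]


def combinations(choices: int, picks: int) -> int:
    """Size of the search space when each pick is independent: choices ** picks."""
    return choices ** picks


def entropy_bits(choices: int, picks: int) -> float:
    """The same quantity in bits: picks * log2(choices). Easier to compare."""
    return picks * math.log2(choices)


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case years to try every candidate at a given offline guess rate."""
    return space / guesses_per_second / (365 * 24 * 3600)


def random_password(length: int = 12, alphabet: str = ALPHABET_70) -> str:
    """A manager-style random password (like the comment's ue^#mM!sU@8q)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words: int = 5, wordlist=TOY_WORDS, sep: str = "-") -> str:
    """A passphrase in the enviable-busload-riverboat-kangaroo-underarm shape."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def satisfies_policy(candidate: str) -> bool:
    """The site rule the post complains about: needs a letter, a digit AND a symbol.

    A pure word passphrase fails this even though its search space is larger,
    which is exactly the mismatch the post describes.
    """
    return (any(c.isalpha() for c in candidate)
            and any(c.isdigit() for c in candidate)
            and any(c in SYMBOLS for c in candidate))


def compare_schemes() -> dict:
    """Entropy of each scheme named on the page, using the page's own numbers."""
    return {
        # Comment: 12 characters drawn from 70 symbols.
        "random_12_of_70": entropy_bits(70, 12),
        # Comment: 5 words drawn from a 53,848-word Scrabble list.
        "passphrase_5_of_53848": entropy_bits(53848, 5),
        # XKCD comic: 4 common words from roughly 2,048 candidates (the comic's own figure).
        "xkcd_4_of_2048": entropy_bits(2048, 4),
        # Pattern password ("<BandName>5Rocks!"): if the pattern is known, only the
        # band is secret. ASSUMPTION: about 1,000 plausible bands (not from the page).
        "pattern_known_band_1000": entropy_bits(1000, 1),
    }


if __name__ == "__main__":
    for name, bits in compare_schemes().items():
        print(f"{name:26s} {bits:6.1f} bits")
    # Worst case for the comment's 12-char password at 10 billion guesses/sec.
    print(f"{years_to_exhaust(combinations(70, 12), 1e10):,.0f} years to exhaust")
    print(random_password(), random_passphrase())
```

The pattern row is the practical point: a password that looks complex contributes only as much entropy as its one secret part once the pattern is known, which is why the post’s own plan keeps patterned passwords only for the low-value shared accounts.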
Thanks for sharing how important it is to keep up with cyber security!
> Kim and I share a Netflix account. And an Amazon account. And a Hulu account. And an iTunes account. In fact, we probably share twenty or thirty accounts. She and I use the same easy-to-remember password for all of these sign-ins.
Most password managers (I know for sure LastPass and Bitwarden) offer the option to share passwords. Bitwarden does it in a great way by sharing to a centralized organization- we call it household and can both access it. If I update the Netflix password, my partner immediately has access to that new password. That way, you keep strong passwords and nobody has to remember it. Here’s the info for Bitwarden:
https://help.bitwarden.com/article/collections/
Keepass is awesome, but you should be using https://keepassxc.org/, not the original keepass.
So… you’re saying I should stop using my 2006 Dell laptop that still runs Windows XP?
Thanks for this post. The exact same thing happened to me in Spotify (only it was someone in Holland). It was the first time I had ever had an account hacked! First time I didn’t change the password, and got hacked again. Second time I changed the password, but got hacked again anyway. After the third time, I started seeing hacking into many of my online accounts (yes, guilty of reusing passwords) – Netflix, Uber, Postmates, etc. I will give one of these more secure options a try…and probably should cancel Spotify…
Hysterically (for this topic), I’m getting security certificate errors that I had to circumnavigate to read this post and I can’t access any of your other posts through the website or via links in my RSS feed.
Yeah, we’re in the process of transferring servers and everything is haywire. Fingers crossed that everything gets better soon! I can’t even access the stuff I wanted to work on today.
I came from the homepage to say “ooooh, nice new clean design,” and the articles don’t look like that yet, but the comments already do.
Nice job so far, keep it up!
Well, this isn’t actually the new design. We’re just moving to a new server in preparation to implement the new design. After we’re done with the move, the programmer will begin work on it. But we are implementing a couple of new, small changes as we do this.
I’ll say this, though: The site seems to be loading much faster at our new host, at least from a subjective standpoint. Wonder if this will continue.
Specifically I’m liking the new accidental typography as it appears on the iPad, if it’s any help. More leading + kerning is pleasing.
Agreed! I like the addition of the Like/Dislike buttons to the comments. Hopefully, once the new design is implemented there will be DATES on the comments as well! 🙂
Here’s the current problem with dated comments: In our master plan, Tom and I intend to have several sources of material for the front page.
First, there’s the new stuff that I write, which will remain the core of the site. Second is new stuff from staff writers and guests. But third will be older material that’s “brought forward”. There are thousands of articles in the archives. Once we’ve edited this back catalog down to the good stuff, there will still be several hundred. I want to re-publish one or two of these older pieces every week (often freshening them with new material and/or updates). And this is where we run into trouble.
I’ve republished several articles over the past year, and each time we run into issues with people being confused by the old comments. We want to leave some of the comments there because they add value and they encourage new discussion. But at the same time, people are left puzzled as to why a seemingly brand-new article has comments from twelve years ago. For now, we’ve removed comment dates as a way to handle this. We need another solution.
I think the best policy when republishing/modifying is to also mention the date of original publication. Otherwise it looks like lies.
And comments especially should keep their original date. Responding to a bunch of people only to realize later they aren’t here anymore also makes you feel utterly hoodwinked.
Look at how Kinja does it:
https://twocents.lifehacker.com/when-should-you-close-an-old-credit-card-1826428736
Date is fresh because the new writer republished another writer’s old work, and comments reflect their actual dates.
No need to change the date in an “unrefreshed” unmodified post though.
Also notice how Moustache allows access to old posts on a sidebar without a “republish” proper.
Thanks, Nerdo!
On the first couple of re-published articles, I didn’t do a good job of letting people know the stuff was brought forward. You all let me know I need to do this, and I have. And, like you, I prefer dates on comments too. I’ll check with Tom to see if there’s a technical reason we ought not do this. Maybe we’ll revert to a dated system and see whether it still causes confusion.
(Working on an update to an old article this very moment…)
There’s no need to have an additional email address. That would confuse most people and it’s unnecessary. The main thing is to make sure your email account has maximum security on it, strong password and hardware 2FA. Other than that your suggestions are all appropriate.
The private email had me stumped as well. What purpose is it supposed to serve?
One common way for hackers to get ahold of personal information is to gain access to your email account. Once they’re in there, they have nearly everything. By creating a private email account — one that you don’t use for any other purpose — you minimize the chance that they’ll find it (in the first place) and be able to get into it (in the second place).
If you want to set up a new gmail account that you will transition to being your very private, only for financial accounts email, do you add your phone number to that account? Do you add your previous, main email when it wants a backup contact email?
It is so you have an email account – that you don’t put on websites (which can get hacked), and is a backup for your primary email account. So basically, you have johndoe@gmail and you use this to sign up for everything. You have your alternate email for gmail being johndoebackup@gmail so that if someone compromises your johndoe@gmail account, you have the password reset capabilities already in place. If you have an android phone, and trust those SMS and other MFA capabilities of getting your gmail account back – that works. Otherwise, this is a great way for people that don’t buy into a one ecosystem/vendor methodology.
This is where bands with numbers in their names become handy, then you can have numbers, letters, capitals and special characters pretty easily. Something such as “TheJackson5Rocks!” or “Boyz2MenIsTheBestOfAllTime!” or “WhoLoves2Chainz_NotMe!”
Simple, easy to remember, has all the complexity requirements, satisfies the XKCD length conundrum.