Tips from ConnectSafely.
Never give out your password to anyone.* Never give it to friends, even if they’re really good friends. A friend can – maybe even accidentally – pass your password along to others or even become an ex-friend and abuse it.
Don’t just use one password. It’s possible that someone working at a site where you use that password could pass it on or use it to break into your accounts at other sites.
Newest advice: Use a passphrase. The FBI along with other security experts are now recommending a “pass phrase” rather than simply a password. Such a phrase should be relatively long – at least 15 characters. In a memo, the Oregon branch of the FBI recommended a pass phrase such as “VoicesProtected2020WeAre,” For example, a phrase such as “VoicesProtected2020WeAre.” An even better passphrase would combine “multiple unrelated words, such as “DirectorMonthLearnTruck.” Obviously don’t use these examples but build your own based on this advice. Although this wasn’t part of this advice, it’s not a bad idea to also include numbers and special characters like $, % or #. Some sites require special characters as well as numbers and upper case letters. Never use the same password on multiple accounts but you could use the same phrase with a slight modification like adding a word or two to remind you of the site you’re logging into.
Think of something that you can remember but others couldn’t guess and using famous quotations that might be easy to guess.
Older advice that’s still good includes:
Make the password at least 15 characters long. The longer the better. Longer passwords are harder for thieves to crack.
Include numbers, capital letters and symbols. Consider using a $ instead of an S or a 1 instead of an L, or including an & or % – but note that $1ngle is NOT a good password. Password thieves are onto this. But Mf$J1ravng (short for “My friend Sam Jones is really a very nice guy) is an excellent password.
Don’t post it in plain sight. This might seem obvious but studies have found that a lot of people post their password on their monitor with a sticky note. Bad idea. If you must write it down, hide the note somewhere where no one can find it.
Consider using a password manager. Programs or web services like RoboForm (Windows only) or Lastpass (Windows and Mac) let you create a different very strong password for each of your sites. But you only have to remember the one password to access the program or secure site that stores your passwords for you. Make sure that you have a very strong password for your password manager because, if it’s breached, it can be used to access all of your accounts.
Use multi-factor authentication. Many services offer an option to verify your identity if someone logs on to your account from an unrecognized device. The typical method is to send a text or other type of message to a mobile device registered to you with a code you need to type in to verity it’s really you. In most cases, you will not be required to use this code when logging on from a known device such as your own computer, tablet or phone.
Don’t fall for “phishing” attacks. Be very careful before clicking on a link (even if it appears to be from a legitimate site) asking you to log in, change your password or provide any other personal information. It might be legit or it might be a “phishing” scam where the information you enter goes to a hacker. When in doubt, log on manually by typing what you know to be the site’s URL into your browser window.
Make sure your devices are secure. The best password in the world might not do you any good if someone is looking over your shoulder while you type or if you forget to log out on a cybercafe computer. Malicious software, including “keyboard loggers” that record all of your keystrokes, has been used to steal passwords and other information. To increase security, make sure you’re using up-to-date anti-malware software and that your operating system is up-to-date.
Use a “password” or fingerprint or facial recognition for your phone too. Most phones can be locked so that the only way to use them is to type in a code, typically a string of numbers or maybe a pattern you draw on the screen. Some new phones allow you to register fingerprints, which are quite secure. Sometimes when people with bad intentions find unlocked phones, they use them to steal the owners’ information, make a lot of calls, or send texts that look like they’re coming from the owner. Someone posing as you could send texts that make it look like you’re bullying or harassing someone in your address book with inappropriate images or words.
* Some parents ask their kids to share their passwords with them. This might be OK with young children, but you might want to respect your teen’s privacy and not ask. Also, if you do ask your children for their passwords, make sure they understand that this is a rare exception to the “do not share password” rule.
More security advice
Although there can never be a 100% guarantee of safety and security online or offline, there are things you and your kids can do that can greatly reduce the chances of something going wrong:
- Be careful where you click. Fake or malicious websites and apps (or legitimate ones that have been hacked by criminals) can jeopardize your device and the data on it. These sites can install malicious software onto your device if you visit them or perhaps click on the sites’ links. Malicious apps can also steal your information. Often they look legitimate, offer something that is too good to be true or contain some type of “forbidden” content such as sexually explicit material, gambling or free movies or music. Rogue apps can look like and have similar names as legitimate ones they imitate. Then there’s “clickjacking” – bogus links on social media pages that have been hacked. They appear to link to something tantalizing but instead redirect you to a site that contains spam advertising, plants malware on your device or posts bad links on your own profile.
- Don’t get caught by phishers. Phishing is when you get an email or a social media message that looks like it’s coming from a legitimate place such as a bank or a social networking site. If you click on a link in the message, you’re taken to a website that looks legitimate but could be run by criminals trying to trick you to sign in with your username and password so they can capture that information. Your best bet is not to click on the link but rather type the Web address (such as mybank.com) into your browser window and go the site that way.
- Keep software & apps up-to-date. Regardless of whether you’re using a computer or a mobile device, it’s really important to keep your mobile and PC operating systems and your apps and software current, because it’s not uncommon for companies to discover security flaws and vulnerabilities that they fix with updates. This is especially important for operating systems and web browsers that can be more vulnerable to attack if not up-to-date (check to see if they update automatically). And if you update an app or program, check the privacy settings again to make sure they haven’t gone back to the default settings.
- Use security software. It’s a good idea to have security software installed to protect your device. There are both paid and free programs for Windows and Macintosh computers and security apps for smartphones and tablets. Make sure you’re dealing with a reputable security company.
- Watch out for scams. Big news stories about famous people or natural disasters and other major events raise curiosity and web traffic, which brings out the scam artists. When disasters happen, good-hearted people young and old can be vulnerable to fake appeals for aid. If you get a charity appeal, type the cause or organization into a search box and you’ll often find an official site along with numerous others that seem to be related. The official sites usually turn up at the top of search results. They’re fine, as are sites from legitimate news organizations covering the event, but approach other sites with caution, and do a little Web research about disaster relief and other charities.
- Be careful before downloading. Be very careful when installing apps and if you’re asked to download a plug-in, document or application, such as to watch a video. Sometimes these downloads contain malicious code. Most videos don’t require software that’s not already on your device. If you think you need a plug-in or an app, do a little research to make sure it’s legitimate..
- Remember, if it’s too good to be true, it probably is. Be wary of attractive offers such as the chance to watch or download a movie for free, free music from untrusted sources, or free “keys” to unlock codes for software that usually isn’t free. While some artists do offer free tracks on their official sites and movie companies free trailers, be suspicious of free offers, especially if they’re not on the official site of the content owner. There is a lot of free shareware or open source software, but download it from a known reputable site such as Download.com or SoundForge.com that scans for malicious programs.
- Shop on secure sites. You’ve probably noticed that every web address has “http” at the beginning. If there’s an “https,” the “s” stands for “secure,” which means the site provides an extra layer of security. For example, those “https” sites encrypt or scramble your password, credit card numbers and other information so they can’t be used if intercepted.
- Use secure Wi-Fi. Be sure that your home network uses encryption and a password to prevent others from accessing it and be careful when using Wi-Fi at coffee shops, airports and other public places. Only sign into known networks (like those operated by the establishment) and, because public networks are often less secure than private ones, avoid banking or shopping or doing anything highly confidential when using public Wi-Fi.