Securing your central email account
Almost every service you use will allow you to reset your password by sending an email to the address you gave them when you signed up. This means it is critical that you protect that email account as much as you can. To this end, make sure that the account supports two factor authentication and that you enable it. It is a little bit of extra hassle to set up, but the extra security it buys you is absolutely worth it. Currently, as far as I know, GMail and Facebook do support this (your phone being the second factor in both cases). Unfortunately Yahoo, Outlook and Hotmail do not.
Furthermore, don't use an address from your employer or your internet provider as your central account. If you do, it will be a pain in the ass if you ever change internet provider or move to another job, because all of a sudden you need to go in and reconfigure all your accounts to another email address. Keep in mind as well that your employer has the right to read and use your company email, so using it for anything you want to keep to yourself is just a bad idea.
As a side note, if you use Google Authenticator for your Google account you only get one chance to set up a device for it (otherwise you have to start over from the beginning), so if you want it on more than one device make sure you set them all up while you still have the chance.
Handling your passwords
Creating secure passwords is getting harder and harder. Here are some tips about what to do now.
- Make sure they are at least 8 characters long, preferably longer.
- Use lower case, upper case, digits and special characters in your passwords.
- Don't use passwords that are words or combinations of words.
- Don't use the same password for all your sites. At the very least use separate passwords for sites that are important (for instance your central email account, accounts that deal with real money, or sites where you have saved your credit card information).
- One method to make a password more secure is to use password haystacks (padding a short but complex core with repeated characters so the password becomes much longer).
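As an added illustration of the rules in the list above (example code, not from the original post), here is a small checker that applies them and estimates the brute-force search space, which is what haystack padding increases. The word list is a constructed stand-in for a real dictionary.

```python
import math
import string

# Constructed stand-in for a real dictionary (assumption: a real check
# would load a full word list such as the system dictionary).
COMMON_WORDS = {"password", "secret", "dog", "house", "summer", "letmein", "monkey"}

CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def classes_used(pw):
    """Names of the character classes that actually appear in pw."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in pw)}


def is_word_combination(pw):
    """True if the letters of pw (case-folded, digits/punctuation dropped)
    can be split entirely into dictionary words, e.g. 'doghouse' or 'Dog1'."""
    letters = "".join(c for c in pw.lower() if c.isalpha())
    if not letters:
        return False
    # ok[i]: can letters[:i] be segmented into words from COMMON_WORDS?
    ok = [True] + [False] * len(letters)
    for i in range(1, len(letters) + 1):
        ok[i] = any(ok[j] and letters[j:i] in COMMON_WORDS for j in range(i))
    return ok[len(letters)]


def search_space_bits(pw):
    """log2 of the brute-force search space (alphabet ** length), where the
    alphabet is the union of the classes used. Padding a short core with a
    repeated symbol (the haystack idea) grows this linearly with length."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def check_password(pw):
    """Apply the rules from the list above; returns the names of failed rules."""
    failures = []
    if len(pw) < 8:
        failures.append("too_short")
    if len(classes_used(pw)) < 4:
        failures.append("missing_class")
    if is_word_combination(pw):
        failures.append("dictionary_words")
    return failures
```

Note that a padded haystack such as "D0g....................." passes every rule and has a far larger search space than a short complex password, but only as long as the padding pattern itself is not guessable.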
What I am trying to say here is that you really can't realistically remember all your passwords everywhere, and I can totally recommend LastPass to help you out. For a detailed evaluation of its security model check out this Security Now episode.
In case you don't have 2 hours to watch the video, here is the short version.
- It is completely Trust No One, meaning LastPass can never retrieve your passwords even if they wanted to.
- It supports two factor authentication (Using Google Authenticator from above).
- It supports every platform that I use. The iOS support kind of sucks though. On Android you will want to use either the Dolphin or Firefox browser.
- It contains a password generator, so you don't have to think up good passwords yourself.
Make sure you have a backup of everything
This can't be repeated enough. Even though data is rarely lost from online services, it does happen, and worse, an attacker might wipe an account once they are done with it just to cover their tracks (as happened in the Mat Honan case mentioned above).
Backupify is a great service that allows you to back up a lot of online services. For your computers I can recommend Crashplan, which is very cheap and easy to set up but still has tons of features for the advanced user. If you make a backup onto an external drive, make sure that drive is not stored in your house, since a fire or a burglar might get to both the original and the copy if they are kept in the same place.
Don't enable remote wipe of your laptop
One of the main reasons the Mat Honan hack turned so disastrous was that he had enabled remote wiping on his laptop, so when a hacker compromised his iCloud account they could also wipe his laptop. Remote wipe is a feature that makes a lot of sense on a cell phone, which most of us have lost at least a few of by this point in our lives. Laptops are lost far more rarely, and unless you have critically secret stuff on yours I don't think the risk of someone being able to remote wipe it simply by getting into one of your cloud accounts is worth the benefit. If it is worth it for you, make sure you have that backup.
Keep your password recovery questions secret
A lot of services allow you to set up security questions that allow you to reset your password. Make sure that the answers to these questions are not available online.
For example, your first school is probably not a good idea if you grew up in a small town like I did, since there aren't that many schools to choose from. Other bad examples are your mother's maiden name or your first car (are you sure you didn't post a picture of it somewhere?).
Also, don't post your exact address online. Knowing your address is a good place for someone who wants to hack your accounts to start: it might help with both security questions and social engineering. Just don't do it.
The state of security for online banking in the US is just atrocious compared to Sweden, but there is at least one thing you can do to make it a little bit safer.
Many banks allow you to select the username and password you log in with. Make sure that both of these are secret and not related to any publicly known information about you. On Wells Fargo and Bank of America you can reset the password by knowing your ATM card number, PIN and online username. This means that if your username is for instance your name (which is also printed on the card) and someone skims your ATM card, they can also get into your online account and potentially do a lot more damage.