Pardon me, but your passwords are leaking. Like, all over the internet.
The companies that store our information are selling it, losing it, and just plain giving it away. From security breaches at Target to Equifax, millions of passwords, social security numbers, and credit cards are now on the web. Account takeovers in 2017 resulted in $5.1 billion stolen from 1.3 million U.S. consumers.
Seriously, you can look yourself up on sites like Spokeo to see your data on public record and Have I Been Pwned to check if your email address has been compromised (if you have an old Yahoo e-mail from high school, I can almost guarantee it has).
Before throwing away your computer in Ron Swanson-like rage, know that there are actionable steps to take to lock down your accounts. Now that I share my net worth online, it was time for me to do a full security sweep, and I recorded each step to share with you.
Disclosure – this post contains affiliate links. If you buy a product through these links, I receive a small percentage at no extra cost to you.
If you don’t care much for the details and just want to know what to do, here is the quick and dirty summary:
- Download a password manager, then change your most critical passwords, such as your bank, credit card sites, and your emails.
- Make up or randomize answers to common security questions.
- Freeze your credit at all three credit bureaus.
- Enable 2-Factor Authentication on every site that supports it.
- Install a VPN.
- Remove your data from public aggregator sites.
Step 1: Password Manager
I held out on using a password manager for a long time, shying from the idea of putting all my password eggs in one basket.
Instead, I remembered them, organizing them into a few password “buckets.” There was a unique password for my Facebook and bank accounts. Then, I had variations on a theme for each email account. Finally, there was a common password for all those little inconsequential accounts that don’t have stored information about me.
It worked fine for me, and I haven’t suffered a hack besides my ages-old middle school e-mail. I gladly let the hackers have it, hoping that it would never be associated with me again. Middle school was an embarrassing time when one might (hypothetically, of course) make emails containing words like ‘roflcopter’ or ‘sparklez’. It was most likely compromised by the Neopets hack, a hazy era of my life where I didn’t shop online or have access to a credit card.
Even though nothing important to me has been compromised, the fact of the matter is that my brain can’t store hundreds of passwords with the ideal complexity. As much as I hate to admit it, my brain’s password basket is flimsy and easy to knock over.
A password manager can generate secure passwords that meet all of the ever-changing requirements of the sites you visit and then store them in order to auto-fill the next time you log in.
Password managers like LastPass, 1Password, and Dashlane have withstood the test of time. What finally convinced me to use a password manager was understanding that even if hacked, your data is completely encrypted and unreadable.
If someone at LastPass was kidnapped and held for ransom for your bank password, there would be no way, even with their insider knowledge, to access your data. The only way to read the information is by using your master password. Good for me, bad for the hostages.
A Single Master Password
Mr. Mechanic once forgot his LastPass password and lost access to his account, which was a wake-up call to make a secure but memorable master password.
One way to pick a memorable password is to pick up a book and circle four or five random words to use as your password. The webcomic XKCD expands on this strategy. As an example, I grabbed Randall Munroe’s book What if? and cobbled together this password: “dubbed shoebox large transfer.” A thief is more likely to steal your electronics than that book (unless they are a huge nerd) and even less likely to know that the circled words mean anything (unless they are actually in a Dan Brown novel).
Ultimately, the tradeoff of setting up LastPass and installing it across devices is worth having strong, unique passwords safeguarding every account you set up.
Step 2: Randomize Answers to Security Questions
We’ve had to answer security questions before, but the questions don’t provide as much security as we once hoped. Your mother’s maiden name is available through public record. The name of the first company you worked for is available on LinkedIn. Your Facebook reveals your high school mascot. Each detail is something we would readily write up in a Facebook survey Kathy tagged you in called “10 Facts About Me You Never Knew!” or just while oversharing with our dentist.
Here are two methods to circumvent this flaw:
- Make up a memorable but nonsensical answer to use from now on.
- Generate randomized answers and save them in LastPass.
For example, your mother’s maiden name might be Smith, but from now on use something that would be more difficult for a fraudster to guess, like Smithsonian. When asked about your favorite book, you can store your random answer of “fYW69!H)tb]Fb3Fj”, in the secure notes section of LastPass.
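The two generators below are an added example, not code from this post or from LastPass. They show the “circle words in a book” passphrase idea from Step 1 and the random security-question answer from Step 2 done with a cryptographic random source, and they put a number on why each is stronger than a fact from public record. The short word list is constructed for the demo; a real passphrase should be drawn from a large published list such as the EFF long list, which is the 7,776-word size the strength comparison assumes.

```python
import math
import secrets
import string

# Constructed mini word list so the demo runs offline. Real passphrases should be
# drawn from a large published list (e.g. the 7,776-word EFF long list); the
# strength math below is what matters, not these particular words.
DEMO_WORDLIST = [
    "dubbed", "shoebox", "large", "transfer", "orbit", "cactus", "velvet",
    "pixel", "harbor", "lantern", "meadow", "quartz", "saddle", "tundra",
    "walnut", "zephyr",
]

# Printable ASCII minus whitespace: the character set a vault's generator
# typically uses for an answer you will never have to type from memory.
SYMBOL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(choices_per_element: int, elements: int) -> float:
    """Bits of entropy when every element is chosen uniformly and independently."""
    return elements * math.log2(choices_per_element)


def make_passphrase(wordlist, words: int = 4, sep: str = " ") -> str:
    """Pick words with the OS CSPRNG (secrets), never random.choice."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def make_random_answer(length: int = 16) -> str:
    """A throwaway answer in the style of "fYW69!H)tb]Fb3Fj"; store it in the vault's secure notes."""
    return "".join(secrets.choice(SYMBOL_ALPHABET) for _ in range(length))


def compare_strength(wordlist_size: int = 7776, words: int = 4, answer_len: int = 16) -> dict:
    """Entropy of a four-word passphrase from a full list versus a 16-char random answer.
    A real maiden name such as "Smith" is on public record and contributes 0 bits."""
    return {
        "passphrase_bits": entropy_bits(wordlist_size, words),
        "random_answer_bits": entropy_bits(len(SYMBOL_ALPHABET), answer_len),
    }


if __name__ == "__main__":
    print("master passphrase:", make_passphrase(DEMO_WORDLIST))
    print("security-question answer:", make_random_answer())
    print(compare_strength())
```

Four words from a 7,776-word list give about 52 bits, which is why the book trick works only when the words are picked at random rather than chosen because they sound nice; the 16-character random answer is around 105 bits and exists purely so that “What was your first car?” stops being a question anyone can look up.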
Step 3: Freeze Your Credit!
Identity theft is a nightmare, and the ramifications of someone opening new lines of credit in your name and dragging you into debt are severe. One quick and easy way to safeguard against identity theft is actually quite simple, and takes only 15 minutes: freeze your credit.
You used to have to pay to freeze your credit and again when you wanted to allow creditors access to it. Even when you had to pay, it was 100% worth the extra security.
Thanks to the 2017 Equifax breach when 143 million people had their social security numbers, addresses, driver’s license numbers and other information exposed, credit freezes are now free. As online attacks are primarily financially motivated, it is critical to lock down your credit so nobody can pretend to be you to finance their new Ferrari.
You can temporarily lift the freeze if you want to sign up for a new credit card or take out a loan, and it will not negatively affect your score at all. Anybody trying to sign up for a new line of credit in your name will be unable to without the PIN you are provided upon freezing. (Be sure to store your PIN somewhere you won’t lose it!)
First, get your free yearly credit report to check if there is any suspicious activity. Then, lock it down.
Step 4: Two-Factor Authentication
Signing in with your username and password is one-factor authentication (1FA). Add in another layer of security — a fingerprint, a text, or an email — and you have two-factor authentication (2FA).
Recently, someone accessed Mr. Mechanic’s e-mail account and set up a filter to send all e-mails from Amazon straight to the trash before ordering a bunch of gift cards online and a GoPro to our house. He only found out through the Amazon App when he got a “Your package is being delivered” text; otherwise, we would not have known until either the package or the $300 bill arrived.
If he had used 2FA, the hackers would not have been able to get into his account. As it was, a couple of calls solved the issue, but I don’t like to imagine what would have happened if it were his PayPal or bank account instead.
It took me embarrassingly long to get around to setting up 2FA on my accounts. It felt like a tedious extra step to log in. In my security overhaul, I checked this list, and added 2FA to every site I used that supports the extra protection.
The PIN gets sent to my phone immediately and I key it in. Simple. It might be one more step for you, but that means it is one more layer of security to keep you safe.
Note on SIM Hacking
There was a fascinating episode on the podcast Reply All called The Snapchat Thief, wherein hackers bypassed 2FA by contacting phone carriers to swap numbers to a new phone. This meant that recovery emails were sent straight to them.
There are three methods to stop this kind of hijack:
- using a 2FA soft code generator like Google Authenticator or Authy
- using a hardware method like a YubiKey
- routing 2FA through a Google Voice phone number.
For convenience, I recommend getting the free Google Authenticator app and using it on any sites that support it. Here is a guide with examples of how to set up 2FA for WordPress, Outlook, Evernote, Dropbox, and LastPass. If you are very serious about locking down access and don’t mind needing a physical key to get into your accounts, buy a YubiKey.
In addition, when registering contact info for password recovery, you can use a Google Voice number, which is hijack-proof. You can port your own number to Google Voice for $20, or generate a new Google Voice number for free. Generating a number took a matter of minutes, and I got to choose a Denver area code! Google will route texts and calls to your Google number straight to your phone, and it can’t be ported away in a SIM-hijack.
Both options will increase the security of your Google account, Apple device, Twitter, Instagram, and other social profiles.
Step 5: Use a VPN
When you connect to public WiFi, you run the risk of a cybercriminal intercepting your unencrypted data. Personal VPNs secure your web traffic and protect you from these types of attacks.
It is hard to find reliable, free VPN services. The process requires servers and bandwidth to function, so they need to profit somehow. Most free options do this by selling your browser history, inserting ads into pages you view, or piggybacking traffic onto your personal bandwidth. Avoiding these invasions often requires paying for the service. Your best bet is to find providers that offer free tiers of VPN services along with premium paid options.
The best free option I could find is Windscribe, which provides 10GB of data monthly with unlimited connections. Our data usage runs around 30GB a month, largely due to video streaming at home. We don’t mind the world knowing that we are still only on Season 3 of Game of Thrones (no spoilers please!), but as for our logins and financial transactions, we make sure the VPN is on.
Encrypt.me is a highly regarded VPN that goes for $9.99 per month or $99.99 for the year. It has a streamlined interface and works for multiple platforms.
Note on HTTPS
One of the major risks of accessing public hotspots is that unencrypted data can be intercepted. One nice add-on to have is HTTPS Everywhere, which defaults to HTTPS on sites that support it.
Step 6: Clean up your Data
After you have finished the big hitters (using a password manager, freezing your credit, setting up 2FA, and installing a VPN), you can follow one more step to keep your data from being easily searchable.
Several aggregator sites collect data on you, but they will remove it if you ask. I went through the steps at the end of this workbook to remove my data. What I found on these sites was interesting. I saw my employment history attributed to someone else with the same name.
There was a satellite map that pinpointed my exact address, and another showed the last 5 addresses where I lived (which are coincidentally security questions I answered to prove my identity to the credit bureaus when I froze my credit).
It should not have been surprising, but it was a bit of a shock to see that anybody could look up where I live knowing only my name.
Head to these sites and opt out:
- MyLife (which creepily also has a ‘reputation score’)
Bonus: You know those credit card offers you get in the mail? Through doing research for this post, I found out that Consumer Credit Reporting Companies are allowed to include your name on those offer lists. I pick out good credit cards myself, so all those letters are a waste of time and paper. I found out that you can opt out electronically from receiving offers for 5 years.
Financial security comes in many forms, from the knowledge that you can pay your next bill to the literal lockdown of your financial accounts. Prepare for inevitable attacks by following the checklist and securing your financial future. Practice security as you would practice for skydiving: it is worth the hours on the ground prepping for a bad situation. When it comes to parachutes and passwords, a lot is at stake. Do the due diligence to ensure your safety and security.
Have you ever been hacked? Do you have other recommendations for keeping your finances secure? Am I the only one with an embarrassing middle-school e-mail address?
Leave a comment below!