The importance of internet security has gained prominence in recent weeks with the public release of images of well-known celebrities that were not intended to become public. (The “fappening”.)
This is an opportunity to give some thought to internet security and the use of “the cloud” (through its many incarnations, including iCloud, Google Drive, Microsoft SkyDrive, and Dropbox).
I’ll preface this by saying that I’m no expert at these things. I encourage you to read further on this and spend some time on developing your own thoughts and strategy in relation to whether and how you use the cloud.
- Using the cloud is a trade-off. It would, in my view, be a tragedy if this were to discourage a great number of people from using the cloud for backing up their photos and personal information. Why? Because, as with most things, using the cloud for backup and storage involves trade-offs. For many people, cloud storage is the only form of back up that they have. So the trade-off is that you’re addressing the risk of data loss against the risk of data theft. For most people, the risk of data loss is a bigger deal.
- On this note, one tenet that is relevant for many people is “security through obscurity”. If you have a high profile, or there is a reason people might want to access your data (eg because of your job or your level of wealth), then the risk (in terms of likelihood and potential consequences) associated with data theft increases. (You’ve probably heard the expression “all that glitters is not gold”…)
- You have to assume that if someone is sufficiently motivated, they will be able to access your information. The best you can do is to make it more difficult for them, and hope that your measures exceed their motivation and resources. In large part, internet security isn’t about outrunning the predator so much as outrunning other prey.
- In terms of practical things you can do, a key one is to use two factor authentication whenever it is available. If you don’t know what it is, learn about it. It doesn’t take long and in my experience it isn’t the hassle you’d expect.
- Consider using a reputable password manager. Like Password1 or LastPass. Trust me on this – using a password manager has improved the quality of my life immeasurably.
- Don’t save your passwords in your browser. Ie, when a site asks you to save your password for next time, do not select this box. (This is a lot easier to implement when you have a password manager.)
- If you’re going to remember passwords, use passwords that have a combination of lower and upper case characters, numbers, and symbols. A common approach is to have a sentence, and translate this into a password. Eg, remember “Jack and Dianne turn 22 next week!” can translate quite easily to “J&Dt22nw!”.
- If you’re going to remember passwords, don’t use the same password for all sites. At the very least, have a password convention rather than a common password which varies for every website. Eg “J&Dt22nw!” could be expanded to be “J&Dt22nw!Goo” for Google or “J&Dt22nw!Ama” for Amazon.
- With respect to security questions (for example, what was your primary school, what street did you grow up on, what is your mother’s maiden name), consider creating fake responses. Ie, create a dual identity, or borrow the answers of someone else you know well, such a spouse, a good friend, a parent, a sibling, or a pet.
- Consider “ringfencing”. Have an email address that you never use to send or receive emails to people, and only use to associate with signing up to important accounts. One way that I’ve heard that many people hack into an account is by trying to log into an account and trying to reset the password, which they can then do if they can access your email address. If they can’t identify the email address that the password reset request has been sent to, then the email address itself is effectively another password.
- Balancing all of these things, you also need to consider what might happen if something were to happen to you. (You don’t need to think of it as being hit by a bus – think of it, perhaps, as being tapped on the shoulder to become the next 007 and having to leave all vestiges of your old life behind.) It may be necessary for your executor or administrator or others to access your online accounts. Consider a strategy for how they might be able to put the pieces together.