So, my, um, friend was looking at a list of the weakest passwords recently. And it turns out my … friend’s password was on there.
Wow. Like what? 123456? Qwerty? Trustno1?
Your friend sounds like a real dummy.
Actually, my friend is very smart and good-looking. But here’s the thing: My friend isn’t actually doing anything particularly secret online. Does it even matter?
More than you might expect. Think back to the 2014 Sony hack, in which huge amounts of data from company employees showed up online. It was emotionally, professionally, and even financially devastating for many of them, and not because they’d actually done anything wrong. Much the same was true of the Democratic National Committee hack, where mass data dumps left the curious poring over information as benign as John Podesta’s risotto recipe. That kind of scrutiny can be bad for even the best of us. In other words, you don’t have to sign up for a dodgy pro-cheating website to be hurt by a data breach. And that doesn’t even take into account the risks of, say, your credit card information or Social Security number leaking. (I bet that if your friend uses “letmein” or “abc123” for his email, he’s also using it for his Amazon account. That reuse is the real danger: once a weak password leaks from one site, attackers simply try it on every other site where you might have used it.)
Yikes! What if I’ve already been hacked? Is it possible I wouldn’t know it?
Given that a whole host of popular sites—including Yahoo, LinkedIn, eBay, and MySpace—have been compromised, it’s not just possible, it’s actually likely. The Yahoo case is particularly bonkers, since that breach pulled in 1 billion email accounts, with the hackers apparently scraping up all sorts of personal information along the way. The New York Times put together a useful interactive to help people figure out whether they’ve been pulled into one of these massive hacks. There’s also the site haveibeenpwned.com, which tells you whether your email address shows up in publicly accessible data dumps from any breaches. Not showing up there doesn’t mean you’re safe, though: The site can only know about breaches that have become public.
And before you ask: Yes, I have been pwned. Five times, apparently.
So what do hackers, you know, do with the information once they have it?
More often than not, it gets bundled up and sold in bulk via underground marketplaces on the internet. Once your information has been stolen, it might end up circulating widely, sold and resold, copied and pasted, in a variety of forms. Some research indicates that hackers can net millions from those misdeeds. The buyers stand to make even more by extracting credit card info, ransoming accounts, and so on. In other words, cybercrime really does pay.
Well, if everyone’s going to get hacked, maybe I should just give up, right?
I don’t like that defeatist attitude one bit. If you learn a little about cybersecurity, you might be able to get a better sense of what sites and services you should trust in the first place.
What should I be looking for?
That’s going to depend on what actually worries you, but if you’re even a little concerned about privacy, you might want to seek out services that employ end-to-end encryption, a system in which only the sender’s and recipient’s devices hold the keys to encrypt and decrypt a message, so that not even the company running the service can read it. Plenty of messaging services already feature this technology: It’s helped drive the global popularity of WhatsApp, for example. And lately, an app called Signal has grown increasingly popular with the security community.
As that example suggests, there’s long been a symbiotic relationship between privacy advocacy and the push for stronger cybersecurity. Among other things, advocates have successfully resisted legislation that would have given the president power to shut down the internet or allowed companies to share information about their users with the National Security Agency. They’ve also been critical of attempts to create encryption backdoors, which would allow the government access to otherwise secure systems, pointing out that such initiatives ultimately make everyone less secure. More recently, the Federal Communications Commission has pushed through regulations that require companies to better protect customer data, though we still have a long way to go.
What should I be doing right now, then?
You can start by giving some thought to what you share online and how you share it. Think about what you put up on social media platforms, for example. The information that you leave there could be giving would-be hackers everything they need to weasel their way into your other accounts through social engineering. A clever attacker may not even need you to explicitly provide the details that they’re looking for: If they can figure out, say, your mother’s maiden name, your cat’s name, or your childhood best friend (which may just be a matter of monitoring your public interactions), the security questions on your bank account may not provide much protection.
Similar considerations may come into play for the rest of your web presence. You can’t definitively stop a large-scale hack from happening in the first place, but you can at least limit your exposure. And, of course, you probably should worry about sealing off your own accounts, even if you don’t expect anyone will snoop around in them.
It sounds like you’re going to want to start by getting yourself a stronger password. Given that you can’t always trust those password-strength meters—and regularly changing your password may degrade its quality—experts tend to recommend that you get a password manager. Password managers are systems that generate and store a long, random, different password for every site, so that one breach can’t unlock the rest of your accounts. All you have to do is remember the one (preferably very long) password that gets you into the manager itself. While these systems may have weaknesses of their own, they’ll probably be a lot more secure than whatever you’re doing now.
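What a password manager actually does when it “generates” a password is draw characters from a cryptographically secure random source, and the strength of the result is set by the size of the alphabet and the length, not by how clever it looks. The following is an added example, not code from the article or from any particular manager: It generates passwords with Python’s `secrets` module, enforces a character-class policy by rejection sampling (so the distribution stays uniform rather than being skewed by “fix-ups”), and estimates the entropy in bits. The symbol set and the 20-character default are assumptions chosen for this example.

```python
import math
import secrets
import string

# Assumed symbol set for this example; real managers let you tune this
# to what a given site accepts.
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?/"
FULL_ALPHABET = string.ascii_lowercase + string.ascii_uppercase + string.digits + SYMBOLS


def random_password(length: int = 20, alphabet: str = FULL_ALPHABET) -> str:
    """Draw each character independently and uniformly using the OS CSPRNG.
    Never use the `random` module for this: its generator is predictable."""
    if length < 4:
        raise ValueError("length must be at least 4 to satisfy the class policy")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def has_all_classes(password: str) -> bool:
    """Policy check: lower, upper, digit and symbol must each appear."""
    return (
        any(c.islower() for c in password)
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in SYMBOLS for c in password)
    )


def generate_password(length: int = 20) -> str:
    """Rejection sampling: regenerate until the policy holds. Patching a
    non-compliant draw (e.g. forcing a digit into position 0) would make
    some passwords more likely than others; resampling does not."""
    while True:
        candidate = random_password(length)
        if has_all_classes(candidate):
            return candidate


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Upper bound on the entropy of a uniformly random password. The class
    policy removes a tiny fraction of the space, so the true figure is a
    hair lower; for 20 chars over 88 symbols it rounds to the same value."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"({entropy_bits(len(pw), len(FULL_ALPHABET)):.1f} bits)")
    # A human-chosen "letmein" is at most 7 * log2(26) ~ 33 bits even if it
    # were random, and it is on every attacker wordlist, so in practice 0.
    print("letmein", f"({entropy_bits(7, 26):.1f} bits at best)")
```

Entropy is what a strength meter is trying to guess from the outside; a generator knows it exactly, which is why a random 20-character password from a manager beats any memorable scheme you invent and why the only password worth memorizing is the manager’s master password.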
Over the course of this month, we’ll go into a lot more depth about the actual steps you can take, like:
- setting up a virtual private network, which can protect you when you’re on public Wi-Fi
- using multifactor authentication, which makes it harder for someone to log into your accounts without
- cleaning up your social media presence
- using the Tor browser, which helps anonymize and encrypt your web surfing
But I want to make changes to my cybersecurity practices now.
As we’ve suggested in the past, it might be worth putting a sticker over your computer’s camera. Like many of the suggestions we’ll be offering this month, that may seem a little paranoid, but as the artist Momus put it almost 20 years ago, “Paranoia’s simply a word for seeing things as they are.”
And this is easier said than done, but as Jamie Winterton has written in Future Tense, you shouldn’t log on to public Wi-Fi networks anywhere that you wouldn’t walk barefoot. When you do, you’re exposing yourself to all sorts of risks, including man-in-the-middle attacks, where a malicious party puts themselves between you and an authentic site you’re trying to visit in an attempt to collect your information. Sticking to sites served over HTTPS, and using a VPN, narrows that window considerably, but it doesn’t close it.
OK, so better passwords, encrypted communications, VPNs, social media audits. Is that everything?
Not even close. We’ll be going into detail about a lot of these issues in this Futurography course, so come back in the next few weeks to learn ways to help keep your, uh, friend safe.
This article is part of the cybersecurity self-defense installment of Futurography, a series in which Future Tense introduces readers to the technologies that will define tomorrow. Each month, we’ll choose a new technology and break it down. Future Tense is a collaboration among Arizona State University, New America, and Slate.