Friday, August 26, 2011

Fundamental Online Security

Working at a payment processing company, I've come to appreciate the importance of online security much more than before. While many aspects of security are somewhat niche, I often think about how a few of the practices I now take for granted are actually fundamental enough that absolutely everyone should be using them. I'm talking about the kind of practices that we should be ashamed if we don't help ensure that our family and friends understand and are applying rigorously. When I boil it down to that, there's really just one thing that I hope absolutely everyone will do: use a unique password for your email.

Secure your email! (do it now; we'll wait)

Often folks who are less internet savvy overlook the importance of protecting their email account, and they tend to reuse the same passwords for every account they create on the internet. It's much more obvious that we should use a unique and complex passwords for logging into our bank accounts, for example, and we tend to think it's not as crucial that we do the same for our email. What we overlook is that anyone with access to our email can often trivially gain access to most of our other accounts by simply requesting a password reset.

If you use your email password for any other account, you're almost certainly putting too much trust in someone else's security. While well-known sites are likely to have better security in place, it's not always the case. Millions of accounts were compromised only a few months ago via Sony's PlayStation Network, and the email addresses and associated passwords have already gotten into way too many hands. It's safest to trust no one.

It's worth noting that some sites, particularly banks, have extra steps in place to make it somewhat more challenging for a stranger with access to your email account to reset your password. However, there are far more sites we've given personal information, including saved payment information. Imagine someone with access to your email account gaining access to an online merchant via password reset and using your saved payment information to make purchases.

So long as web sites use the ability to access to your email account as proof of your identity, protecting access to your email account is fundamentally important. Please tell your friends.

Anything else?

Beyond using a unique and complex password for your email account, further security suggestions require a bit more effort. While I think they're all good advice, it's really going to be up to you how much you're going to be willing to do to improve your personal online security. There are two things I recommend.

Switch to Gmail. I hate this one on principal, as I think people should be able to use whatever email service they like best. However, Gmail offers a couple of really nice security features.

In particular:
  • You can set up two-factor authentication, such that you have to enter a six digit code from an authenticator app on your phone. Meaning, in general, no one can access your email without both your password and your phone/authenticator.
  • Gmail also allows you to set up application specific passwords, so for example, if you use a special IM client, you can provide it a one time use password, with the ability to revoke access from that application at any time without having to change your primary email password.
  • As a bonus feature, Gmail allows you to add custom strings to your email address that can help track and filter messages based on where they came from. For example, when providing my email address to a new website, I can use my_username+customstring@gmail.com. I usually make the custom string the domain name of the website so I can easily tell who I gave the address to. Messages sent to this address will ignore the + and everything after up to the @. If a website shares my email address with spammers, I will easily know who leaked my address, and Gmail makes it easy to then filter any incoming mail with my custom address straight to my spam folder.
Second, use a password generator and create unique passwords for every account. This sounds like much more of a pain than it actually is. There are applications that provide support for this, some with browser plugins, and quite frankly, they're life changing. I recommend both 1Password and Keepassx. Basically whenever you're creating a new account, you allow 1Password/Keepassx to generate the password and save your account information in its internal database. You can comfortably generate very complex passwords and not have to worry about memorizing them.