10 Security tips for the average user

Hi there. I hope you’ve had a good holiday and New Year’s celebration! For this blog, I thought I’d do something a little different, and go over 10 Security tips for the average user.

For many technical people, the festive season is the perfect time for family and friends to quiz them on technology related questions and advice, and I was no exception! Off the back of this, I felt I should write something a bit more structured than my usual ramblings. Oh, and this is mostly around Apple Computers, iPhones and iPads, but should have some relevance no matter what you use.

Lets get to it…

1. Update all the things!

Always run the updates for your computer, phone, table, software, Apps, CCTV, Internet routers, wireless, games consoles, robot cleaners, fridges, microwaves, etc etc etc.

These updates don’t just contain new features (new Emoji?!) and fixes to annoying issues, they’ll also contain fixes to issues to do with the security of your device, helping to reduce the likelihood that you’ll be ‘done over’. Additionally, once these updates are out, attackers can work on reversing the fix to see what the fuss was about, meaning that they can start targeting people who haven’t run the update.

Yes, I know that these updates can change how things look, how they behave, perhaps even break something you use all the time. For that I have a few suggestions:

Wait a week or two after an update comes out before installing it, perhaps even reach out to your family-/friend group’s Techie to ask.

and…

1. *BONUS* Backup all the things!

Backup everything that you can. Lots of technology items include some sort of backup solution. Please use it. It can save those irreplaceable pictures of your 21st Birthday, or the kid’s first birthday.

If you’re using an Apple Computer (OS X / macOS), consider using Time Machine.

If you’re using an Apple iPhone or iPads (iOS), consider using iCloud or iTunes backups.

2. Turn on encryption

Turn on whatever encryption system your technology device has (if it has one). This will make it much harder to get into your gadget if you forget the password, but also means that should that gadget go missing, your saved bank account details and Candy Crush score will be safe.

If you’re using an Apple Computer (OS X / macOS), consider using FileVault.

If you’re using an Apple iPhone or iPads (iOS), simply set and use a passcode!

3. Use a password on your device

Please please please please set a password on your device. If you’ve bought a CCTV system, please make sure to change the password from whatever the default is (I bet it’s admin/admin or root/1234?).

Why? Well, firstly, it’ll help to stop anyone who can get access to your item from being able to access your any private information (much like point 2 above), including access to your CCTV recordings (“hmmm, looks like the Smiths have left the house for the day, time for some uninterrupted burglary…”),

Do you ever leave your front door unlocked when you leave?

Do you ever leave your car unlocked when you park it?

It’s the same reasoning.

3. *BONUS* Got a new Apple iPhone / iPad? Take it to 11!

If you’re lucky enough to have a newer Apple iPhone with a fingerprint sensor (TouchID), or the flash new iPhone X with the Face Reader (FaceID), consider using a longer passcode than the standard 4-/6-digits, perhaps even a more complex password. You’ll be using it considerably less (since you can unlock your device with your finger / face), and it makes it harder for the children to make those crazy purchases.

4. Using different passwords

For every gadget, website, email account, service etc, you should use a different password. There’s been a bunch of reports over the last few years where ‘hackers’ have stolen a password store from one company (say Yahoo), then used it to gain access to every other place that the same person has an account (Facebook, Tesco, Online banking, the list goes on…). If you use different passwords for each thing, should one company have it’s store stolen, the damage is limited.

To use the real-life analogy, you don’t have the exact same key for every door, window and lock in your house, car and work offices, right? Same reason : )

“But wow, that could be 10s or even 100s of passwords. How do I remember all those?”

5. …and consider using a password manager

The best suggestion I can make is to consider using a password manager. This is a piece of software that can securely (and optionally sync) all you passwords for the various websites and gadgets you use. These will be locked behind one password (so make it good!) but that should then be all you need to remember.

Personally, I like and use 1Password, but there are other solutions out there such as LastPass.

One thing to be aware of, these password managers can sometimes be a bit complex for the average user. If so, why not consider an offline version! Just be aware that this should be locked away when not in use, and shouldn’t generally be carried around with you. If you lost it, it’d be like loosing all your keys, with the address and details on where to use them, all in a neatly wrapped present!

Password managers also include good password generators, so try to use those to make new passwords for your accounts. If you can’t or don’t want to use a password manager, Apple has a ‘good password guide‘ of recommendations. Simply put, the longer the better.

6. Password hygiene

Treat your passwords like your toothbrush, don’t share them with anyone and change them every 6-12 months (credit: Graham Gilbert!).

You don’t want to end up on international news do you? ; )

Don’t forget, those passwords could give access to your bank details, or private messages (especially if you haven’t followed number 4 above!). although you may trust the person you’re giving your password to, how’d you know they won’t (accidentally, or intentionally) pass that on to someone else, and so on.

7. Always lock your device when you leave it

Something I learned early on, always lock your device when you walk away from it. This will help stop anyone jumping on your device when you’re away from it, perhaps professing your undying love for an old classmate via your Facebook, or more seriously, accessing your bank account or private messages again.

If you’re using an Apple Computer (OS X / macOS), you can find the setting here.

8. Increase the factors

Consider setting up additional items to your password for websites you visit. Often called “2-Factor Authentication”, “Multi-Factor Authentication” or “Text Code”, this means that whenever you sign in on a new device, or in an Internet browser, you will need to enter a password, and a second code. This second code is normally sent by text (SMS) to a phone number you set up, or via an App you’ve also setup and marked as trusted. If you use online banking with a card reader, you’re already using a 2nd factor for that login!

This means that even if someone guessed / got hold of your password, they wouldn’t be able to access to your account without also having access to your ‘trusted device’ (which you’ve already protected as part of numbers 2, 3, 4, 6 and 7 above).

For details on what websites offer this secondary factor, check out https://twofactorauth.org who also provide links to guides on setting it up.

Apple has their own 2-Factor system, you can read about here.

9. Consider signing up for alerts

Consider signing up for alerts when there’s an issue on your account.

Facebook certainly has this option, it’ll email (and optionally send you a text/SMS) if it detects a new login. Good if you get an alert without realising.

Another service I can’t recommend highly enough is Troy Hunters “Have I been Pwned?” website. Enter your email address into the main box and you’ll be told if it’s appeared in any public lists of stolen details. You can also use the “Notify me” option to be alerted if your details should appear in any future lists.

But what should you do if your password does come up, or your account is ‘hacked’?

If it’s anything to do with banking or credit cards, contact the relevant bank immediately. No Ifs. No Buts.

If it’s anything else, immediately change the password on the account to something different and long. Next step, go to any other websites or services where you have an account and change these to a different password (number 4 above).

10. Be alert and wary

Last point, be alert and wary when using email and websites. Generally speaking, this could mean:

• Check the address bar of the website before you enter any details. Is appel.biz or 100PercentAppleOfficial.com asking for your Apple account password? Don’t trust it!
• Check who sent you that ‘you need to do something’ email. Is “fujiko@europoint.co.uk” asking you to check your messages on Amazon? Don’t trust it!
• Is the email full of spelling mistakes or bad grammar? e.g. “You have deferred message“? Don’t trust it!
• Do you even have an account or any dealings with the company who is asking you to fill in your bank details? Don’t trust it!
• Have they sent you a link in the email? Check where the email is trying to send you. If it matches anything above, don’t trust it!
  • In most email programs, you can hover over the link to see where it will send you:

For iPhones and iPads you can hold on the link to see where it will send you

• When in doubt, go direct to the website the email says it is meant to be from (e.g. in the case above, that’d be amazon.co.uk) and do not click any links.

Summary

And there we go, I’ve gone through what I’d consider some generally straightforward ideas and tips for good technology security habits for the average user. Do you have any of your own suggestions? Anything you’d disagree with? Feel free to comment below and I’ll answer what I can!

Further Reading

For those that are interested in some further reading, here are some interesting links I came across whilst researching my ramblings!

• Troy Hunt (creator and operator of Have I been Pwned) has a great security website and I’m a massive fan of his work. I’ve picked out some of the below related highlights:
  • Face ID, Touch ID, No ID, PINs and Pragmatic Security
  • Password managers don’t have to be perfect, they just have to be better than not having one
  • The Trouble with Politicians Sharing Passwords
• Link to the recently updated National Institute of Standards and Technology (USA)’s guidelines on handling digital identities, including updated guidelines on passwords.
• Compulsory link to XKCD’s comic on password strength
• Pepijn Bruienne’s MacADUK talk on managing security in a Mac managed environment

The usual disclaimer:

While the author has taken care to provide our readers with accurate information, please use your discretion before acting upon information based on the blog post. I will not compensate you in any way whatsoever if you ever happen to suffer a loss/inconvenience/damage because of/while making use of information in this blog.