Computer Security: Four Things Everyone Should Know

6 March 2015

Most of us have to use computers on a daily basis. Some of us understand more about these machines, some of us less. The less we understand, the easier targets we are for different kinds of attacks that could reveal important personal information. A few simple steps and habits can help make you more secure, even if you don’t know a lot about computers.

SOFTWARE UPDATES

Every now and then – probably pretty often – you will be asked to update something. Your operating system (such as Windows), your antivirus software, Java or whatever it is. You might be tempted to wait or ignore it, since you don’t see the point and everything is working fine as it is. Don’t. The most important part of keeping your software up to date isn’t to get nifty new features you won’t be using anyway. It’s security. The older your software is, the more time people have had to find security flaws and the more likely it is that there’s some sort of vulnerability someone is actively trying to exploit.

In fact, if you’ve got the choice, always make sure that your software updates automatically. You probably don’t know enough to decide whether an update is necessary from a security perspective anyway (I sure don’t), so since you’ve already decided to trust the developers and installed the program on your computer, it will probably serve you better to keep trusting they know when they’ve found something that needed to be fixed.

HTTPS

HTTP stands for ”hypertext transfer protocol” and is the way information gets sent around on the web. HTTPS stands for ”hypertext transfer protocol secure” and is a way of keeping said information private. You could see it as the difference between a postcard, which anyone can read on the way to its destination, and a sealed envelope, assuming envelopes were a bit more difficult to open for the wrong person. Everyone can see where the envelope is going, but not what the letter says. Ordinary HTTP traffic is open for anyone to read, if they have access to the traffic and know what they’re doing. This means that you never want to send any private information or log in if the site is not using HTTPS.

Here’s the difference in my browser (Firefox), with LinkedIn over HTTPS and the Wall Street Journal over HTTP. Note the padlock symbol, which is used in most browsers to identify a secure connection.

PHISHING

If you have an email address, chances are you are getting a steady flood of emails you have never asked for. Some may promise to give you a huge pile of money if you would just help them out by sending some small amount first, or send a copy of your passport or some other insignificant detail. Others try to get sensitive information by masquerading as some trustworthy site and make you give them your username and password information or credit card details, so-called phishing. If you get an unexpected email telling you that your important account was blocked, or could you please log in here, or please click here to verify something, it’s probably not legitimate. If you have doubts, however, it might be worth checking out the URL (the web address). For example, this is a recent example of someone trying to gain access to my Paypal account.

When I hover over a link (without clicking! Never follow the links in spam or phishing attempts. They might lead to sites that could infect your computer), my email client will show the address in the bottom left corner. It’s important to know that the link as it appears in the email is just a piece of text and can say anything. In this case it’s ”Very Your Account” but it could easily have been ”www.paypal.com” or something similar, without actually leading you to paypal.com.

A phishing attempt will often try to confuse its targets by introducing elements in the link that look like they could belong to the right address (here it starts with ”pypl”), but you should always look out for the domain name part: the thing that comes just before .com (or .co.uk or .net or .se et cetera) as well as make sure that the top-level domain (.com) is the right one. In fact, if the link is so complicated that you can’t figure out what the domain name is, that in itself is a good sign it’s a phishing attempt. For example, in this case, the correct link would simply have said http://paypal.com.
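The two checks described above (the link text is only text, and the part just before the top-level domain is what counts) can be automated for an HTML email. This is an added example, not part of the original post; the sample email, its `.example` hosts, and the short suffix set are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed, partial suffix set; real tooling uses the full Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

def registrable_domain(host):
    """Return the name just before the top-level domain, plus that suffix."""
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element in an HTML email."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def check_links(html, expected_domain):
    """Report each link's real host and why it does not match expected_domain."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for text, href in collector.links:
        host = urlsplit(href).hostname or ""
        real = registrable_domain(host)
        reasons = []
        if real != expected_domain:
            reasons.append("destination is " + (real or "unknown"))
            if expected_domain in text.lower() or expected_domain in host:
                reasons.append("imitates " + expected_domain)
        findings.append({"text": text, "host": host, "reasons": reasons})
    return findings

# Constructed sample email body; the hosts use the reserved .example suffix.
SAMPLE_EMAIL = """<p>Your account was blocked.
<a href="http://pypl.account-check.example/login">Very Your Account</a>
<a href="https://www.paypal.com.secure-login.example/verify">www.paypal.com</a>
<a href="https://www.paypal.com/signin">Log in</a></p>"""
```

Calling `check_links(SAMPLE_EMAIL, "paypal.com")` returns one entry per link; only the third has an empty `reasons` list.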

PASSWORDS

Your passwords should be two things: a) strong and b) unique, in the sense that you shouldn’t reuse them.

Examples of passwords you should avoid are ”123456,” ”qwerty,” the name of someone close to you, important dates in your life and words you could find in a dictionary. They are too easy to guess, or to find out by e.g. automatically testing every known word. On the other hand, don’t go for a random string of characters you won’t be able to memorize. A few random words will do fine, especially if you use both upper and lower case letters, special characters and numbers. ”BookUniversal4Sleds!up0n” is easier to remember than ”HfsPa!0ka1fdAwf?” but is still a strong password. It’s long, impossible to guess and contains characters of varying sorts.

It’s important that you don’t use the same password everywhere. If you do, all it takes is that one of the sites you use hasn’t stored your information securely enough on their end and suddenly someone might have both your email address and your password, which can then be used to log in on other sites. Take extra care with passwords that are important to you, e.g. social media accounts that would be very painful to lose access to. Remember that the password to your email account is one of the most important passwords you have, even if you don’t use email much. If you have forgotten your password to some other site, you can usually reset it using your email. That means that if someone gains access to your email account, they can probably generate new passwords for most of your online life.

Be very careful with security questions. Don’t pick one someone else could find the answer to with a little bit of research, such as your mother’s maiden name or the name of your first teacher. Change your most important passwords every now and then. If you can’t remember them, there is a type of program called ”password manager” for that specific purpose. Using a password manager (e.g. Apple’s Keychain) is usually safer than letting your browser store them. Passwords stored in your browser are usually too easy to find, either by someone just walking by your computer or someone who has gained access to it remotely.

And for the love of everything that is good and pure in this world, never ever accept online banking security where you can access your money with just a username and a password. There are better, if more cumbersome, methods, and if there’s one area where it’s worth a bit of hassle to be safer, it’s when your savings are involved.