A lot of people get hacked or phished, and being completely secure is somewhere between difficult and impossible, especially if someone trying hard to hack you in particular. But there are several simple things you can do that decrease your risk a lot:
Use a password manager that fills in fields automatically.
Configure 2FA with security keys.
Read “sign in with provider” (oAuth) screens carefully.
Encrypt your laptop.
Be cautious with inbound communication.
Why these things? You can make computers do stuff random other people normally can’t: transfer your money, post to social media as you, read your private documents, control your employer’s systems, etc. If an attacker can trick the right systems into thinking the are you, they can take your money, exploit your secrets, or use you to get to others.
A strategy of putting in a lot of mental effort to always make the right security decision in the moment doesn’t work well for humans: we make mistakes, especially when we’re doing routine things or are distracted, tired, hungry, etc. Instead:
Use tools so you can’t mess up even if you’re not paying attention.
Understand the remaining cases where you do need to take special care.
Password managers, laptop encryption, and security keys are examples of the former, while being careful with 2FA codes, oAuth screens, and inbound communication are examples of the latter.
In the most common attacks someone gets a copy of what the computer checks to make sure you are you (your “credentials”). For example, if your email is protected only with a password then if they can get your password they can log into your email.
The most common way for someone to learn your password is using the same one on multiple sites. Say you use “hunter2” everywhere and you create an account on “Joe’s Shoes and Wallpaper” to buy sneakers. They later get hacked, their passwords get cracked, and now the attacker knows you used “hunter2”. They try this on your email account, learning your address from Joe’s records, and it works. This is an especially worrying scenario because you probably have a lot of other accounts that will send password resets to your email, and now the attacker can control those as well.
Remembering passwords for hundreds of sites isn’t practical, so you want something that lets you generate a random password for each site and then stores it for you: a “password manager”. But this isn’t enough on its own, because the second most common risk to passwords is fake login pages. If you click on a link and get:
You want to enter your username and password if this is
accounts.google.com
but not if it’s
accounts.google.com.evil
. Closely examining the URL to
make sure it’s the right one helps, but humans make mistakes.
Instead, you want a password manager that, in addition to remembering
your passwords, only provides them to login pages on the correct
domain.
I use Google’s password manager which is integrated into Chrome and Android; if you’re fully in the Apple ecosystem you might use Apple’s Keychain. Firefox also has one. Stand-alone password managers include Bitwarden and 1Password; if you use one of these make sure you set up browser integration so you’re not pasting passwords, protecting you against fake login pages. Use separate password managers (or separate “vaults” within a single manager) for work and personal accounts so that when you eventually leave you can separate them cleanly.
Even with an autofilling password manager there will be occasional times when it doesn’t work and you need to copy-paste: be very careful that the URL is correct when doing that, because this is exactly the problem you would run into if someone was trying to get your password.
Another layer of protection here is ensuring that a password on its own isn’t enough to give access to your account. This is called “two-factor authentication” or 2FA. The most common form of 2FA is to use a phone number in addition to a password: when you try to log in from a new device they text you a code which you can use to demonstrate you have access to the phone number. This is probably more secure than not doing it, but it isn’t very good:
An attacker could trick the phone company (or bribe an employee) into reassigning your number to them. (“simjacking”)
You could be tricked into giving the code to an attacker.
Sometimes sites call a phone number “2FA”, but then will let someone who only controls the phone number reset your password, meaning it’s really just a single factor.
These can be fixed by using the security key built into
your phone. You register your key with a site, and then future
logins it checks that you still have the same key. If you’re on
accounts.google.com.evil
your key will send something
that accounts.google.com
will reject.
But what if you lose your phone, or don’t have it with you? The big risk with 2FA is that if you lose your second factor you lose access to your account. The standard solution here is to have multiple security keys, so that even if you lose one you still have the others. You can get additional security keys as little USB things. They come in both USB-A and USB-C versions: I like the USB-A ones so I can plug them into USB hubs. I’ve used Yubico’s Security Key ($25) and Google’s Titan Key ($30). Looking now, Adafruit’s FIDO2 Key ($10) seems to be the cheapest option, though it doesn’t have NFC (fine for your computer, annoying for your phone). Having one at work and one at home in addition to the one built into your phone would be ideal, so that even if you lose one and then one breaks, you still have a third.
If you lose a device, you do have some work: for every account it was configured on you need to unregister it and then register a replacement. This means you need to keep track of which sites you’ve configured 2FA with, because you’ll need to repeat that process of unregistering the old one and registering a new one on each site. You don’t want to set it up on too many sites: just the ones where the consequences of getting hacked are large enough to justify the extra hassle. I currently use my security keys for five accounts: personal Google, work Google, GitHub, Facebook, and PyPI.
One way to get the protection of security keys on sites without needing to register your key with them (and the extra work when you need to change keys) is to use oAuth login. This looks like “Sign in with Google”, “Sign in with Apple”, “Sign in with GitHub”, etc. I’m pretty happy using Google’s oAuth everywhere: my Google account is well protected and I think Google’s security team is very good.
One issues this does have is that if you use a single account as the root of your online identity and then get locked out of that account, you’re in a pretty bad situation. When I’ve described this approach before one reaction I’ve gotten is something like “but people do get locked out of their Google accounts, why would you risk that?” If you look over the reports people give, though, they’re predominately people who set up 2FA and then lost the thing they were using as their second factor. If you make sure to always have multiple active 2FA methods (like the three security keys I recommend above), however, I think this risk is very low.
You might sometimes see people talking about “TOTP” authentication codes. These are where you install an app on your phone (Google Authenticator, Authy, etc) and configure it when setting up 2FA. It shows a different code every minute, and the site can see the same code. Every time you log in you provide the code, and unless someone steals or hacks your phone they won’t have it. I don’t think TOTP codes make sense anymore: security keys are better (they protect you against fake login pages) and all the sites I used to use codes on now support keys.
In a few years I’m hoping all of this will be a lot simpler as the world moves to passkeys, but they’re not widely supported yet.
Instead of someone getting access to your account with a password, another big risk is through a lost laptop. On a normal laptop someone with a bit of skill can read everything on it, even if you have a password set. This means someone could act as you on any site you’re currently logged in to. Encrypting your laptop fixes this, because the data stored on your laptop is now gibberish without your password. On Mac this is FileVault, on Windows it’s BitLocker; Ubuntu turns it on by default. This would be an even bigger risk with phones, since they’re smaller and easier to lose, but modern ones are already encrypted (Android, iOS).
Even if someone can’t log in as you, or steal your laptop and already be logged in as you, they might be able to trick you into delegating control to them. For example, if you try to use Google to create a Twitter account you’ll see something like:
This is fine: this is the “oAuth login” I was talking about above, and is saying Twitter will get a few pieces of information, but it won’t be able to pull arbitrary things from my Google account.
On the other hand, if you click “sign in with Google” on another site and see:
You should be very alarmed! This is asking for permission to read your email, which as we talked about above translates into control over all the accounts which let you reset your password over email.
Small wording differences on these screens can have a very large effect, and the wording is something security folks at these companies think really hard about. For example, someone was recently tricked into letting an attacker control their GitHub account where after clicking “Sign in with GitHub” they “clicked through a bunch of pages because its the same drill every time.”
The last major place where I think extra care is needed is when someone else contacts you. If you get a phone call from your bank, are you sure it’s actually your bank? If you get an email that it says it’s from your IT department, is it actually? It’s generally very hard to tell: they can fake the number they’re calling from, or the email address they’re sending from. Or they can just send you something that looks legitimate enough that you don’t think to check. The safest thing to do here, especially if you’re unsure, is to look up the correct number/address in an external source and initiate communication yourself.
This does still leave some holes, especially around running software past when it will still get security updates, not installing security updates, and installing software and browser extensions, but someone who follows the guidelines above should have a much lower risk of getting hacked or phished than the typical person.
(This is all looking at things from the perspective of what you as an individual might choose to do to keep your accounts safe. What sorts of policies organizations should have, including options for automatic enforcement, is also an interesting and deep topic, which I’m not trying to get into here.)
Thanks to Taymon Beal for reading a draft and providing feedback.
Just a comment that having Google or another company as a single point of failure is probably a bad idea.
Note that Google can terminate your account with no recourse (it has no customer support to speak of) due to completely unrelated reasons, such as a chargeback on your credit card for a Google product or service. In this case an account @gmail.com for 2FA purposes may no longer be available. One way to mitigate this risk is to have the main email account that is separate from gmail, something like @<domain>.name, registered with a non-Google registrar, and use Google Workplace to manage it. This costs money, but at least you can retarget your name servers if Google gives you the finger, and keep your main email address, though not all the past emails there.
Wrote up a more detailed response as a separate post: How Likely is Losing a Google Account?
Another example of this that comes to mind is when fans of a YouTube streamer got their entire Google accounts banned for posting too many emojis (as votes, at the streamer’s behest) in YouTube chat.
Turns out it can also happen for sending your child’s medical pictures to a doctor (and also send the cops after you).
Or for storing “educational content on Palestine”. Unverified story, and there’s a few more such stories and links at [1] and [2],
(I’m not including cases where it was a developer account—i.e. an account used to publish apps—that was banned.)
The core issue seems to have two sides:
Google’s automated systems are sometimes too eager about banning accounts, if you in any way happen to stand out as a (false) positive case
Google’s script-following customer support seems pretty bad at then dealing with these cases, giving no information, and worse, taking in no information provided to them, and in general the best customer support avenue seems to be Hacker News or some other news outlet.
This is the visible tip of the iceberg where the accounts do (generally) get reinstated, but we don’t know how large the invisible part of the iceberg is, and what the chances of getting your account back are if you aren’t lucky enough to be in the visible part.
I think it’s pretty likely that there’s more to the story than we’re hearing: there was a ton of scrutiny on this and Google didn’t change their decision, which makes me think the most likely reason is that the human review on the case really did come up with CSAM concerns beyond those pictures.
(Still, I don’t take pictures of people without clothing, including my kids: CSAM misclassification and escalation is a small risk of something very painful.)
Yes, but we also don’t know how many of the not reinstated cases were ones were correct.
Companies generally say things like, “out of concern for our user’s privacy we can’t release more information”, but I’d like to see something where someone making a public complaint could waive this and challenge the company to actually release their full case either publicly or to an independent ombud. Tesla does this (pretty sure, can’t find the link now) though they release things publicly even without the customer’s permission which I don’t think makes sense.
I just did some looking, and I can’t find any examples of this, just people saying this is what happened when actually something different happened (ex). Are you sure that locking people out of their email for a chargeback is a thing?
Actually, I did more looking and maybe this is a thing? https://www.reddit.com/r/tifu/comments/zndbku/tifu_by_accidentally_buying_two_google_pixels_and/
You are right, you don’t get totally locked out in this case, my bad. Still, there are stories online of people losing access to their gmail accounts. Might not be a source of risk worth considering though.
A large fraction of the stories I’ve been able to find are people who set up 2FA without a spare and then lost it (https://hn.algolia.com/?q=google+account+locked+out, linked in the post). I think this is a serious risk, but it’s also pretty easy to avoid (by always having at least two, ideally three, registered security keys)
To keep track of which of my accounts use which 2FA methods, I’ve used my password manager’s custom fields option (probably available in most standalone password managers) to mark each potentially important account with an importance value (as in, how bad is it to lose access to this account), and separately with a 2FA value to indicate which 2FA method it is using.
Regarding TOTP not protecting against fake websites: there are TOTP apps with autofill, which is at least some protection in this scenario.
My impression is that if you sign up for Google Advanced Protection Program (which is free and requires 2FA with a security key), and then lose all your security keys simultaneously, you can “Submit a request to recover your account. It takes a few days for Google to verify it’s you.” (Source). I don’t know what the verification process entails or how reliably it works, and it sounds like you need to maintain access to your recovery email, but at least there’s a chance you could get your account back?
(Obviously, “not losing all your security keys simultaneously” is a better plan!)
Nice post on an important topic! One comment. Afaik, Google Chrome’s password manager is NOT an encrypted store. I understand this is an active decision by Google as they consider your device password your “protection” and don’t want to provide a false sense of security. Problem is many people have weak device passwords and also remote access may allow hackers to gain access to the device / your Chrome, and therefore ALL passwords in your manager. This doesn’t meet my muster so I recommend against Chrome’s password manager. Here’s a Quora that appears to validate my thinking but I accept things may have changed since. I personally use BitWarden, as it’s the most trustworthy I can find, free for the most common features and the interface has improved over recent years.
Security awareness is hard to hammer into people’s heads and scams are getting more and more sophisticated. I got tired of repeating these messages for my friends and family to be safer online, and so wrote a guide for this. Fully intended as a PSA, no monetisation or benefit to me, just to share and help people be safer, so feel free to share.
https://sec.terminusfoundry.com/
Wrote it for two main audiences:
If you don’t know much about security, but want to be safer and don’t know where to start.
If you’re a techie and scared about the safety of your loved ones, and want a helpful lesson plan to guide you through making them safer.
This is evergreen and I frequently add things, so would love feedback!
The main downside of an encrypted password store is that you lose all your passwords if you forget the main password. I think for most people this is enough more likely than being hacked through your password manager that it’s not worth it.
I agree that this is a risk, but I’m not sure whether it’s the main risk. Another risk is that if somebody gets access to the encrypted store, they can use it to steal all your passwords.