Part 1 discussed the steps needed to protect your system from hardware and environmental disasters. Now it’s time to discuss how to protect yourself – and your identity – from those who want to steal from you or do you harm. As researchers, we spend a lot of time online. And while the opportunities that online collaboration and social networks offer to help us connect with other family historians and discover more research cousins are delightful, they also attract others who aren’t so friendly. Here we’ll look at security precautions you must take to protect yourself and your data.
One of the biggest security issues we face is managing passwords. Not only do we need to use complex passwords that are hard to “crack”, but we also need to use a different password for every site requiring a login. Why? Because if hackers should break into one platform – like your blog – and steal user information, they will then try and use that information to access accounts on other platforms. So, if your blog password is the same as the password for your online banking account, you could be in big trouble. So, how do you create dozens of unique and complex passwords – and still keep track of them all?
An effective password should be 8 or more characters long and contain a combination of upper- and lowercase letters, numbers and special characters. Never include any personal information as part of your password. The easiest way to meet all of these requirements is to build the password from a pass-phrase you can remember. Start off with something like the title of your favorite book, movie or song – say “Trying to Reason with Hurricane Season” (by Jimmy Buffett). Now select the initial character of each word – TTRWHS – and see if any of them can be replaced with a number or special character. I’ll replace the “T” for the word “to” with a “2” and make the “R” and “W” lowercase, resulting in T2rwHS. Next, I need to add a number or two to the mix. I first saw Jimmy Buffett perform in 1972, so I’ll add 72 to my password – T2rwHS72.
That’s a pretty good root password, but now I’m going to add a suffix that changes for each site I set up with a login. My suffix begins with a special character (I’m using a dash here) and then contains 3 or 4 lowercase characters describing the site. For example, for a Google password I might use T2rwHS72-goo and for Ancestry I might use T2rwHS72-anc.
If this is too much for you, I suggest investing in a password manager application. These apps can store complex and unique passwords for all your sites, and you only need to remember one password – the one used to access the app. Your passwords are stored in an encrypted file, making it almost impossible for bad guys to see your data.
The Firefox browser has a built-in password manager that is quite effective – especially if you assign a master password for access to the list. If you don’t, anyone can see your password list by clicking the “show passwords” button. If you’re only working on one desktop, this could be a very good option.
RoboForm works with Windows, Mac, iOS and Android systems to provide both password management and automatic forms fill-in functions across all your devices. Desktop versions cost $30 or you can choose the RoboForm Everywhere license to cover all your computers and devices for $9.95 a year.
1Password also supports Mac, Windows, iOS and Android systems. It provides password management, account management (library cards, credit cards, etc.), software license management and forms fill-in. The encrypted database can be automatically synced across all your systems and devices. Once installed on your desktop, it will install extensions in your web browsers so you can both save new login information and retrieve existing logins with one click. At $50 for a desktop license, 1Password is not cheap, but it will quickly prove it’s worth every penny. And, there’s a 30-day guarantee to prove it.
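An audit of a password list against the rules and the root-plus-suffix scheme described earlier, added here as an example (it is not code from the original article). The function names and sample logins are constructed for illustration; the script reports which rules a password breaks, which passwords are repeated across sites, and how many characters of each password are actually specific to its site.

```python
import os
import re

MIN_LENGTH = 8  # minimum length given in the article


def rule_failures(password, personal_info=()):
    """List which of the article's password rules this password breaks."""
    checks = [
        (len(password) >= MIN_LENGTH, "shorter than 8 characters"),
        (re.search(r"[a-z]", password), "no lowercase letter"),
        (re.search(r"[A-Z]", password), "no uppercase letter"),
        (re.search(r"[0-9]", password), "no number"),
        (re.search(r"[^A-Za-z0-9]", password), "no special character"),
    ]
    failures = [message for ok, message in checks if not ok]
    lowered = password.lower()
    if any(item and item.lower() in lowered for item in personal_info):
        failures.append("contains personal information")
    return failures


def reused_passwords(logins):
    """Map each password used on more than one site to those sites."""
    sites = {}
    for site, password in logins.items():
        sites.setdefault(password, []).append(site)
    return {pw: sorted(names) for pw, names in sites.items() if len(names) > 1}


def shared_root(passwords):
    """Leading characters that every password in the collection has in common."""
    return os.path.commonprefix(list(passwords))


def site_specific_lengths(logins):
    """Per site, how many characters remain once the shared root is removed."""
    root = shared_root(logins.values())
    return {site: len(pw) - len(root) for site, pw in logins.items()}


# Constructed sample data: the article's two example passwords, plus a
# hypothetical list that repeats one password on a blog and a bank account.
SCHEME_LOGINS = {"google": "T2rwHS72-goo", "ancestry": "T2rwHS72-anc"}
REUSED_LOGINS = {"blog": "Buffett1972", "bank": "Buffett1972", "mail": "xK4-qp9Lm2"}

if __name__ == "__main__":
    print(rule_failures("T2rwHS72-goo"))
    print(reused_passwords(REUSED_LOGINS))
    print(repr(shared_root(SCHEME_LOGINS.values())), site_specific_lengths(SCHEME_LOGINS))
```

For the two example passwords the shared root is nine characters long and only the three-character suffix differs per site, so the suffix is the part that carries all of the per-site uniqueness.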
Phishing and Smishing
Unfortunately, a lot of the information used to attack personal digital systems is provided to the criminal by the victim. Email is the most likely method used to collect personal information. This is called phishing (pronounced fishing). Now the bad guys are also using SMS/text messages to try and get your personal info. It’s called smishing.
Have you ever received an email message announcing that XYZ bank has been the victim of a digital break-in and you need to change your account’s password right away – using the link or phone number included in the email message? If you don’t have an account with XYZ, you’re likely to delete the message and forget about it. But what if XYZ is your bank? First of all – do NOT follow the link or call the number included in the message. Use the address you normally use to access your bank or, better yet, call your bank using the phone number you have on file.
Another trick is to lure you into following a link to a site offering free movies, free music or some other great deal. Chances are good that while you’re checking out all the non-existent free goodies, the bad guys are downloading malware to your computer. Sometimes your antivirus app will catch it but there’s a good chance it won’t.
Never follow links or download files attached to emails from people you don’t know. Even when you do know the sender, be very cautious. Often hackers break into one person’s email account and impersonate your friend to send their nasties to everyone in his address book. When you send an attachment to someone, put a full description of what the attachment is and why you’ve sent it as part of the message.
Be extremely cautious when you receive messages (email or text) from people you don’t know or businesses you’ve never patronized. Take the time to learn how the businesses and institutions you do use will contact you about account or transaction issues. If you receive something questionable from one of them, use the phone number or email address you have for that institution rather than any links or contact information in the suspicious message.
Social networks are a great place to connect with family and friends, but they can also be very dangerous places. Even when your security settings limit who can see your status information, if one of your friends or family members has his/her password compromised, then your information is visible to the bad guys too. Here’s a list of things you should never post on Facebook or any other social network:
- Your birthdate or your home address. This is very useful to identity thieves.
- Never tag photos of your children with their full names. This could make them targets to pedophiles or stalkers and give them the information they need to convince the child they aren’t strangers.
- Announcing a new member of the family? Do not post the child’s name and birthdate.
- Do not announce changes in your personal status. Letting the world know you’re single – and possibly living alone – could make you a target.
- Do not post updates or photos while you’re on vacation. It makes your house a target for criminals.
Protecting your digital world is just as important as protecting your physical world – and requires just as much effort. Putting these tools to work will help ensure that your digital world remains a safe place.