By now, I’m sure most of you have heard about the big celebrity iCloud breach and the resulting photos flooding the internet. I’m not going to be talking about that, the implications it has, or why one shouldn’t go looking for those photos. I’m writing today to address security, and what you, as an end user, can do to increase your account security and decrease the chances of a breach. As of this writing, Apple is still very mum on the subject, and it hasn’t been confirmed that iCloud itself was breached. Enough about that. How can you protect yourself? Let me preface this by saying I’m no security expert, but these are some things I do, and you probably should too.
Don’t use the same password for all of your services
Easy enough. Think about this. If someone gets your email address and password for one service, they now have access to every other service tied to that email address, simply because you used the same password everywhere. I know what you’re thinking: it’s too hard to remember all of these passwords! There are a few solutions for that. I use Lastpass. Lastpass is online, I know, but hear me out. Lastpass stores everything on their servers in encrypted form. Any interaction with the service is encrypted, and as you add passwords to it, they get encrypted on your local machine before being sent to them, so the server only ever holds ciphertext it cannot read. This post from the Lastpass blog explains how it works better than I can. Lastpass can generate a new, unique password for every site you sign up for, and its browser extensions will save that site and automatically fill in your login information afterwards. You only need to remember one password, the master password, so make it long and don’t use it anywhere else, and for added security, you should enable two-factor authentication on the password manager itself.
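To make the “encrypted on your local machine before being sent” point concrete, here is an added example (my own illustration, not Lastpass’s code or its actual protocol) of the two pieces a password manager needs: a generator that makes a different random password per site, and a key-derivation split in which the key that unlocks the vault is computed on the client and never leaves it, while the server only receives a further one-way derivation it can check a login against. The iteration counts, the email-as-salt choice, and the function names are assumptions for the example; the actual vault encryption step is left out so it runs with only the standard library.

```python
import hashlib
import hmac
import secrets
import string

# Illustrative parameters only: not Lastpass's values or protocol.
PBKDF2_ITERATIONS = 100_000
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}:,.?"


def generate_password(length: int = 20) -> str:
    """Make a random per-site password with a CSPRNG (secrets, never random)."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Client-side only: the key that would encrypt the vault.

    Slow, salted derivation so an offline guess at the master password
    costs the attacker PBKDF2_ITERATIONS hashes per attempt. The email is
    used as the salt here purely for illustration (assumption).
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(),
        PBKDF2_ITERATIONS, dklen=32)


def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """What the client sends to log in: a one-way function of the vault key,
    so the server can verify you without ever holding the key itself."""
    return hashlib.pbkdf2_hmac(
        "sha256", vault_key, master_password.encode(), 1, dklen=32)


def client_login_material(master_password: str, email: str):
    """Everything the client computes from the master password."""
    vault_key = derive_vault_key(master_password, email)
    auth_hash = derive_auth_hash(vault_key, master_password)
    return vault_key, auth_hash


def server_register(auth_hash: bytes) -> dict:
    """Server stores only a salted, stretched hash of the auth hash, so a
    dump of its database still does not yield anything that opens a vault."""
    salt = secrets.token_bytes(16)
    verifier = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "verifier": verifier}


def server_verify(record: dict, auth_hash: bytes) -> bool:
    """Constant-time comparison against the stored verifier."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", auth_hash, record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, record["verifier"])


def demo() -> dict:
    """Round trip: register, then log in with the right and a wrong password."""
    email = "user@example.com"          # constructed sample input
    vault_key, auth_hash = client_login_material("correct horse battery", email)
    record = server_register(auth_hash)
    _, wrong_hash = client_login_material("correct horse batteri", email)
    return {
        "vault_key_hex": vault_key.hex(),
        "key_never_sent": vault_key != auth_hash,
        "login_ok": server_verify(record, auth_hash),
        "wrong_password_rejected": not server_verify(record, wrong_hash),
        "site_passwords": [generate_password() for _ in range(3)],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The thing to notice is that `record` on the server contains neither the master password nor `vault_key`; even the `auth_hash` it was given is stored only in stretched, salted form. Whoever breaches the server gets ciphertext plus verifiers, and still has to brute-force the master password through the slow derivation to read anything.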
Use two-factor authentication when possible
What is two-factor authentication? In a nutshell, it’s the use of a password plus a second, independent authentication method to log into a service. Usually the second method is a physical token or an app on your smartphone that generates a short one-time code, typically time-based and changing every 30 seconds or so, which you type into the service you’re logging into. The thinking behind this is that even if someone gets your password, they will not have the second piece of the login, which is that token or your phone, which (should be) physically on you. One caveat: a code sent to you by text message is weaker than an app or hardware token, since it relies on the phone network, so prefer an app or token when the service offers the choice. I’m currently working on making sure I’m using two-factor authentication on any service that offers it. For those of you that wonder “what happens if I lose my token?”, most services give you a set of one-time backup codes when you enable two-factor authentication, just in case of such things. These should be printed out and stored securely, separately from the phone or token they back up.
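As an added example of how those app-generated codes actually work (my own code, not any particular service’s implementation), the following implements the HOTP/TOTP construction from RFC 4226 and RFC 6238 that Google Authenticator and similar apps use: the code is a truncated HMAC of a shared secret and the current 30-second time step, and the server checks it with a small tolerance window for clock drift. It also shows one reasonable way to issue and consume the one-time backup codes mentioned above; the code length, hashing parameters and the single-salt-per-account design there are assumptions for the example rather than how any specific service stores them.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current time step."""
    if now is None:
        now = int(time.time())
    return hotp(secret, int(now) // step, digits)


def verify_totp(secret: bytes, code: str, now=None, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accept the current step plus `window` steps either
    side for clock drift, comparing in constant time."""
    if now is None:
        now = int(time.time())
    counter = int(now) // step
    return any(
        hmac.compare_digest(hotp(secret, counter + i, digits), code)
        for i in range(-window, window + 1))


def new_shared_secret() -> tuple:
    """Fresh 160-bit secret and the base32 form that goes into the QR code."""
    raw = secrets.token_bytes(20)
    return raw, base64.b32encode(raw).decode()


def issue_backup_codes(n: int = 10, iterations: int = 50_000) -> tuple:
    """Return (codes to print out, record the server keeps).

    Eight-digit codes are a small space, so the server stores them stretched
    with a per-account salt rather than as plain SHA-256 (design assumption).
    """
    salt = secrets.token_bytes(16)
    codes = [f"{secrets.randbelow(10 ** 8):08d}" for _ in range(n)]
    hashes = {hashlib.pbkdf2_hmac("sha256", c.encode(), salt, iterations)
              for c in codes}
    return codes, {"salt": salt, "iterations": iterations, "hashes": hashes}


def redeem_backup_code(record: dict, code: str) -> bool:
    """Each backup code works exactly once; it is removed on use."""
    h = hashlib.pbkdf2_hmac("sha256", code.encode(), record["salt"],
                            record["iterations"])
    if h in record["hashes"]:
        record["hashes"].discard(h)
        return True
    return False


if __name__ == "__main__":
    raw, b32 = new_shared_secret()
    print("provision this secret in the app:", b32)
    code = totp(raw)
    print("current code:", code, "valid:", verify_totp(raw, code))
```

The RFC 6238 reference vectors (secret `12345678901234567890`, SHA-1, 8 digits) are a quick check that an implementation is right: time 59 must give `94287082` and time 1111111109 must give `07081804`. Note that the secret is the whole security of the scheme; if it is ever exposed (say, a screenshot of the QR code), anyone can generate the same codes, which is why services let you re-enrol and why backup codes are stored hashed rather than in the clear.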
Change your passwords
This one is also easy enough. I change my passwords usually once every three months or so, even with two-factor authentication. Lastpass makes that pretty easy for me to do; I just have it generate a new password and off I go. Whatever your method, make sure you change your passwords every so often, and change one straight away if the service it belongs to announces a breach, since a leaked password is only useful to an attacker for as long as it keeps working.