Considering the multiple security breaches recently disclosed by LastPass, we thought we would dust off and repost a prior blog regarding online security.
While some people are calling for users to ditch LastPass entirely, a password manager is often much more secure than other methods of storing sensitive data. In addition, if your account is protected by 2-factor authentication and password best practices, your data is much less likely to be compromised.
In talking to computer users in the past two weeks, I have discovered that most people still do not use any password manager, which is one secure location for all your login information for all the sites you access. If you use a password manager, you only need to remember one password (which should be 15+ characters, including letters, numbers, and special characters). Below are some additional best practices.
- Use a password manager. If you already use one, change your master password annually (and change it now if you use LastPass).
- DO NOT use the same password for multiple sites – when a website is hacked (and many are, every year) and bad guys access user and password information, they sell it on the dark web. Then other bad guys use that information to try to log in to many other sites in your name.
- Set up 2-factor authentication using facial recognition (if available) and/or an authenticator app such as Authy or Duo. SMS (text) as an authentication method is not as secure and can also be intercepted by the bad guys.
- During the LastPass breach, hackers did get URLs (website addresses) that were stored in customers’ online vaults (but not password data). This means you must be very diligent about what emails you respond to. The single-most-important message in the blog below is DO NOT CLICK LINKS IN EMAILSor give any personal information to anyone who calls you. Go directly to the website in question to log in to your account, or call the phone number associated with the vendor in question.
- Bad guys are constantly attacking many password managers and financial institutions. Good security practices can protect you even if your institution is successfully breached.
Here is our original post from 2021, with minor edits:
From stopping fraudulent transactions to preventing identity theft, securing online accounts is a hot topic in financial planning discussions in today’s cyber-connected world. There are some things you can do to protect yourself. Just like locking your doors and installing a security alarm and security cameras can protect your physical assets, similar approaches can protect your online accounts.
Here are some basic cybersecurity tips:
1 ) Use a password manager.
- Edit the settings/security features to make the security tighter (restrict logins to US IP addresses only and set up an authenticator app for your 2-factor authentication, for example). Password managers reduce errors due to phishing, as they auto-fill password information in valid web site addresses . If you went to an invalid address as a result of a scam, LastPass would not autofill. You should never have to manually enter a password other than your master password.
- Make sure your master password is a longer phrase, including special characters , and memorize it.
- Do not keep your passwords in Word, Excel, Google Docs, etc.! A hacker can easily gain access to ALL your passwords if he or she gets access to your computer.
- Password managers encrypt their data to further protect you from hacks.
- Most password managers will auto-generate a long, complicated password and auto-fill it for you, eliminating login errors due to typos and strengthening your security on all your online accounts.
- You should still change your passwords for your most vulnerable sites regularly.
- Don’t include information in your passwords that is easy for a hacker to obtain or guess, like dates of birth for you or your family members, addresses, phone numbers, etc. You are better off using random words and numbers to compose a phrase or letting your password manager auto-generate a password that is long and complicated.
2) Edit the settings/security section of every piece of software you use.
- Just about every program has a settings/security section, where you can turn on additional layers of security. The default setting is often the least secure, because with increased security comes some additional work for the user. The first thing I do when installing new software is tighten up the default security.
- Turn on 2-factor authentication, also known as multifactor authentication: This is a base level of protection these days. Always opt for the authenticator app approach, not the SMS text message approach. This protects against hackers intercepting your texts.
- Add as many layers of security as the software allows.
3) Prevent phone number porting.
- A would-be thief can hack into your email account and port your cell phone to their device while you are sleeping, thereby gaining control of your 2-factor authentication.
- Protect your email password – use long passwords, NEVER reuse a password that is also used for another site you visit , and turn on “prevent multi device access” if available.
- If someone is able to hack the email account associated with your cell phone account (most commonly due to a weak password, duplicate password, or inadequately stored password), then he or she has access to your text message 2-factor authentication. To protect against this, most carriers allow “account locks” to be put on your number, preventing your account from being ported to a new device unless you complete additional steps.
4) Do not click links in emails.
5) Do not click links in emails.
6) And do not click links in emails.
- One of the most common ways hackers can access user accounts is through “phishing” – sending an email pretending to be a trusted vendor and tricking you into “logging in” to review something. They will often make it seem like an emergency. When this happens, WAIT, THINK, and ASK others if the request seems reasonable.
- Go to the website using the URL in your password manager – not a link in an email message – to review your bill, log in to your account, etc.
- Question any emergency email request, even if it is supposedly from someone you know. Email addresses are hacked and spoofed all the time! WAIT, THINK, and ASK before responding. Call your contact and ask them if they sent a message!
- Hackers are getting much more sophisticated in cloning websites to steal your login information. Do not let them in!
7) Do not email documents.
- ESPECIALLY do not email documents with personally identifiable information like your Social Security number or date of birth. Train yourself to send documents by a more secure method. Almost every business offers a way to securely upload files these days. Use it.
8) Don’t answer your phone if the caller is not in your contacts.
- Most cell phones have an “add to contacts” feature. As trusted people call you (doctors, vendors, friends), add them to your contacts.
- Many scammers will call and scare you into thinking there is some emergency.
- Some even leave scary voice mail messages.
- WAIT, THINK, and ASK before responding.
- You may want to avoid using software that is constantly trying to sell you extra, unneeded features.
10) Make sure you are always updating your phone and computer.
- Updates are released to combat online threats all the time. Not installing the update can leave you vulnerable.
- NEVER use an old, non-updated computer to access the internet. This is like leaving your doors open when you leave your house.
11) Do not post personal information on social media. ESPECIALLY:
- Do not reply to those posts asking for places you have visited, favorite anything, or personally identifiable information. This can all be used to guess your passwords.
- Do not accept friend requests from people immediately. Some people’s social media profiles are copied, allowing for second friend requests to be sent and giving the hacker access to friends’ profiles. Or worse, your friend’s social media account may be hacked, meaning you are now communicating with a hacker.
- WAIT, THINK, and ASK!
Overall, your security does not have to be perfect; it just needs to be strong enough to prompt hackers to move on. When would-be thieves run into tight security, they are likely to move on to other, easier targets.
This is not to be considered investment, tax, or financial advice. Please review your personal situation with your tax and/or financial advisor. Jennifer Climo, CFP®, CPA, MSFP is an advisor at Milestone Financial Planning, LLC, a fee-only financial planning firm in Bedford, NH. Milestone works with clients on a long-term, ongoing basis. Our fees are based on the assets that we manage and may include an annual financial planning subscription fee. Clients receive financial planning, tax planning, retirement planning, and investment management services, and have unlimited access to our advisors. We receive no commissions or referral fees. We put our clients’ interests first. If you need assistance with your investments or financial planning, please reach out to one of our fee-only advisors.