Anything on the web is available 24 by 7.
So are your online accounts.
Data breaches are happening every single day. In 2017, there were a record high of 1,579 data breaches in U.S, tracked by Identity Theft Resource Center. Don’t wait any longer. It’s time to enhance your online account security and keep them as safe as possible.
Here are the steps and tips to improve your online account security.
- Use unique long password for each account
- Use a password manager
- Enable two-factor authentication for important accounts
- Use private email service with email alias support
- Protect password reset process of your accounts
- Extra Q&A: Should I change password regularly?
- Extra Q&A: Should I share my password?
- Extra Q&A: Should I use third-party authentication like facebook?
1. Use unique long password for each account
Password of a minimum of 20 characters are recommended.
6 to 8 characters short passwords no longer cut the deal. With the evolved technologies and today’s computing power, it doesn’t take long to brute-force crack a short password.
Use characters from several character types
It would take forever to brute-force crack a long password with several character types.
Use different password for different account
Avoid using same password for all accounts. This limits your exposure to one account if a less secured website was compromised.
And of course, don’t share your password
Change your password afterwards if you must share password for temporarily access.
2. Use a password manager
One strong long password is difficult enough to remember. Let alone we need different password for each account. It’s simply impossible
to memorize all passwords.
Password manager is the answer. It keeps records of all your login credentials, encrypts them and stores them securely. In addition, password generator is a standard feature so you won’t need to create passwords yourself.
There are many different password managers available. Some of the more popular ones are:
Online subscription service:
Free open source
They are all great password managers and which one to use mostly relies on what features you need most.
Use KeePass if you want to keep your password data local and absolutely do not want to leave any trace of your encrypted password records in the cloud.
Use Dashlane, 1password or LastPass if you want to use it in multiple devices with auto sync support. They all employ zero knowledge encryption to store your encrypted password data online.
I have been using both KeePass and Dashlane. I use KeePass to store passwords for my critical/sensitive accounts and use Dashlane for other passwords to enjoy the benefit of device auto sync.
Features at a glance
Dashlane
- start at $4.99/mo, with free version available on single device
- support password, payment info and auto fill
- password generator
- auto sync with multiple devices
- dark web monitoring & alerts
- VPN for Wi-Fi
- share information securely
1password
- start at $2.99/mo with 30 days free trial. Family of 5 for $4.99/mo
- support password, payment info and auto fill
- 1GB data storage
- 1 year of history backup
- password generator
- auto sync with multiple devices
- security breaches alerts
- share information securely
lastpass
- start at $2/mo with 30 days free trial. Family of 6 for $4/mo.
- support password, payment info and auto fill
- 1GB data storage
- password generator
- auto sync with multiple devices
- share information securely
keepass
- free
- support password and auto fill
- password data stored locally
- password generator
Be cautious
Your single master password of the password manager is your only key to access of your password data. Therefore, if you forget your master password, you lose all your password data. So remember this master password by all means.
Also make multiple backups of your password data.
3. Enable two-factor authentication for important accounts
With two-factor authentication enabled, you need to present 2 different types of evident to proof that you are the legitimate user.
As a result, there would be no unauthorized access even when a bad guy steals your password. This adds an extra layer of security to protect your online account.
Types of evident
- Something you know (e.g. username/password)
- Something you have (e.g. cell phone or email account to receive a verification code)
- Something you are (e.g. fingerprints, retina scan)
For online accounts, the second piece of evident is usually a verification code sent to your cell phone via SMS text message. And some websites may use Google authenticator app to generate the verification code instead.
Which online accounts to use two-factor authentication?
Essentially, enable two-factor authentication (if offered) to any online accounts that are important to you and would cause you great trouble with unauthorized access. Below are some examples.
Accounts that hold important and/or sensitive information
- Financial or banking accounts
- Tax related accounts
Social media sites/apps that represent your online presence
Accounts that are used to proof your identity
- email accounts
- cell phone account
Consider a secondary/backup cell phone
What happened if your cell phone is broken or lost?
You would be locked out of the websites or services if your cell phone is the only option available for the two-factor authentication.
A low cost secondary cell phone service could save the day. In general, your main usage are SMS messages for verification codes. Tracfone is a nice option that offers you no contract cell phone service at good price.
4. Use private email service with email alias support
Private email service can further improve your online account security.
You may not be aware but your email account may probably be one of the most important online account you have.
Almost all online accounts require your email address, and many of them use your email address as the login ID.
Benefits of private email service
Private email service means that you have your own domain and a email hosting service to host your emails.
Total ownership of your email addresses
You create and name your email addresses however you like, using your own domain name. You own it. And you have complete control of your email addresses.
Free email address, on the other hand, could be suspended or disabled by the service provider for reasons like suspicious activities or violation of Terms of Service. The reality is: you don’t own it.
Better privacy and information security
Emails were stored at provider’s servers. More often than not, free email service providers may scan or access for advertising or other purposes.
And you emails, even you have deleted them, could still be retained by the provider in some form (e.g. in their data backup).
And these email messages are also susceptible to government view.
Private email service providers, however, in general take privacy much more seriously and do not track/scan your emails.
Keep your email account in secret
You can setup your main email account with address that has no reference to your name or any personal information. Keep it secret and do not use it to register any online accounts. You only use this email address to receive and read emails.
Then you create an email alias to the main email account and use this email alias to send emails and register online accounts.
With this setup, your email account is still safe if there is a security/data breaches on a website that exposed your email address (which is the email alias and won’t have access to your actual email account).
Protect your online accounts using multiple email aliases
Categorize and group your online accounts and then use a different email alias for each group.
Shall there be a data breach incident, this would limit your exposure only to the online accounts within the same group that use the same email alias. (But remember, their passwords are different)
Change your email alias as often as you like
Many of the free websites would sell your account info like name and email address to 3rd parties.
Unfortunately, that usually ends in the wrong hands and results in more and more spam and/or phishing emails over time.
Hey, no worries! Create a new email alias and replace it.
What do you need to use private email?
A domain name and an email hosting service.
Step 1: If you don’t own a domain name yet, you would need to register a domain name through a domain name registrar website. There are many and the one I use is namecheap, which offers great services with decent prices.
Step 2: Pick a private email hosting service. There are also many to choose from. I will show you couple websites that I am using their services.
- namecheap also offer private email service with great prices. As for time of writing, the cheapest plan is $9.88/yr for one mailbox with only 1 alias.
If you want multiple alias, you need the next tier business plan at $28.88/yr for one mailbox with up to 10 aliases.
- siteground, technically offers web hosting plan, but all their web hosting plans include unlimited number of mailboxes and unlimited number of aliases.
The cheapest plan is the StartUp plan for $3.95/mo and you can lock in with this low price for up to 3 years if you pay all upfront. Also, while you may not need the web hosting part, you sure can use the 20GB storage space as your cloud storage.
Great value if you can take advantage of the unlimited number of mailboxes for your family and friends.
Step 3: follow instructions provided by your private email provider to finish any setup and you are good to go.
5. Protect password reset process of your accounts
Most websites use security questions or your email address to verify and reset your password.
Protect your email account
As you can see, if some bad guy gained access to your email account, the bad guy can use password reset process to try gaining access to many of your online accounts that use the same email address.
Take ALL the measures in this post to protect your email account!
Use creative answers for your security questions
Don’t use the exact answers but use some creative descriptions as the answers of these security questions. Then record them like passwords using password manager.
It’s not difficult for a bad guy to obtain/guess the correct answer from social media or through social engineering. Therefore, you should avoid using the real answer to protect your online accounts being reset and taken over.
6. Q&A: Should I change password regularly?
I would say it’s not necessary if you are using strong unique passwords for each of your online accounts.
But definitely change it if the website has a data security breach.
7. Q&A: Should I share my password?
Still not recommended even though some password managers offer secure sharing feature.
It always reduces the security protection when passwords are shared.
But in case it is not avoidable, change password first, share it and change it again when it’s done.
8. Q&A: Should I use third-party authentication like facebook?
Using third party authentication is like a single sign on. You only need to remember 1 password and you can have access to many websites that support it. It’s convenient.
But remember, if it is convenient to you, it is also convenient to the bad guy if your login credentials are exposed.
With the use of password manager, you do not need to memorize all the different passwords anyway. So why not create separate accounts for each website to minimize your exposure.