A while back I got home from a trip and my wife said “Hey, I think maybe a friend of mine got hacked?” I asked why she thought that and she said the friend had reached out on Instagram, and asked her to participate in a new clothing store of some kind. The friend then asked for her phone number to share a link, which my wife sent her, then she said “Hey, before you click on the link could you send me the code that they send to your phone so I can make sure it’s working?” So my wife did.
My spirits dropped. I said “Hey, you need to hop on instagram right now and change your password. And you have two factor authentication enabled, right?”
But it was too late. The attackers locked her out of her account. We spent the next several hours trying to get the account back, while the attackers spent that time spamming all of my wife’s friends with bogus clothing requests. After we got the account back she spent the rest of the night reaching out to people who had replied to warn them about what was going on. It wasn’t a super fun evening.
Getting hacked sucks.
It was pretty embarrassing for my wife, but I felt REALLY embarrassed. Cybersecurity is what I do! How had I let my wife down so thoroughly by not teaching her the important stuff that I claim everyone should know??
So that’s what this post is meant to be. I am sitting down and writing the post I wish I’d written for my wife, before she got hacked. That means this post will tell everyone, no matter how technical (or not) the most important things they need to do to protect themselves. I’m quite sure it’ll be long, but you don’t have to do it all today. Pick one section, do that one, then come back for the next. And if you do that for a few days, you will be WAY better off than you are today. I promise.
Step 1: Use a Password Manager
A password manager does two really important things:
- Easily stores passwords to autofill on websites or apps
- Suggests unique, random passwords for every login
I mean, those are two very simple things, but they’re incredibly important. Most password managers can do more than that — they can store credit cards, and secure notes, and share passwords securely, and lots of other stuff. But the main thing you MUST use are those two. You need unique passwords for every login, and they need to be strong passwords — ideally long and random.
You need unique passwords because most hackers have lists of passwords associated with emails. If you use the same password on your work email and on a basketball forum you’re a member of, the basketball forum could be easily hacked and then your work email is too. Password reuse makes hackers’ jobs REALLY easy. Don’t make it easy.
So step one, sign up for a password manager. Apple, Microsoft and Google all have them, but there are great third parties too like Keeper, 1Password or Bitwarden. I recommend a third party because they typically work better across platforms — Apple’s may work great with Apple stuff, but not as well on a Chromebook or Windows machine. A third party is forced to work great across everything.
The ones I listed also have extremely secure architecture. See, a password manager is an obvious target for hackers, so the best ones make it so that the passwords are secret even from the company itself — even if a hacker got access to a server with everyone’s passwords, they wouldn’t be able to decrypt them because they’d need every individual person’s password.
Once you have your password manager set up, import any existing logins and add anything that isn’t stored in a browser already. You’ll only use it if it has everything and you have it everywhere, so make sure your passwords are in it, and you have the mobile app and browser plugins everywhere you need them.
Finally, and this step will take a while but is well worth it, you’re going to need to reset any password you care about to the stronger password you make in the password manager. If you do this, you can be sure the password hasn’t already been compromised and that those accounts are halfway to well protected (step two will make them fully protected). It’ll take a while, but trust me, it’s important.
There is at least one password that you need to remember, though. The password to your password manager! To make a password for that I recommend the strategy outlined in this famous XKCD comic:

Basically, go to a random word generator, generate four random words, then create a little story to remember them.
So, have you done it? You set up a password manager, created a good, random, memorable password for that manager, imported all your passwords and changed the important ones?
Excellent! Let’s move on.
Step 2: Set up (Good) MFA EVERYWHERE
Every site on the internet basically runs like an old school speakeasy. You show up to the back alley. They slide that metal peephole open and say “Who are you?” You give them a name and they say “What’s the password?” If you’ve got the right password, you’re in.
The password is an “authentication factor” — it’s a way of proving you are who you say you are. There are other factors that exist in real life. Maybe there’s a special coin or card you’re supposed to present. Maybe there’s a secret handshake. Somewhere really secure might use all of the above.
That’s the idea behind Multi-Factor-Authentication (MFA). Instead of just using a username and password a website will ask for something else that only you should have.
The most common form of MFA is a code sent to a cell phone via text. The goal here is to make sure that the person who says they’re you also has your cell phone in their hand — imagine a bouncer at a speakeasy saying “If you’re Josh, show me Josh’s cell phone!”
There are two main problems with this. The first is that people can be tricked into handing over the codes (as happened to my wife).
The second is that, for text codes, someone doesn’t need your phone, they just need your phone number. And there are ways to get ahold of your phone number.
The most common way is called a “SIM Swap.” This is when an attacker calls your mobile provider, convinces them that they’re you, and asks them to assign your number to a new phone that they control. Or, in an even simpler version, they just pay a customer service rep $10-20K to change a phone number to a new phone.
That amount gives us some indicator of the type of people targeted in SIM swaps. If you have two grand in your checking account they’re not going to spend $10,000 on a SIM swap to get at that. They’d lose money.
But if you have, say, a credit card with a $20k limit, or have access to accounts at work worth tens of thousands or even millions — well then that $10-20k investment makes more sense.
If you’re not one of those people, you’re still at risk of someone social engineering that code out of you. That’s why a better option is an app on your phone, something like “Google Authenticator” or “Microsoft Authenticator” for personal use or Okta or Duo at work.
When you set up MFA with one of these apps what typically happens is the website will show a QR code. You’ll scan that code and it’ll create an entry in your authenticator app that shows rotating six digit codes (typically you get a new code every 30 seconds or so).
I’m not going to go into the technical details, but basically, that QR code gives your phone the information it needs to create a new code every 30 seconds that matches a code on the website’s server (just for your account).
These apps are great because they’re very hard to hack remotely, which means that the attackers have two options. They can trick you into sending them the code (but there’s a thirty second limit so they have to get REALLY crafty to do it), or they need to steal your actual, physical phone. That’s not an option for most hackers who do their work remotely.
That’s why I recommend good MFA. The app is way more secure than text codes, even though both technically count as MFA.
SO! Here’s the second step. Download a good MFA app like Google Authenticator or Microsoft Authenticator. Then go to every account you can and turn on MFA, using the app on your phone.
If you do Step One and Step Two completely you will be much, MUCH more secure than you were before, but there are a few things to consider.
Step 2a: Some important additional details
Okay, there are a couple of things you need to think about as you set this stuff up. This is more technical, but you NEED to know it, so stick with me.
Backup MFA can be a weak link
A lot of the time, when you set up app-based MFA, the site will also allow you to set up a backup MFA option — something like a phone number or email address where they can send a code.
If you do this, an attacker can then get around your app-based MFA using the phone code — the exact thing you were trying to avoid. So I don’t recommend setting up that kind of backup. It makes it too easy to circumvent the MFA app. In fact, if the site sets that up by default I prefer to disable it.
Instead, when you set up an MFA app it should give you the option of downloading or printing “backup codes.” Typically this is ten or twelve six digit codes that will always work, though they’ll only work once (they don’t rotate like your normal code). This is a great backup in case you lose your phone; you just need to make sure they’re stored securely. This could be as a secure note inside your password manager, or it could mean that you print them out, or it could mean that you literally grab a notebook and write them down and then hide the notebook somewhere inside your house.
I don’t recommend the notebook method for regular passwords, but just for these backup codes, it’s not a terrible idea.
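As an added illustration (mine, not from this post or any particular site), here is how a site can keep backup codes so that they “always work, but only once”: it stores only salted, slow hashes of the codes and deletes a hash the first time its code is redeemed. The class name and its ten six-digit codes are constructed for the example; a real site would also rate-limit attempts, which is not shown.

```python
import hashlib
import hmac
import secrets


class BackupCodes:
    """Constructed model of a site's recovery-code store: it keeps only salted,
    slow hashes (a leaked database does not reveal the codes) and removes a hash
    the first time its code is redeemed (each code works exactly once)."""

    def __init__(self, count: int = 10, digits: int = 6):
        self.salt = secrets.token_bytes(16)
        # Shown to the user exactly once, to print or save in a password manager.
        self.codes_to_show = []
        while len(self.codes_to_show) < count:
            code = "".join(str(secrets.randbelow(10)) for _ in range(digits))
            if code not in self.codes_to_show:
                self.codes_to_show.append(code)
        self._hashes = {self._hash(c) for c in self.codes_to_show}

    def _hash(self, code: str) -> bytes:
        # Short numeric codes are cheap to guess offline, hence a deliberately
        # slow key-derivation function rather than a plain SHA-256.
        return hashlib.pbkdf2_hmac("sha256", code.encode(), self.salt, 100_000)

    def redeem(self, submitted: str) -> bool:
        """Accept a code (spaces/dashes tolerated), then burn it for good."""
        digest = self._hash(submitted.replace(" ", "").replace("-", ""))
        for stored in self._hashes:
            if hmac.compare_digest(stored, digest):
                self._hashes.remove(stored)  # never valid again
                return True
        return False

    def remaining(self) -> int:
        return len(self._hashes)
```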
Your email is the crown jewel
An attacker can do SO MUCH with email access, but we’re not going to get into everything. Instead, I just want to highlight that they can typically get past both of the above steps if they get your email. They can reset passwords for all your accounts with email, and they can even sometimes get past MFA with email.
This is why your email MUST have a secure, unique, strong password, and it MUST have MFA protection.
Email providers know this, so they typically include some kind of security section. This may be in the email settings, or it may be associated with your account in general. For example, if you go to Gmail, then click on your picture in the top right and click “Manage Account” you’ll see a section labeled “Security” where they have a security checkup that gives recommendations for making sure your account stays secure. Do that stuff!
OK! So you’ve done everything in step 1 and 2. What’s next?
Step 3: Keep your stuff up-to-date!
In cybersecurity there’s a thing called a “zero-day attack.” A zero-day is a flaw in a piece of software that doesn’t have a fix. Finding zero-days is a whole industry in itself — it takes a lot of expertise and a good zero-day can sell for a lot of money because it is so effective. There’s basically no way to protect against it.
Most attacks do NOT use zero-days.
That’s right, most breaches aren’t caused by zero-days, they’re caused by a vulnerability in software that DOES have a fix — it just wasn’t installed in time, and the attackers use it to get a foothold.
And the defense against that is to just keep your stuff up-to-date. That’s it! That would prevent a huge portion of potential attacks.
It doesn’t even take that much work anymore. Most software includes auto-updaters, so as long as that’s set up, all you have to do is restart the app or the system when it asks you to. That’s it! Just take that extra two minutes at the end of the day, save your work, and restart your computer, or your phone, or your web browser. Whatever it is that is asking for attention.
So to complete step 3, go to your computers and make sure your OS updates (Windows or Mac) are set to automatically download and install. Then make sure you restart your computer. Today! And at least once a week for the rest of time.
Step 4: BACKUP!
Cheap cloud storage has become ubiquitous, and most operating systems include built-in backups (via MS OneDrive or Apple iCloud), though you may have to pay for them.
PAY FOR THEM!
Storing most of your stuff in Google Drive or MS OneDrive or Apple iCloud is usually enough protection for an individual. Pay for it, and make sure it’s set up on your computer, and then double check that your files are uploading correctly by trying to access them from your phone or another computer.
If you run a business, though, that level of backup probably isn’t enough. You’ll want a dedicated, immutable backup solution. I’m not going to get into it here, but if I get enough questions I may make a dedicated post about it later. If you’re a business, back up!
Step 5: Don’t use public wifi (unless you take precautions)!
Public, or open, WiFi just means it’s wifi where you don’t have to input a password. This is convenient, but it can be a big security risk — anything you send over the wifi that isn’t encrypted through some other means is visible to anyone around you listening in.
My recommendation is to just use cellular data — I even prefer using the hotspot on my phone for my laptop instead of signing into public wifi.
The only exception to this is if you’re using a VPN on your device to protect your traffic. I’m not going to explain what a VPN is because, if you don’t know what a VPN is, you should just avoid public wifi. Problem solved!
Step 6: Get Paranoid!
Steps 1-5 are all technical controls, but perhaps the most important control isn’t technical. It is related to how you view everything that happens online.
To put it bluntly: don’t trust anything!
Here’s the best way to do this in our daily life. Whenever you get an email, or a message, or a post on social media, ask yourself this question — could hackers have sent me this message?
In almost every instance, the answer is yes. I mean that seriously! Look at your email right now, and go through them one by one and ask yourself “Is it possible that hackers could’ve created this to trick me?”
The answer is always yes.
So you need to start with that “default don’t trust” policy in your brain. Once you have that down, when you look at stuff you won’t be looking for reasons to distrust it, because attackers can be really good and they can make it really hard to determine that it’s a fake communication.
Instead you’ll be looking for reasons TO trust the communication. Here are a few questions to ask yourself:
- Do I expect this? — if you get a message and it’s a surprise THAT’S suspicious. But if you go “Oh yeah, I bought those airline tickets and I was expecting a confirmation email and here it is” then you have a reason to trust it.
- Does it seem like normal communication? — if my boss is asking me to read an article about a new AI feature, that’s a pretty normal conversation for us. That’s a reason to trust. If he’s saying “Hey, could you buy some apple gift cards and send them to me” alarm bells should be going off in my head.
- A corollary to number two is: are they making a request that I expect from them? If someone who has access to my phone number through some other means is asking for my phone number, I can safely assume I’m not talking to who I think I am.
Those are a few example questions, but the point is to approach online communication not from a place of trusting by default, but of distrusting by default.
If all else fails, and someone is asking you something and you’re not sure it’s legitimate, reach out to them VIA A DIFFERENT MEDIUM OF COMMUNICATION and confirm if it’s real.
So if you get a text from someone, email them or chat them or call them. If it’s something really big, maybe a quick video call is in order. There are ways to fake video calls, but typically not on-the-fly, so a video call confirming a text, or vice versa, is still a pretty good safety check.
Everyone knows that the internet can be tricky. I promise you, no one reasonable will ever get mad if you confirm some communication is legitimate. People appreciate the caution.
Final Thoughts
None of the stuff I talked about above is that incredibly complex. This is something I tell people all the time about cybersecurity — sure, there’s parts that are incredibly technical and complex, but the basics required to protect yourself? Those are simple!
But they’re not easy. It takes time to set up. It takes time to maintain them on a daily basis. But taking an hour now to set it up is SO much better than taking six or eight hours (or three weeks) to recover your Gmail account, or Facebook account, or your PayPal. Do the work now, today, so you don’t end up spending 10 times as much money and time trying to fix it in the future. I mean, that could be the motto for all of cybersecurity. An ounce of prevention is worth a pound of cure.