Securing your Online Identity

TL;DR: after a recent hack I now use a password manager, 2-Factor authentication and a separate email for banks and trusted e-commerce.

An old @aol.com email account of ours was compromised by spammers which sparked a month-long process of securing our online accounts. These are my thoughts.

Use a password manager

If someone guesses your password or your reset questions, they're in. There have also been attacks on sites like LivingSocial, Evernote, and LinkedIn that gave attackers access to scrambled passwords. They unscramble them by guessing candidate passwords and applying the same scrambler (a cryptographic hash) until the output matches, and then they try that password on other sites.

So make your passwords unguessable and unique, at least for important sites like email and banks. A password manager lets you memorize just one long master password and stores the rest. There's a remote chance the manager itself could be compromised, but weigh that against having easy-to-break passwords or keeping them all in your head.
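As an added illustration (not code from the original post), the guess-and-hash process described above, run against a constructed breach dump of unsalted SHA-1 hashes with made-up usernames, and why a manager-generated random password survives the same guess list:

```python
import hashlib
import secrets
import string
from typing import Optional


def sha1_hex(password: str) -> str:
    """The 'scrambler' a careless site might store: plain unsalted SHA-1."""
    return hashlib.sha1(password.encode()).hexdigest()


# Constructed breach dump: usernames and passwords are invented for this example.
LEAKED_HASHES = {
    "alice": sha1_hex("letmein"),
    "bob": sha1_hex("sunshine1"),
}

# Constructed guess list; real ones contain millions of common passwords.
GUESSES = ["123456", "password", "letmein", "qwerty", "sunshine1", "dragon"]


def recover(hash_hex: str, guesses) -> Optional[str]:
    """Hash each candidate and compare; return the match, or None if the list is exhausted."""
    for guess in guesses:
        if sha1_hex(guess) == hash_hex:
            return guess
    return None


def exposure_report(leaked, guesses) -> dict:
    """Which accounts fall to the guess list (None means it survived this list)."""
    return {user: recover(h, guesses) for user, h in leaked.items()}


def manager_style_password(length: int = 20) -> str:
    """What a password manager generates: random characters from a large alphabet."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print(exposure_report(LEAKED_HASHES, GUESSES))
    strong = manager_style_password()
    print(recover(sha1_hex(strong), GUESSES))
```

Both leaked accounts fall to a six-word list, while the random password is not on any list an attacker could enumerate in practice.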

There are web password managers like LastPass and PassPack, but I prefer a free and open source offline one called KeePass, and I use Dropbox to sync my password database across computers. I'd suggest also remembering at least your email and work passwords in case you can't get to the password manager. I also make my password reset answers random and store those in it.

Use 2-Factor Authentication

Even if your passwords are random and you're careful, it's possible a hacker could somehow capture a password. Two-factor authentication would stop such an attacker because they would also need that "second factor" to get in, which is usually a code from a smartphone app or a text message. Most services that offer this let you remember your device or browser so it won't keep asking for the login codes.

Google, Apple, Twitter, Microsoft's Outlook.com, and Facebook offer 2-factor authentication, and the list keeps growing. I'd recommend it for your email address; for the rest, balance your fear of getting hacked against the possible inconvenience.

Use a separate email address for highly secure sites

If your email is compromised, an attacker can access any site that lets you reset your password by email. Also, if there's sensitive data in your archived online emails, the attacker would have that too.

So I use a separate email address just for my banks and trusted e-commerce sites. That way an attacker can't use my regular email (were it hacked) as a verification step to reset passwords, or get any financial info like my account's last 4 digits or transaction notices.

I would recommend a separate email address for sites you really want to keep secure, especially if an emailed link is part of that site's password reset process. I enable 2-factor authentication for my separate email and set it so I need to enter the 2-factor code each time I log in.

Be vigilant

Probably the most common way to capture your login info is via "phishing," that is, tricking you into clicking a link that leads to a look-alike of the real site so you'll enter your password there. The Syrian Electronic Army used this to hack The Onion.

So avoid clicking on suspicious links, and check that the URL in the browser matches the real site's URL before you enter your username and password.

Ultimately, if someone really wants to hack you and has sufficient resources, they'll probably find a way. But the more you protect yourself, the less likely you'll be to unwittingly send inappropriate ads to your friends.