You receive an email about a $399 Norton Antivirus charge with a prominent number to call if you want to dispute the charge. That is the classic phishing email designed to have you disclose credit card or banking information to a fraudster. Your first cyber habit is NEVER click on any links included in suspicious emails or texts.
However, when you do receive an email that you are expecting, for example you forgot your password and you just clicked on the “Password Reset” button that sends an email with a link to reset your password, you can click on the link but then verify that you are on the valid web site. Here is how you do that – You get an email from Wells Fargo about resetting your password. After clicking on the link, for Safari on a Mac, locate the padlock icon:
Then click on the padlock icon, a pop-up will appear that confirms what web site you are actually looking at.
With Chrome, you get a security indicator icon in the address bar that, when clicked, displays some security information. Make sure you have a “Connection is secure” status.
When you click on the “Connection is secure” menu, you should see information about your website. In this case, Wells Fargo.
On Windows, you get a similar UI.
Lastly, if you are not sure about an email or an SMS/text, don’t click on the link – go to your web browser and log in to your account. If there is truly something of concern you will find out then.
Habit #1: NEVER click on a link you receive from a suspicious email or text.
Habit #2: If you do receive an expected email, after clicking on the link, make sure you are on the valid web site.
Stop Trying to Remember Passwords
Does this sound like you? You want to buy something from a website and you have to create yet another account that requires its own password. You commit one of these big no-nos:
- Use a simple password, like any English word (words in other languages are just as easily cracked).
- Reuse a password.
- Rotate a number in your list of memorized passwords, e.g. hello1, hello2, hello3, …
- Write down the password on a piece of paper, or in an unlocked Note on your phone.
Stop all this nonsense. Forget about all the tricks people told you years ago on how to create “strong and memorable” passwords. Cyber attacks on passwords have become way too sophisticated for these ancient tactics.
Start using a password manager today. A good password manager will:
- Store all your passwords safely using strong encryption in a secure vault
- Automatically generate strong and unique passwords for every website
- Automatically fill in your user ID and password when prompted for them on a website
- Synchronize all your passwords on all your devices
- Be available across multiple platforms (Apple, Google, Microsoft, Linux, …)
- Support Two-Factor Authentication
- Leverage biometric authentication (fingerprint or facial recognition)
Both Apple and Google offer built-in password managers in their respective browsers (Safari and Chrome).
If you mostly use Apple devices (iPhone, iPad and Macs) and prefer the Safari browser, then using the Apple Password manager makes a lot of sense.
If you prefer Chrome on any platform (Apple, Google or Microsoft) then using the Chrome built-in Google Password Manager makes a lot of sense.
Both Apple and Google password managers will flag any password that is reused or has been seen in a data leak.
For example, this is what the Google Password Manager might say about your passwords:
On Apple macOS:
Lastly, if you happen to use computers running different operating systems (Apple, Windows, Android, Linux, …) you probably want to invest in a standalone password manager. Consider Bitwarden, 1Password, Dashlane, … Third-party password managers require their own master password (the one password required to unlock access to your saved passwords) that is separate from your Apple or Google passwords. And of course, that is one more password to remember, unfortunately.
When using a password manager, you only have to remember ONE online password (Apple, Google or Microsoft) or TWO if using a 3rd party password manager. That’s a pretty fair deal.
Habit #3: Use a password manager
Two-Factor Authentication
The idea behind Two-Factor Authentication (2FA) is that in order to log in to a website you will need your password AND something else (the second factor).
The most common additional factor is a One Time Password (OTP) sent to your mobile by SMS/text that is only valid for a brief period of time. It is not foolproof, since hijacking the cellular network is possible and even simpler hacking methods exist.
My preferred second factor, which strikes the best balance between security and convenience, is an Authenticator Code Generator. Apple provides a built-in authenticator code generator as part of its Password Manager. It only takes a few seconds to set up for any given website and, once set up, it works on all Apple devices using the same Apple ID.
Google and Microsoft provide mobile apps that can also be used to generate authenticator codes.
Some financial firms (like eTrade, Fidelity, Schwab, Vanguard) support Symantec’s VIP authenticator app (separate from the Apple/Google ones). You typically have to enroll your authenticator by calling your financial institution.
My preferred second factor authentication methods for websites are (in preferred order):
- Authenticator Code Generator
- SMS/text
- Hardware key
Lastly, both Apple and Google support multi-device authentication when accessing your Apple or Google accounts. For example, if you try to log in to your Google account on a new device, you can authorize access by using a Google app on your mobile phone (e.g. YouTube or Gmail). Similarly, Apple can send an authentication code to another Apple device (like an iPad or a MacBook) that you can then use as a second factor.
Habit #4: Enable 2FA on all your accounts, especially your financial accounts
Adopt Passkeys
I just made the case for using a password manager. But the industry is already moving towards a world where we will not need a password at all for logging in to an account. Thanks to the passkey.
The passkey, unlike a password, is not something you know or can remember. It’s something you have, that is in your possession. There are a few types of passkeys, but the most interesting one is the “synced” passkey. They are called “synced” because when you first create a passkey, all the related “secret stuff” for the passkey gets stored either in the Apple iCloud Keychain, Android’s Password Manager or Windows Credential Manager. That means when you use a different device logged in to the same Apple, Google or Windows account, you will instantly be able to sign in to a website using that passkey.
Passkeys are very new, so not many websites support them yet. But notably, the following popular web sites support passkeys:
- google.com
- microsoft.com
- shopify.com
- amazon.com
For example, here is how Amazon allows me to sign in to my account by simply clicking “Continue”. I don’t have to type in a password. It’s pretty magical.
You may be wondering how secure a passkey is. It is very secure because the only way to use your passkey on an Apple device is if someone has both your Apple ID password and access to your 2FA (Apple mandates 2FA on your Apple account in order to use passkeys). The same holds for Android or Windows machines.
Habit #5: Always choose to create a passkey when offered