It’s that time of year again! Time to put the past behind us and look forward to a brand new year, full of possibilities and hope! I mean, it can’t get much worse, right? Okay, I take that back… no reason to tempt fate. Here are some privacy and cybersecurity tips you should seriously consider adding to your 2023 to-do list.
New Year’s Resolutions: Overview
I’ve tried to mix things up and avoid repeating the same goals every year. I’ve also tried to tailor the suggestions around current events and problems that I feel are particularly timely. If none of these float your boat, see the list at the end of this article. You don’t need to do all of these things right away – you can work through them over the year.
Use a Password Manager (But Not LastPass)
The latest LastPass breach has left a lot of their customers pretty worried. I strive to avoid clickbait headlines and hyperbole, but this is pretty bad. I’ve recommended LastPass for many years and I know that any company can be hacked. However, this breach has exposed some really bad decisions made by LastPass that have exposed their users to serious risk. For these reasons, I recommend that you use BitWarden or 1Password.
However, this breach should not dissuade you from using a password manager! No service is 100% secure, but that doesn’t mean we don’t take common sense measures to make it harder for the bad guys to succeed. For example, no home is immune to theft by a determined and resourceful burglar, but that doesn’t mean that you don’t put locks on your doors.
You shouldn’t know any of your online account passwords. They should be crazy, random, long, unique strings of characters that were generated by and stored in your password manager. The only password you need to remember is your master password – the one that locks your password manager vault. See this article for more information, including pointers to articles on creating strong passwords. Also, be on the lookout for the new passwordless or passkeys authentication system, which has significant advantages over standard passwords. Password managers like BitWarden and 1Password will support this, as well.
Note also that you should not be using your web browser to remember your passwords – they are not secure enough. If you’re switching from your browser’s password vault or another password manager, it’s thankfully easy to do. See these instructions: BitWarden, 1Password.
Use Two-Factor Authentication
Passwords are your primary line of defense when it comes to locking your accounts. But as any security expert will tell you, you need defense in depth – belt and suspenders. If one fails for some reason, you have a backup. Two-factor authentication (2FA) adds a second barrier to accessing your accounts. Basically, 2FA (sometimes called MFA, multi-factor authentication) requires that the person accessing the account enter a special PIN code, which changes with time. This PIN can be delivered via SMS, from an authenticator app on your phone, or from a little hardware key similar to a thumb drive (in order from least secure to most).
I personally find that an authenticator app is the best trade-off of convenience and security for most people. The most popular app is Google Authenticator, but I personally prefer Authy. I would also avoid using the authenticator app that’s made by your password manager company – you should keep those two functions separate. When you’re setting up 2FA, many sites will specifically mention Google Authenticator, but you don’t have to use that app. (Google Authenticator is sort of the “Kleenex” of authenticator apps.) As you enable 2FA on your accounts, be sure to back up your 2FA “seed” codes.
Use Email Aliases
In the old days, we could choose our usernames when signing up for accounts, as long as they were unique within that site. That’s why we ended up with dumb IDs like “therealjohnsmith57” on sites with lots of users. But somewhere along the line, online accounts started requiring valid email addresses to be used as usernames. This neatly solved two problems: coming up with a unique ID and giving the website a way to contact you if something went wrong or you needed to recover your account. However, it also meant that you would likely receive a lot of spam.
But it’s actually worse than that. First of all, your email address isn’t just unique for that website – it’s globally unique. That makes it a really powerful mechanism for tracking you across sites and therefore an asset that could be monetized. To make matters worse, people often reuse passwords across multiple websites. Cyber criminals know this. When they compromise a website, they will take your credentials and try them on several other sites, too. This is called credential stuffing.
You can make it harder to correlate your data and accounts across sites by using multiple usernames – that is, using different email addresses for each site. You don’t actually have to have multiple email accounts to do this. You can set up email aliases instead. These are unique addresses that all forward to the same inbox. When done properly, you can reply to emails sent to the alias without exposing the real address, too. Several companies offer this service: Apple has Private Relay, Fastmail has Masked Email, Proton has partnered with SimpleLogin, and the list goes on. You can also buy a domain name and set up a catch-all account.
Set Up Emergency Access
If you became incapacitated or died suddenly, would your spouse or next of kin be able to access your accounts? Would they even know what accounts you had? These circumstances are not fun to think about, which is probably why so many people put off preparing for them. So maybe think about it in reverse: could you access the accounts of your spouse, parents, or kids in an emergency?
Another advantage to using a password manager is that it’s a one-stop shop for a list of all your important accounts along with the credentials necessary to access them. Both 1Password and BitWarden have emergency access features for this situation.
Don’t forget that for every account for which you’ve set up two-factor authentication, you’ll need a way for your loved ones to either access your authentication device or recover your 2FA seed codes – especially for your password manager! There are other things to consider, too. Check out this article for help and more tips.
Switch to Privacy-Respecting Services
If we want more privacy, we need to support companies that are doing the right things. Not only does this allow these companies to thrive and improve their products, but it creates market pressure for their competitors to do the same. Many of these companies offer free or trial versions of their services, but I would encourage you to pay for them when you can. When you find products you like, share this with friends and family and on social media.
One of my big goals for 2022 was to de-Google my life. I published a series of articles on this, covering search, Chrome, Android, Gmail, Gcal, Contacts, Meet/Hangouts, YouTube, Maps, Docs and more. Did I completely ditch Google? No. I have a lot of family and friends on Google that I would have had to drag with me, and that’s just not practical. But I did significantly reduce my Google footprint – and you can, too.
There are several other services you might want to look at switching, including mobile payment services, VPNs, cloud storage, email, and messaging. Many of these are also referenced in my annual Best & Worst Gift Guide.
It’s all well and good to improve your own security and privacy, but I’d like to strongly encourage you to take it one step further and help others do it, too. The very fact that you are now voluntarily reading an article about privacy and cybersecurity probably puts you in a very small segment of the population. You are willing to learn how to improve your security and protect your data, and you have the wherewithal to do those things. That is a rare superpower. Use it for good.
It’s not just about altruism or karma, though. Your security and privacy overlap the security and privacy of others. How much could I find out about you by going through the address book or social media posts of the people you know? If you got an email or text message from someone you know and trust, might you not be more likely to open an infected attachment or click on a link to a rogue website? If a friend connects their hacked laptop to your home WiFi, this could expose every smart device in your home to attack. We’re all in this together. Helping others doesn’t just protect them, it helps everyone they’re connected with, too.
If you’d like to formalize this as a gift (or just get a nice list of ideas for tasks you could perform), I created a set of downloadable coupons you can give away. You might want to read and share the related article, as well.
Other Ideas & Resources
If you want more ideas, start by reviewing my past New Year’s Resolutions articles: 2022, 2021, 2020, 2019. You might also check out my Data Privacy Checklist, which I update once a year around Data Privacy Week (which is coming up soon). Here are a few more:
- Back up your data
- Delete unused apps from your phone and computer
- Learn how to share sensitive files securely and privately
- Put your IoT devices on your guest network
- Try out my weekly podcast!
Sign up to receive Carey's favorite security tips + the first chapter of his book, Firewalls Don't Stop Dragons.