
Be aware of online data breaches

In 2019, almost 40% of humans use a smartphone. That is nearly 3.3 billion users, and many of them use several apps and websites every day. All this generates a humongous amount of data every second; add to this that most of the citizen services offered by the state are now also delivered online, which puts more data than ever in the hands of every government department.

Unfortunately, companies around the world that collect and collate this data are being careless beyond belief. In the last few years the number of data breaches keeps growing: think Target, Marriott, Yahoo, Equifax and many, many more. I am not even counting the number of times Facebook had something to report on this front. Even the mighty Google had problems with its Google Plus service. You would expect companies to have become better at protecting our PII (Personally Identifiable Information). Instead, they routinely get away with nothing more than a slap on the wrist.

Though Europe offers some ray of hope with laws like GDPR, the problem is too big for it alone to solve. All this leaves end users defenceless; they have only themselves to protect them. A few basic hygiene practices will go a long way here, and most of them are common sense. These include:

  1. Never use the same password in more than one app or website. Use a password manager: there are many free ones like KeePass and paid ones like LastPass, and once set up they are easy to use. [I have written here on how to use KeePass on all your devices]
  2. Be careful about the emails you open, the websites you visit and the apps you install. If you don’t need an app, don’t install it; if an offer looks too tempting, it is not true. [The IRS tax notice or Indian Income Tax order scams are so common nowadays, as are the lottery-winning messages]
  3. Wherever possible, and compulsorily for the main services like Gmail, Facebook and banking sites, enable two-factor authentication.
  4. Back up to offline media, or store important data and pictures in more than one service if possible.

Along with the above, users have to be vigilant: they need to watch out for whether their accounts have been hacked. For that there are paid services like Experian or LifeLock and others that search all corners of the Internet and the darknet to monitor whether any of your IDs, PII or credit card details have been compromised. I was happy to get a free subscription to Experian for one year from Marriott after their systems were hacked. A free alternative, which is not as comprehensive, is offered by my fellow Microsoft Regional Director Troy Hunt through his extremely popular free service Have I Been Pwned?
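The post does not show how a breach-lookup service can check a credential without ever receiving it. The Pwned Passwords part of Have I Been Pwned does this with a k-anonymity range query: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, receives every known hash suffix for that prefix, and matches the rest locally. The Python below is an added illustration of that client-side logic, not code from the post or from Have I Been Pwned; the "server" is a constructed in-memory dict standing in for the HTTP range endpoint, and the breach counts in it are invented for the example.

```python
"""Offline demonstration of the k-anonymity range check used by the
Pwned Passwords service. Only the first five hex characters of the SHA-1
hash leave the client; the response lists every known suffix for that
prefix, and the match is made locally. The range data below is constructed
for this example, not fetched from the live API."""
import hashlib
from typing import Callable, Dict, Tuple

PREFIX_LEN = 5  # number of hex characters the client discloses


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form Pwned Passwords indexes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> Tuple[str, str]:
    """Return (prefix sent to the server, suffix kept on the client)."""
    digest = sha1_hex(password)
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF or LF separated) into a dict."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


# Constructed stand-in for the range endpoint: prefix -> response body.
# A real response for one prefix contains hundreds of suffixes; here the
# prefix of 'password' gets two filler suffixes plus the real one, and the
# breach count 3861493 is an invented sample value.
_pw_prefix, _pw_suffix = split_hash("password")
CONSTRUCTED_RANGES: Dict[str, str] = {
    _pw_prefix: "\r\n".join([
        "00000000000000000000000000000000000:1",
        f"{_pw_suffix}:3861493",
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:2",
    ]),
}


def lookup_range(prefix: str) -> str:
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.

    The real service returns a (possibly empty) list for any 5-hex prefix;
    an unknown prefix here simply yields an empty body."""
    if len(prefix) != PREFIX_LEN:
        raise ValueError("prefix must be exactly five hex characters")
    return CONSTRUCTED_RANGES.get(prefix.upper(), "")


def breach_count(password: str,
                 fetch: Callable[[str], str] = lookup_range) -> int:
    """Times the password appeared in known breaches (0 = not found).

    The full password and its full hash never leave this function; only
    the prefix is passed to `fetch`."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        prefix, _ = split_hash(candidate)
        print(f"{candidate!r}: disclosed prefix {prefix}, "
              f"breach count {breach_count(candidate)}")
```

Swapping `lookup_range` for a function that performs the real HTTP GET turns this into a working client; the privacy property is unchanged, because `breach_count` only ever hands the five-character prefix to whatever fetcher it is given.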

Still, the number of users even aware of these services is tiny. Hence I was happy to see Mozilla offering Firefox Monitor, a free breach monitoring service with online safety education materials. Along with this, Mozilla has also released a “free” password management app called Firefox Lockwise. Welcome moves, thank you, Mozilla!

Using Firefox Monitor is easy. Sign up for a Firefox account, then add all the email IDs you use to the list. For the two email IDs I use, I got the following reports.

My Hotmail ID was found in 12 breaches. Though I had changed my passwords earlier, just to be safe I did change them all again. To be clear, these 12 breaches never occurred in Hotmail/Microsoft systems; it means the email I gave as username to these services was compromised.
My Yahoo! ID did better, as I had rarely used it in the last five years.

Be vigilant. Be safe. Enjoy the Internet!

Update 7th June 2019:

3 Comments

  1. Keep it in a disconnected SSD in a password protected file.
    No application can be trusted. Even FB, Google cannot assure safety of your data. I am not willing to trust these little known organisations and later receive an apology email from their CEO that our systems have been hacked/compromised. I have a few more methods with me but sorry, they are patented :)

  2. Password managers are also risky. In the connected world it is not safe to entrust credentials to a private organisation which created the application.

    We really don’t know how they store it and whether they have it encrypted properly. In fact it is easier for the hacker to get it all from one source. (Like you give the keys of the house to the security guard and he turns into a dacoit.)
    Whether the data (passwords) is stored elsewhere on their servers is another question.

    The best way is to keep it encoded in a device which is not always connected to the internet.

    • Stuff cash under your mattress? Bury gold under your garden soil? Invest in land? Or keep the money in the bank as deposits? Which one you prefer is a personal choice. Likewise is the issue of how you want to store/memorise secrets.

      On any given day, I feel a password manager is better than not having one, and backing up that file is still safer than having only one copy. In today’s all-connected world, even losing the password to your Gmail ID can create so much nuisance and waste so much of your time: you need to change your email ID with the Income Tax, Bank, Aadhaar and numerous other services you have signed up for. We need to balance between paranoia, safety and practicality.

      As a fact, the only computer that will ever be safe is one that is not networked with anything else. But then if that computer is stolen, or submerged under a flood, what will you do?

      If you don’t trust hosted services like 1Password or LastPass, then go with an open source app like KeePass which stores it in an encrypted file. You may then decide how it has to be backed up regularly, but it is imperative there are copies of it.
