Getting Started: Basic Personal Cybersecurity for Everyone (3 Easy Tips)

Welcome to the world of cybersecurity!

This guide was written with complete cybersecurity and privacy novices in mind. It is designed to get anyone started on improving their personal cybersecurity, which is becoming increasingly important as more of society's lives intertwine with the digital landscape.

Preface

These are basic personal cybersecurity steps anyone can take regardless of any kind of established or developed “threat model.” For the uninitiated, threat modeling is a continuous process in cybersecurity wherein you identify assets, analyze threats, manage risk, and identify fixes.

(Threat modelling extends to digital privacy as well, although it takes on a slightly different meaning in a privacy context.)

Much good and popular advice out there encourages users to threat model. However, my argument is that the first step into good personal cybersecurity (and, by extension, privacy) is not to threat model, but to do the bare minimum for security.

It makes little sense to threat model but continue to use weak and/or compromised passwords, run outdated software/firmware, or skip strong(er) MFA methods when they are available. Threat modelling is important once the basics are in place. After the basics are completed, users should move into threat modelling and deploying/using tools that help them accomplish their goals.

Threat modelling in both the cybersecurity and privacy sense helps users to direct their resources to better accomplish their desired goals and wants.

Develop good password management practices

Good password management overall greatly improves your security posture as a user.

Passwords are by far the most common means for securing your accounts - if a malicious actor has your password, then they could log into your accounts. This spells trouble for crucial accounts such as email accounts and bank accounts.

Ramifications for failing to implement basic password best practices for your online accounts include, but are not limited to:

  • Compromised accounts or full account takeovers
  • Compromised personally identifiable information (PII) (ex: tax returns)
  • Compromise of sensitive information (ex: social security numbers)
  • Theft/selling of personal information
  • Doxxing (publicly posting private information without consent)

Stop reusing passwords

Stop reusing passwords.

Stop reusing passwords.

Stop reusing passwords.

Reusing passwords (even those considered “strong”) does you zero security favors; in fact, by reusing a password, users place increased trust in the security of every website, web app, or web service's servers that hold it, and place a higher risk of unauthorized account access on themselves.

While this may not seem like a big deal to most users, it creates compounding problems when credentials are exposed or leaked, which is very common given the prevalence of data breaches and data leaks in the modern landscape.

With data breaches continuously on the rise, credentials - such as passwords - are increasingly falling into the hands of malicious actors.

Reusing passwords makes these malicious actors' lives easier; they frequently take leaked credentials and try them in credential stuffing campaigns, where the malicious actors attempt to break into user accounts across different websites and web services using the leaked credentials.

Reusing passwords leaves you open to these credential stuffing attacks, because credential stuffing campaigns rely on the assumption that users reuse passwords across different accounts and services. Unfortunately, they are often correct.

What exactly does this mean? In short, a breach where credentials are compromised at Company A can result in your accounts at Company B and Company C also being breached if you reuse the same password. Attackers bet that users reuse compromised passwords (or weak variations of them) across different accounts.

Keep in mind that most web apps and web services struggle to detect these attacks, as most of the time they are distributed and use sophisticated automation. Very rarely, if ever, are these attacks carried out by hand, and attackers constantly evolve their methods to carry out credential stuffing campaigns successfully.
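As an added example (not part of the original post), the Python sketch below shows the signal a service's defenders look for when credential stuffing is distributed: in a given time window, many login attempts, mostly failing, almost every attempt against a different account, and no single source IP busy enough to trip a per-IP lockout. The log format and the log lines are constructed for the example, and the thresholds are illustrative assumptions rather than values from the post.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample authentication log (not from any real system). The first
# minute shows the shape of a distributed credential stuffing burst; the second
# minute shows an ordinary user mistyping a password once.
SAMPLE_LOG = """\
2023-05-10T12:00:01Z login user=alice src=203.0.113.10 result=success
2023-05-10T12:00:03Z login user=bob src=203.0.113.11 result=fail
2023-05-10T12:00:04Z login user=carol src=198.51.100.20 result=fail
2023-05-10T12:00:05Z login user=dave src=198.51.100.21 result=fail
2023-05-10T12:00:06Z login user=erin src=192.0.2.30 result=fail
2023-05-10T12:00:07Z login user=frank src=192.0.2.31 result=fail
2023-05-10T12:00:08Z login user=grace src=203.0.113.12 result=success
2023-05-10T12:00:09Z login user=heidi src=198.51.100.22 result=fail
2023-05-10T12:00:10Z login user=ivan src=192.0.2.32 result=fail
2023-05-10T12:00:11Z login user=judy src=203.0.113.13 result=fail
2023-05-10T12:05:00Z login user=alice src=203.0.113.10 result=fail
2023-05-10T12:05:20Z login user=alice src=203.0.113.10 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_events(text):
    """Turn log lines into (timestamp, user, source_ip, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not login records
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["src"], m["result"] == "success"))
    return events


def window_stats(events, window_minutes=1):
    """Group events into fixed windows and summarise the shape of each window."""
    buckets = {}
    for ts, user, src, ok in events:
        start = ts.replace(second=0, microsecond=0)
        start = start.replace(minute=start.minute - start.minute % window_minutes)
        buckets.setdefault(start, []).append((user, src, ok))
    stats = []
    for start in sorted(buckets):
        evs = buckets[start]
        attempts = len(evs)
        failures = sum(1 for _, _, ok in evs if not ok)
        per_ip = Counter(src for _, src, _ in evs)
        stats.append({
            "window_start": start.isoformat(),
            "attempts": attempts,
            "failure_ratio": failures / attempts,
            "distinct_users": len({user for user, _, _ in evs}),
            "distinct_ips": len(per_ip),
            "max_attempts_per_ip": max(per_ip.values()),
        })
    return stats


def flag_credential_stuffing(stats, min_attempts=10, min_failure_ratio=0.7,
                             min_user_spread=0.8, max_per_ip=2):
    """Return the start of each window whose shape matches distributed
    credential stuffing: enough volume, mostly failures, nearly every attempt
    against a different account, and no single IP busy enough to stand out.
    Thresholds are illustrative assumptions, not values from the article."""
    flagged = []
    for s in stats:
        if s["attempts"] < min_attempts:
            continue
        user_spread = s["distinct_users"] / s["attempts"]
        if (s["failure_ratio"] >= min_failure_ratio
                and user_spread >= min_user_spread
                and s["max_attempts_per_ip"] <= max_per_ip):
            flagged.append(s["window_start"])
    return flagged


def analyse(text):
    return flag_credential_stuffing(window_stats(parse_events(text)))


if __name__ == "__main__":
    for window in window_stats(parse_events(SAMPLE_LOG)):
        print(window)
    print("suspicious windows:", analyse(SAMPLE_LOG))
```

The point of the per-IP cap is the one the paragraph makes: a per-IP rate limit never fires here because each source makes one attempt, so the detection has to look at the aggregate shape of the window rather than at any single client.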

Stop reusing passwords. Use unique passwords. Each of your accounts should have its own password not used by any other account.

Create strong passwords

Your passwords are the keys to your digital kingdom.

Therefore, it is important to have strong (and unique) passwords. Weak passwords leave your digital kingdom open to invaders and raiders and other unpleasant entities you might not want inside your kingdom.

Chances are, if you are reading this, you may employ weak passwords. Even passwords you think are strong may in fact be considered “weak.”

As a baseline, if any of your passwords are found on Nord's annual Top 200 most common passwords, then they are weak and at far higher risk of being cracked/guessed by malicious actors. Even if you use a derivative of passwords found on this list, such as l33t 5p3ak, your passwords are also weak.

By extension, you'd also want to ensure your password isn't on widely circulated wordlists, such as the infamous rockyou.txt, which includes more than 14 million unique passwords.

Admittedly, these are harder to check because many wordlists exist - it's impossible to link to or capture them all, as malicious actors frequently use custom wordlists. In many cases, though, these custom wordlists include passwords found on widely available wordlists, including common derivatives.

The bottom line is: the stronger your password, the better. Strong(er) passwords aren't necessarily complex - strength comes from a combination of length and complexity. General guidance for strong passwords includes, but is not limited to:

  • Minimum of 20 characters
  • Randomization if dictionary words are used
  • Combination of upper and lowercase letters, numbers, and non-common symbols (!@#$ are typically considered common symbols)
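The wordlist check described above and the three bullets of guidance can be put into one password evaluator. The following Python is an added example, not code from the original post: it undoes common leet-speak substitutions and strips trailing digits/symbols before comparing against a common-password list, so derivatives such as "P@ssw0rd2023!" are caught, then applies the length and character-class rules. The ten-entry list and the substitution table are constructed stand-ins; a real check would load the full top-200 list or a wordlist such as rockyou.txt into the same set.

```python
import re

# Constructed stand-in for a common-password list; a real check would load the
# full top-200 list or a wordlist such as rockyou.txt into this set.
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "iloveyou", "admin", "welcome",
    "letmein", "dragon", "monkey", "football",
}

# Common leet-speak substitutions, undone before comparing so that "p@55w0rd"
# is recognised as "password". The mapping is an illustrative assumption.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})

# The article treats these as "common" symbols that add little strength.
COMMON_SYMBOLS = set("!@#$")


def normalize(password):
    """Lowercase, drop a trailing run of digits/symbols, then undo leet-speak:
    'P@ssw0rd2023!' -> 'password'."""
    base = re.sub(r"[\d\W_]+$", "", password.lower())
    return base.translate(LEET_MAP)


def is_common_derivative(password, common=COMMON_PASSWORDS):
    """True if the password, or its normalised form, is on the common list."""
    return password.lower() in common or normalize(password) in common


def character_classes(password):
    """Which character classes the password contains."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in COMMON_SYMBOLS:
            classes.add("common_symbol")
        else:
            classes.add("other_symbol")
    return classes


def evaluate(password, min_length=20, common=COMMON_PASSWORDS):
    """Return the reasons a password fails the article's guidance (an empty
    list means it passes)."""
    problems = []
    if is_common_derivative(password, common):
        problems.append("matches a common password or a derivative of one")
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = character_classes(password)
    for needed in ("lower", "upper", "digit"):
        if needed not in classes:
            problems.append(f"no {needed} characters")
    if "other_symbol" not in classes:
        problems.append("no symbols beyond the common set !@#$")
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd2023!", "Dr4g0n!!", "correct-horse-Battery-staple-7^"):
        print(candidate, "->", evaluate(candidate) or "passes")
```

Normalising before the lookup is what makes the check meaningful: a plain set membership test would pass "Dr4g0n!!" even though it is the second entry from the bottom of the list with a costume on.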

Whether you consider yourself an advanced user or a beginner, it's highly recommended to use a password manager both to create strong, unique passwords and to store them securely. With proper and frequent use, password managers help ensure your passwords are both strong and unique.

Ideally, users would use passphrases over passwords. Passphrases are longer and, when sufficiently randomized, substantially harder to crack or guess.

However, many services and apps impose character limits/requirements, which can make generating a viable passphrase difficult. Password managers typically have password generators that take user-defined parameters, making it easier to accommodate logins where such restrictions are in place.
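To show what "user-defined parameters" buys you, here is an added Python example (not code from the original post or from any password manager) of a generator that honours a site's restrictions: a fixed length, a narrowed alphabet, and required character classes, alongside a passphrase generator and an entropy estimate. The sixteen-word list is constructed and deliberately tiny; the entropy figures it produces are the reason real passphrase lists have thousands of words.

```python
import math
import secrets
import string

# Constructed mini wordlist for the passphrase generator. A real list such as
# the EFF diceware list has thousands of entries; the small size here is
# deliberate so the entropy figures below show why list size matters.
WORDLIST = [
    "amber", "basket", "canyon", "dolphin", "ember", "falcon", "glacier", "harbor",
    "island", "jungle", "kettle", "lantern", "meadow", "nectar", "orchid", "pebble",
]

DEFAULT_ALPHABET = string.ascii_letters + string.digits + string.punctuation
DEFAULT_REQUIRED = (string.ascii_lowercase, string.ascii_uppercase, string.digits)


def generate_password(length=20, alphabet=DEFAULT_ALPHABET, required=DEFAULT_REQUIRED):
    """Random password of exactly `length` characters drawn uniformly from
    `alphabet`, containing at least one character from each class in
    `required`. Narrow `alphabet` to satisfy a site's rules, e.g. drop the
    punctuation a login form rejects."""
    if length < len(required):
        raise ValueError("length too short to include every required class")
    for cls in required:
        if not set(cls) & set(alphabet):
            raise ValueError("a required class has no characters in the alphabet")
    while True:  # rejection sampling keeps the result uniform over valid strings
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in required):
            return candidate


def generate_passphrase(words=6, wordlist=WORDLIST, separator="-"):
    """Passphrase of `words` uniformly chosen words joined by `separator`."""
    return separator.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(choices, picks):
    """Entropy of `picks` independent uniform selections from `choices` options."""
    return picks * math.log2(choices)


if __name__ == "__main__":
    # A site that allows letters and digits only, with a 16-character maximum.
    print(generate_password(16, alphabet=string.ascii_letters + string.digits))
    print(generate_passphrase())
    print("20-char password from 94 symbols:",
          round(entropy_bits(len(DEFAULT_ALPHABET), 20), 1), "bits")
    print("6 words from a 16-word list:", entropy_bits(len(WORDLIST), 6), "bits")
    print("6 words from a 7776-word list:", round(entropy_bits(7776, 6), 1), "bits")
```

Two design points matter here. The generator uses `secrets`, not `random`, because the latter is not suitable for secrets; and the entropy function makes the passphrase trade-off visible: six words from a sixteen-word list is only 24 bits, while the same six words from a 7776-word list is about 77.5 bits, which is why the "sufficiently randomized" qualifier in the text carries so much weight.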

Users should avoid creating passwords that are easily guessable and/or too short. Storing passwords in password managers is...

The post Getting Started: Basic Personal Cybersecurity for Everyone (3 Easy Tips) appeared first on Security Boulevard.

10 May 2023