Be Wise as Serpents (Online)

In addition to my passion for Christian apologetics, I’m also a computer “geek” and information security professional. I have been working in IT security for over 15 years. It that time, I have seen many of the threats of the Internet negatively affect friends, family, and online acquaintances. Not a month goes by that I don’t hear about a situation where someone’s email, Facebook account, or (worse) online banking account was compromised. The fact is there really are bad guys trying to steal your money!

In Matthew 10, as Jesus is sending his twelve disciples out on their first “solo” mission trip, he tells them, “Behold, I am sending you out as sheep in the midst of wolves, so be wise as serpents and innocent as doves” (Matthew 10:16, ESV).   The context of this passage is Christ’s warning about the persecution that his disciples will face, but I think the general advice of being as “wise as serpents” in other situations is quite sound (after all, we’re talking about Jesus!).

What I want to write about is how we can be “wise as serpents” when it comes to one aspect of our online activities: How to protect our passwords!

Let’s face it, for most of us today, our various online accounts (email, Facebook, Twitter, online financial systems, etc.) are a significant part of our lives. We use these tools to communicate with friends, family, co-workers, our bank, our employer, our church, etc. If someone were to gain access to one or more of these accounts, it could be catastrophic for us. I want to offer a few tips and some “wisdom” on protecting your online identity and the various accounts you use in your daily life.

Use Two-Factor Authentication

The term “two-factor authentication” is a five-dollar security phrase for having multiple “parts” or “factors” to how you log in to something.   A user ID and password are something you know. There are actually two other factors that can be used for authentication: something you are (like a fingerprint or other biometric) or something you have (like a cellphone).

The reason two-factor authentication is much (much) better is because it makes it much (much) harder for a bad guy to break into your email, Facebook, etc., than if you use a simple user ID and password.

I use Gmail as my primary email account (I actually have something like 7 or 8 different email addresses….crazy I know). I have enabled Google’s two-factor authentication solution (called Google Authenticator). This is some software that runs on my iPhone and has a six-character code that changes every 60 seconds. When I log into Gmail the first time on a new computer, I have to enter my Gmail address, my password, and the Google Authenticator code that is displayed (which will change again in less than 60 seconds). I can click a box that tells Google to “trust” my home computer, and I won’t get prompted for the Google Authenticator code with subsequent logins.

Here’s the point: On the off chance that a bad guy were to get my (really long, complicated) Gmail password, he would also have to have my iPhone with the Google Authenticator app to log in to my Gmail. That’s pretty much impossible for a remote attacker.

Many email providers, social media sites (Facebook, Twitter), blog sites, and other online sites offer some sort of two-factor authentication. Many are as simple as sending you a text message when you log in from a different computer, and most allow you to “trust” your primary computer.

Bottom line: Use two-factor authentication whenever you can.

Use Different Passwords---Everywhere!

There have been dozens of examples of bad guys breaking into a web site and stealing user IDs and passwords, and then using those to try and break into (often successfully) into other sites, such as banking sites. Our email addresses are frequently used as our “user ID” on many different sites. If you use the same password (or a common derivative of a password, like apple1, apple2, etc.) on different sites, you are putting your online accounts at greater risk for compromise.

Bottom line: Use very different passwords for different websites.

Now, I know you’re saying, “Yeah, but I have dozens of sites I used. Do you expect me to have to remember all those passwords?”

Answer: Nope... see next tip.

Use a Password Manager

A Password Manager tool (such as LastPass, 1Password, and others) is a solution that lets you manage all your passwords in one place. You should always have a very strong password and two-factor authentication to get to your password manager. Most of them will automatically log you in to various websites; create unique and complex passwords (you chose how long and how crazy/complex) for you; yet still let you view your use ID and password. LastPass, my favorite, even has a mobile app that synchs with my computer. If I create a new password for a new website on my computer, it shows up on my iPhone. I can let the LastPass tool automatically log me in, or just view (and copy-and-paste) the password into a website. Plus, the mobile version uses Apple Touch ID.

PC Magazine has a great review of the best password managers.

Bottom line: Strongly consider using a password manager.

Be Smart

It used to be that information security people like me would tell user, “You need to have a really long, strong password. Use letters, numbers, and special characters.” While this is still generally good advice, the problem is the bad guys aren’t trying to break into websites by guessing passwords. They are simply getting passwords. Either by using passwords stolen from another website; fooling unsuspecting users into giving up their password through “phishing” emails (Hi, I’m with the helpdesk, I need your password); or by infecting your computer with malicious software called a “keystroke logger” that captures your password as you type it. So in these situations it really doesn’t matter how long or strong your password is.

Internet users today need to be smart when it comes to how you treat your passwords.  Don't get fooled by the phishing emails!  Keep your computer's operating system and anti-virus software up-to-date.  Keep your web browser up-to-date.  Both Google (Chrome) and Firefox have released multiple updates this year alone.  Be cautious about your web activities.  Don't accept offers for "free" security software that pops up on your screen.  Be wary of anyone trying to steal your passwords.

Bottom line:  "Be wise as serpents"