Simple Cybersecurity Tips for PhD Students (or anyone, really)

Do you know what your online passwords are? If you do, you might need to reconsider how you manage your passwords!

Your username and password are what keeps other people out of your online services. Whether it's your email, insurance, newspaper or social media accounts, it is your username and password which tell the website to let you in and keep everyone else out. Passwords, however, are often seen as an inconvenience and a hassle. People find them hard to remember, and most internet users have bad habits when it comes to managing them. Cybercriminals exploit this with many techniques to capture your password, either from you directly (phishing, malware) or from the website where it is stored (a data breach).

When you create an online account, both your username (which is often your email address) and your password are stored in a database. The website should then hash your password, so that what is stored is a long string of letters and numbers produced by a one-way function, not the original characters you typed in. This protects you: a cybercriminal who steals the database must first crack the hashes to recover your original password, and with a slow, salted password hash such as bcrypt or Argon2 that costs real effort per password. Not every site does this properly, though, and there is a strong market among cybercriminals for both 'plaintext' and hashed password data; data stolen from one website can be sold many times.

Unfortunately, it is well known that most people reuse the same password across multiple sites. This means that if password data is stolen from one website, it can be tried against many others, which is one of the reasons why there is such a strong trade in password data. Ideally, every password you use should be unique to that website, so a data breach at one site won't let cybercriminals into any of your other online accounts. Cybersecurity expert Troy Hunt has built a free service, Have I Been Pwned, where you can check whether your email address or a password has appeared in a data breach and is available to cybercriminals.

So what makes a good password? There are many myths around passwords. People tend to think that the more symbols they cram in, the more secure a password is, but that isn't the whole story: when it comes to passwords, size matters. Firstly, then, a password should be long. 'Brute forcing' a password means systematically trying every possible combination of letters, numbers and symbols, and it is a common way to crack hashed passwords. Every extra character multiplies the number of combinations by the size of the alphabet, so length grows the search space far faster than adding one more kind of symbol does. An example of a complicated password is Gz@J,F7q, but because it is short, it would take only 18 hours to be broken by a 'moderate' password-guessing rig. A longer password such as dfG*$UA*n&5NfV@4BbNL^ k would take the same rig over a billion trillion centuries to break by brute force.

Secondly, your password should also be as complex as possible. Complexity refers to mixing upper-case characters, digits, symbols and other special characters. The more complex a password, the less likely it is to fall to a dictionary attack (where whole words are tried instead of single characters), to attacks that exploit common password patterns, or to the usual substitutions (such as 1 for l and 3 for e), which cracking tools already know about. A complex password that is also chosen at random has high entropy (the cryptographer's measure of unpredictability), which forces the attacker to fall back on brute force, and brute force is slow.
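To make the length-versus-complexity point concrete, here is an added example (not code from the original post) that estimates the brute-force search space of a password from its length and the character classes it uses, and shows why the 1-for-l, 3-for-e substitutions don't rescue a dictionary word. The guess rate of 1e10 per second is an assumption for illustration only, not a measurement of the 'moderate' rig the post refers to, and the tiny word list is constructed inline.

```python
import math

# Added example (not part of the original post): estimate the brute-force
# search space of a password from its length and the character classes it
# uses, and show why "leet" substitutions do not turn a dictionary word into
# a strong password. The guess rate used in compare() is an assumption for
# illustration, not a measurement of any real cracking rig.

LOWER, UPPER, DIGITS = 26, 26, 10
SYMBOLS = 33  # printable ASCII punctuation plus the space character

# Reverse map for the substitutions the post mentions (1 for l, 3 for e) and
# a few other common ones. Cracking tools apply these as "rules" automatically.
LEET_REVERSE = str.maketrans({"1": "l", "3": "e", "0": "o", "@": "a",
                              "$": "s", "!": "i", "4": "a", "7": "t"})


def charset_size(password: str) -> int:
    """Size of the smallest standard alphabet covering every character used.
    A brute-force attacker only needs to search this alphabet."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(not c.isalnum() for c in password):
        size += SYMBOLS
    return size


def brute_force_bits(password: str) -> float:
    """log2 of the number of candidates: length * log2(alphabet size).
    This is an upper bound on entropy; it is only reached if every character
    was chosen uniformly at random."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def seconds_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case time for an attacker to try every candidate of this
    length and alphabet at the given rate."""
    return 2 ** brute_force_bits(password) / guesses_per_second


def is_disguised_dictionary_word(password: str, wordlist) -> bool:
    """True if undoing common substitutions yields a dictionary word, i.e.
    a dictionary attack with substitution rules would find it quickly."""
    return password.translate(LEET_REVERSE).lower() in wordlist


def compare(passwords, guesses_per_second: float = 1e10):
    """Bits and worst-case crack time (in years) for each candidate."""
    year = 365.25 * 24 * 3600
    return {p: (round(brute_force_bits(p), 1),
                seconds_to_exhaust(p, guesses_per_second) / year)
            for p in passwords}


if __name__ == "__main__":
    # Constructed sample inputs: the two passwords quoted in the post and a
    # "complex-looking" substitution of a dictionary word.
    for pw, (bits, years) in compare(["Gz@J,F7q", "dfG*$UA*n&5NfV@4BbNL^ k",
                                      "P@ssw0rd"]).items():
        print(f"{pw!r}: {bits} bits, {years:.3g} years at 1e10 guesses/s")
    print("P@ssw0rd is a disguised dictionary word:",
          is_disguised_dictionary_word("P@ssw0rd", {"password"}))
```

The short password from the post draws on all four classes (a 95-character alphabet) but still has only about 52 bits of search space; the long one has around 150. P@ssw0rd uses the same four classes as Gz@J,F7q yet falls to a rules-based dictionary attack almost immediately, which is the difference between looking complex and being random.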

Ideally, every password you use should be long, unique and complex, but unless you are gifted with a photographic memory, this is very impractical to manage by hand. Luckily, there are Password Manager tools available which will create very secure passwords for each of your accounts that you don't need to remember. There are commercial Password Managers such as 1Password and LastPass as well as free, open-source programs such as KeePass. Many also come with browser extensions so your passwords are entered automatically when you visit a site.

Password managers help you to have good, strong passwords for all of your online accounts, and you only need to remember one password: the one that unlocks your Password Manager.

If you don't want to go down the route of either paying for a password manager service or using an open-source one, there is a very simple way, which was told to me by a friend at Google, to create strong, unique passwords for all of your online accounts while still only having to remember one password.

Firstly, create a list of all your online accounts. For each account, generate a complex, random code. You can use an online tool or whatever method you prefer, so long as the codes are random and unrelated to each other (a password generator running on your own machine is preferable to pasting secrets into a website). You should be left with a table like this:

Facebook  NXB!V4FH
Twitter   rK^KYqyH
Gmail     43JDT!G2

Don't worry if you don't think you can remember them: you won't have to. Save the table somewhere safe like Dropbox and print off two copies. Keep one copy at home, where it won't be lost, and keep the other in your wallet or purse (you may want to laminate it).

Finally, think of a simple phrase which is quite long and easy to remember. An example would be 'Slate.Ladder,Tesla Plank'. This is the only thing you have to remember, and if you do write it down, it should never be kept with the table. Your password for each account is the secret phrase followed by the code from the table, so for Facebook your password is 'Slate.Ladder,Tesla PlankNXB!V4FH'.

Using this method, your passwords are now long, complex and unique to each site, and you only need to remember one phrase. Bear in mind that the phrase is the part shared by every account: a site that leaks your password in plaintext also leaks the phrase, and from then on the only thing standing between an attacker and your other accounts is the eight-character code in the table, which is why the table itself must be kept out of other people's hands.
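The whole procedure above, as an added example (not the friend's tool or any code from the original post): generate the per-site codes with a cryptographically secure generator, print the card, and assemble the final password from the memorised phrase plus the code. The alphabet of symbols and the 8-character code length are my assumptions chosen to match the post's table; the site names and the 'Slate.Ladder,Tesla Plank' phrase are the post's own.

```python
import secrets
import string

# Added example (not part of the original post): generate the per-site codes
# for the table, check them, and assemble the final password from the
# memorised phrase plus the code. The symbol alphabet and 8-character length
# are assumptions matching the post's table; the CSPRNG (secrets) is what you
# should use instead of random.choice or an online generator.

SYMBOLS = "!@#$%^&*"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def has_all_classes(code: str) -> bool:
    """The post calls the codes 'complex': require upper, lower, digit, symbol."""
    return (any(c.islower() for c in code) and any(c.isupper() for c in code)
            and any(c.isdigit() for c in code) and any(c in SYMBOLS for c in code))


def random_code(length: int = 8) -> str:
    """Draw characters with a cryptographically secure generator; resample
    until all four classes are present (rejection sampling keeps the result
    uniform over the set of codes that pass the check)."""
    while True:
        code = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(code):
            return code


def build_table(sites, length: int = 8) -> dict:
    """One distinct random code per site."""
    table = {}
    for site in sites:
        code = random_code(length)
        while code in table.values():  # vanishingly unlikely, but cheap to guard
            code = random_code(length)
        table[site] = code
    return table


def format_table(table: dict) -> str:
    """The printable card: site name padded to a column, then its code."""
    width = max(len(site) for site in table)
    return "\n".join(f"{site.ljust(width)}  {code}" for site, code in table.items())


def site_password(phrase: str, table: dict, site: str) -> str:
    """Final password = memorised phrase followed by the site's code."""
    return phrase + table[site]


if __name__ == "__main__":
    table = build_table(["Facebook", "Twitter", "Gmail"])
    print(format_table(table))
    # The phrase never goes on the card; it is only combined with the code
    # in your head or directly in the password field.
    print(site_password("Slate.Ladder,Tesla Plank", table, "Facebook"))
```

Run it once, print the card, and then delete the output from wherever it was generated; the card is the only copy that should exist apart from your safe backup.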

Finally, for added security, you should enable Two Factor Authentication on all of your online accounts that offer it. Two Factor Authentication (2FA) adds an extra step when you log in to an online service: after you provide the correct username and password, you are also asked for a code. This code is short-lived and is either sent to your device (for example by SMS) or generated by a 2FA app such as Google Authenticator or Authy, which computes a fresh code every 30 seconds from a secret shared with the site when you enrolled.

2FA protects you against people accessing your online accounts even when they have your username and password, as they will also need the current code to log in successfully. Most online services support 2FA, and many websites will only present a 2FA challenge when you are logging in from a device you haven't used before.
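Here is an added example (not code from the original post, Google Authenticator or Authy) of the arithmetic that the authenticator app and the website both perform to agree on a six-digit, time-limited code: HOTP (RFC 4226) driven by a 30-second time counter (RFC 6238), plus the server-side check with a small drift window. The shared secret and timestamps are the RFC test vectors, not any real account's enrolment data; the base32 string is that same secret in the form QR codes usually carry.

```python
import base64
import hashlib
import hmac
import struct
import time

# Added example (not part of the original post): the HOTP/TOTP arithmetic
# that authenticator apps and websites share (RFC 4226 / RFC 6238). The
# secret and timestamps used at the bottom are the RFC test vectors.


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time=None, step: int = 30, digits: int = 6) -> str:
    """Code for the 30-second window containing for_time (default: now).
    Both sides only need the shared secret and a roughly accurate clock."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time // step), digits)


def verify_totp(secret: bytes, submitted: str, for_time=None,
                step: int = 30, window: int = 1) -> bool:
    """Server-side check. Accept the current window and `window` neighbours
    on each side to tolerate clock drift; compare in constant time."""
    if for_time is None:
        for_time = time.time()
    counter = int(for_time // step)
    return any(hmac.compare_digest(hotp(secret, counter + d), submitted)
               for d in range(-window, window + 1))


def secret_from_base32(text: str) -> bytes:
    """Enrolment QR codes carry the secret as base32 (spaces and case vary,
    and padding is often omitted)."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test secret
    print(totp(secret, 59), totp(secret, 1111111109))  # 287082 081804
    print(verify_totp(secret, "287082", for_time=89))   # True: one step late
    print(verify_totp(secret, "287082", for_time=150))  # False: too old
    print(totp(secret_from_base32("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"), 59))
```

Two things worth noticing: the code is a pure function of the secret and the clock, so anyone who copies the secret (a screenshot of the QR code, a backup of the app's database) can generate valid codes forever; and the server's acceptance window is what lets a phished code be replayed for a minute or so, which is why a code should be entered only on the site you actually meant to log in to.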

Encrypting Data

Do you store confidential data for your PhD? Does this data contain Personally Identifiable Information (PII)? If so, you should encrypt it.

Firstly, you should encrypt the information on your computer anyway. This is called 'Full Disk Encryption', and it means that if your computer is ever stolen, the most the thieves can do with it is wipe it; your data won't be going anywhere. On Mac it is built in as FileVault and is available in all recent versions of macOS (and iOS devices are encrypted as standard), while for Windows users the built-in tool, BitLocker, is only available on the Windows 10 Pro and Enterprise editions.

Instructions for Mac users are here, while for Windows users, it's here. You should also do this for your mobile: both Android and iOS offer this, and again it means that if your phone is stolen, it will be wiped without anyone getting access to your apps, contacts and so on.

The above guides are necessary, but not sufficient, for storing PII. Full disk encryption only protects the data while the machine is powered off or locked; once you have logged in, everything on the disk is readable by any program running as you. So you'll also need to encrypt this data with a separate mechanism, on top of the full disk encryption.

One simple way to do this is to use VeraCrypt. VeraCrypt is an open-source successor to TrueCrypt, which was one of the most popular open-source encryption tools until its developers mysteriously vanished in 2014, sparking a number of conspiracy theories.

VeraCrypt offers a simple-to-use system for encrypting files with strong encryption and works on most operating systems. On Windows, VeraCrypt can also provide Full Disk Encryption for editions that don't come with it (I'm looking at you, Windows 10 Home).

With VeraCrypt, you create an encrypted 'container' file and store your PII inside it. When you open the container it is mounted as a virtual drive, so you work with the files as normal; when it is closed it is just one opaque file, which can be backed up or stored on a cloud account like Dropbox like any other. The container can only be opened with the password you set, so your files are safe so long as you set a good password.

You can also add a second factor by securing the VeraCrypt container with both a strong password and a keyfile, which you save to a USB stick. This way, you'll need both the USB stick and the password to access the files containing PII.
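The container-plus-keyfile setup above, as an added example (my code, not the original post's and not part of VeraCrypt): it writes a random keyfile with safe permissions and builds the exact `veracrypt --text` command lines to create, mount and dismount a container that needs both the password and that keyfile. It assumes the `veracrypt` binary is on PATH; the container and mount paths and the 100 MiB size are placeholders, and the password is deliberately left to VeraCrypt's own prompt rather than put on the command line.

```python
import os
import secrets
import subprocess
import tempfile

# Added example (not part of the original post or of VeraCrypt): create a
# keyfile and drive the VeraCrypt command-line interface so that a container
# requires BOTH a password and that keyfile. Assumes `veracrypt` is on PATH.
# Paths and the 100 MiB size are placeholders.

VERACRYPT = "veracrypt"


def write_keyfile(path: str, size: int = 64) -> int:
    """Write `size` random bytes, owner-readable only, refusing to overwrite.
    VeraCrypt mixes at most the first 1 MiB of a keyfile into a 64-byte pool,
    so 64 bytes from a CSPRNG already saturate it."""
    data = secrets.token_bytes(size)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return len(data)


def keyfile_is_private(path: str) -> bool:
    """On POSIX, nobody but the owner may read the keyfile."""
    return os.name != "posix" or (os.stat(path).st_mode & 0o077) == 0


def new_keyfile_in_tempdir(name: str = "pii.key"):
    """Convenience for trying this out: keyfile in a fresh private temp dir.
    For real use, write it to the USB stick instead."""
    path = os.path.join(tempfile.mkdtemp(), name)
    return path, write_keyfile(path)


def create_args(container: str, keyfile: str, size_bytes: int = 100 * 2 ** 20) -> list:
    """argv to create a standard (non-hidden) AES/SHA-512 volume that needs the
    keyfile. The password is deliberately NOT passed as an argument (it would
    be visible in the process list and shell history); veracrypt prompts for it."""
    return [VERACRYPT, "--text", "--create", container,
            f"--size={size_bytes}", "--volume-type=normal",
            "--encryption=AES", "--hash=SHA-512", "--filesystem=FAT",
            "--pim=0", f"--keyfiles={keyfile}", "--random-source=/dev/urandom"]


def mount_args(container: str, mountpoint: str, keyfile: str) -> list:
    """argv to mount; without the keyfile, the correct password alone is refused."""
    return [VERACRYPT, "--text", "--mount", container, mountpoint,
            f"--keyfiles={keyfile}", "--pim=0", "--protect-hidden=no"]


def dismount_args(mountpoint: str) -> list:
    """argv to close the container again, after which it is one opaque file."""
    return [VERACRYPT, "--text", "--dismount", mountpoint]


def run(args: list) -> int:
    """Run veracrypt interactively (it prompts for the password on the terminal)."""
    return subprocess.run(args, check=True).returncode


if __name__ == "__main__":
    keyfile, _ = new_keyfile_in_tempdir()
    container = os.path.expanduser("~/pii.hc")   # placeholder path
    mountpoint = os.path.expanduser("~/pii")     # placeholder path
    os.makedirs(mountpoint, exist_ok=True)
    run(create_args(container, keyfile))
    run(mount_args(container, mountpoint, keyfile))
    # ... copy the PII files into `mountpoint` ...
    run(dismount_args(mountpoint))
```

The arguments are passed as a list rather than a shell string so that a space or quote in a path cannot change the command, and the container is created with FAT so it opens on Windows, macOS and Linux alike. For the real keyfile, pass a path on the USB stick to write_keyfile instead of the temp directory.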

A word of warning, however: if you forget your password, or lose the USB stick (if you have gone down the 2FA route), then you will have permanently lost access to the data… Keep a backup copy of the keyfile somewhere safe and separate from the container.

Finally, as with all encryption software, you are using it to prevent the loss of data in the event that your computer is stolen, lost or hacked, and to protect the data entrusted to you in the course of your research.

It won't stop a determined adversary with the resources of an intelligence agency or a well-resourced cybercrime group, and it won't prevent law enforcement agencies from arriving with a warrant and compelling you to open the container. If you have the kind of data that needs that level of protection, this isn't the blog for you. Try here instead.