5 secure habits for privacy-obsessed PC users

Getting a little sloppy with your security? Time to shape up. Practice these five habits to protect your data at home, in the office and out in the world.

A paranoid user with a laptop computer looks around suspiciously. [credit: Thinkstock]


We know how it goes: You mean to practice safe computing habits, really you do. But when you fire up your computer, you just want to get stuff done—and that’s when even savvy users begin to cut security corners.

We’d all do well to take a lesson from truly paranoid PC users, who don’t let impatience or laziness stand in the way of protecting their data. Let’s take a look at some of their security habits that you may want to practice regularly.

After all, staying safe online doesn’t have to be onerous or time-consuming. Invest an hour or two this weekend to put a few safeguards in place, consciously start to practice a few good habits—and before you know it, your good intentions will become a daily reality.

1. Use a VPN everywhere

A perennial concern of the security conscious is having an interloper listen in on online activities, which can make you a ripe target for phishing attacks or even result in a hijacked connection. This could happen in a variety of settings: at unprotected public Wi-Fi hotspots, through fake cellular base towers or fake Wi-Fi access points, or on hotel networks that have been compromised by hackers targeting executives traveling on business.

While enabling two-factor authentication (see below) and visiting only websites that are secured with HTTPS can alleviate some of these risks, a hacker in any of the above scenarios could still gain far too much information about the sites you visit. You may also be unknowingly exposed to threats posed by insecure apps running in the background on your laptop.

It makes much more sense to access the Internet through a virtual private network in which all outgoing and incoming traffic is funneled through an encrypted channel to a trusted Internet gateway. Another advantage of this strategy is how it masks your current IP address, which should further reduce opportunities for phishing.

Fortunately, commercial VPN offerings such as VyprVPN and PureVPN abound for individuals and small businesses, and are typically priced at between $5 and $10 per month. Almost all of these services provide their own VPN client to log in to the correct servers with minimum configuration required. Affordability aside, some considerations when choosing a suitable VPN service include its performance in the region where you live or travel to, the number of simultaneous client devices it supports, the platforms it supports and its reliability.

For users with technical chops, an alternative is to set up your own VPN connection to a VPN server in the office or even on a home router. This is worth considering due to the increasing number of home routers and other network appliances that are capable of acting as a VPN server. For instance, the recently released Synology Router RT1900ac offers add-on software that turns the router into a VPN server. You can also configure your Windows PC to act as a VPN router.

Synology router VPN server screenshot. [credit: Paul Mah]

Wireless routers such as the Synology Router are increasingly offering built-in VPN capability.

2. Enable two-step or two-factor authentication for your online accounts

Basic password hygiene—creating lengthy, complicated passwords/passphrases, using different passwords/passphrases for different accounts and managing them all with a password manager—is still an important security fundamental, but it isn’t nearly enough to protect your computer in 2016.

Bad guys use multiple methods to steal static passwords: devices like the $99 WiFi Pineapple that can be used to masquerade as Wi-Fi access points, $10 hardware sniffers that spy on and decrypt the signals from wireless keyboards, and keylogging hardware devices that can be plugged unobtrusively into a PC (there are dozens available on Amazon). Malware attacks, bugs in poorly written software and man-in-the-middle loopholes open up additional threat vectors.

As such, having a second, dynamic code that is generated on the fly and delivered via an alternate, trusted route overcomes some of the inherent vulnerabilities of a static password and increases the likelihood that your account will stay safe even if your password is compromised. The simplest and most common form that this security measure takes is a one-time code sent to your cell phone via SMS when you log in to an account. Just type in the code to complete the login.

Because the code is sent to your phone, some industry watchers hold that this two-step process is a simple form of two-factor authentication, which adds something you have (your phone) to something you know (your password). Other experts argue that because it relies on SMS, which is inherently insecure and can be intercepted by someone who doesn’t physically possess your phone, it’s not true two-factor authentication. Semantics aside, two-step verification is still much more secure than relying on a password alone.

Even more secure are two-factor authentication methods where codes are generated on a device itself, such as mobile phone apps that are primed to generate one-time codes on demand, hardware security fobs such as RSA authenticators that generate a code for you to type in, or devices like the $40 YubiKey that are plugged into an available USB port. Slowly gaining in popularity is multi-factor authentication, which adds something you are (using a fingerprint or other unique biometric data) to something you know and something you have.

Hardware security tokens from banks. [credit: Paul Mah]

Banks in Singapore, where the author lives, are mandated by law to implement two-factor security for their customers. Many use hardware security fobs like these. (Headphones shown for scale.)

While every online service will benefit from the use of two-step or two-factor authentication, a good place to start is with your email account and your cloud storage service. The latter is self-explanatory, while the former is important because a hacker who gains access to your email account can use it to reset the passwords of all your online services linked to it.

In fact, the threat of an email address being leveraged to social-engineer additional information from customer service departments is real, and security experts recommend that really important accounts such as the root credentials of an Amazon Web Services account, for example, should be linked to an email account that isn’t used anywhere else.
