I was recently asked a series of questions about how to protect your security online. I’d like to share the answers here – and please feel free to reach out if you have any comments.

1. How can you create the best passwords that are hacker-proof but easy to remember?  

The best passwords aren’t words, but phrases. Pick something that you won’t forget and that has personal meaning, but that an outsider would have no way of knowing: a line from a favorite song, an inside family joke (e.g., “sneeze your brains are dusty,” “get a horse,” or “people like macadamia nuts”), or the opening line from a favorite book (e.g., “Call me Ishmael,” “Arma virumque canō,” “Mr. and Mrs. Dursley, of number four Privet Drive”).

Of course, you can abbreviate and substitute numbers and special characters to make the passphrase more obscure – G3t@h0rs3 for “get a horse.”

2. If you can’t remember your passwords, what’s a safe way to store them?

There are many commercial and free password storage tools available. For most people, simply storing them in a (low-tech) paper notebook or a simple text document with an innocuous file name is sufficient. Security professionals hate Security by Obscurity as a substitute for real security controls in corporate settings, but for a personal system, who would know that the file named “Grandma’s Easter Recipes” is actually your list of passwords?

3. What is a safe way to answer security questions (i.e. when they ask for your pet’s name, or the school you went to, etc.) that hackers wouldn’t be able to guess?

You should always answer these questions truthfully, so you will know the correct answer if you need to reset a password or access an account. But don’t choose challenge questions that are based on publicly available information or that a hacker can answer with a few keystrokes, such as “mother’s maiden name.” Most challenge-response authentication tools on major web sites offer a selection of questions. First pet’s name, favorite food, childhood friend’s name – these are all great choices because they are things only you would know, but will never forget.

4. How can you protect credit cards from “e-pickpockets?”

Protecting your credit cards is REALLY important. There are two issues here: theft and identity theft.

First, designate a single credit card you will use only for online purchases. That way, it will be obvious if there are fraudulent charges when you review the monthly statement.

Second, to guard against identity theft, we need a tiny technical lesson here. Every web site has an address, or URL. We know them as cnn.com, accuweather.com, etc. The full URL in your web browser looks like http://www.google.com. Before you ever enter a credit card number (or any other sensitive information) on a website, look for the URL to start with https:// – the “s” is for secure transmission. https://www.amazon.com means that the information you submit will be encrypted in transit over the Internet and not vulnerable to interception along the way.

5. What’s an easy way to tell if an ATM has been compromised?

It can be difficult, but there are ways to tell if an ATM has been compromised. When you step up to the ATM, pull and jiggle the card reader to see if it moves more than it should. Some thieves will cover the official card reader with a fake replica to skim your card number without you knowing. You can also look for any suspicious objects on or near the ATM that might contain a spy camera to watch you enter your PIN. Lastly, avoid using ATMs outdoors or in dimly lit areas – they are much easier for a thief to hack. Your best bet is always an ATM located inside a bank branch.

6. Is there any way to keep your Facebook photos from being stolen to make a fake account?

This is called social engineering, and it’s hard to prevent outright. Anyone you have granted access to your Facebook or other social media accounts can technically copy any of your photos and other content. So, be smart about what you post on social media, especially if your account is public. If you are worried about a particular image being stolen or used inappropriately, you can also use Google’s “Reverse Image Search” to see if it has been posted anywhere else on the web. The tool is available at https://images.google.com – click the camera icon labeled “Search by Image” and paste or upload the image you’d like to search for.