Eight things you need to do right now to protect yourself online

Yahoo’s revelation that 1bn of its accounts were hacked should make us all sit up and take notice

1. Use unique passwords for all your accounts

What: Stop kidding yourself that you only re-use passwords on accounts that don't matter, or that you have an unbreakable password scheme that no one else can guess. Every single thing with a password needs to have a unique password, shared with nothing else.

Why: Services get hacked, with entire databases of passwords published in the open. People get "phished", tricked into entering their passwords into shady imitations of the sites they intended to visit. If this happens, you want to limit the damage, ensuring that only one site gets breached.

2. Use a password manager

What: Software like LastPass (free) or 1Password ($2.99/month or $49), which will store your passwords, generate secure random ones for you, and sync them across multiple devices.

Why: If you can memorise all your passwords, you can almost guarantee that they aren't varied enough to be secure. A password manager may feel like putting all your eggs in one basket, but it's a padded secure basket kept up-to-date by the best minds in the basket business, and what you're doing right now is more like juggling the eggs above your head while blindfolded.


How: Download the password manager, install it on your desktop (you can do mobile later), and start running it. You don't even have to change your passwords all at once: the manager will notice when you log in, and ask you whether you want to save the new password. That should be your cue to create a new one.

3. Use random passwords

What: Once you've got your password manager, use it to generate secure random passwords for you, rather than trying to invent your own.

Why: You aren't as random as you think, and "brute forcing" passwords – systematically trying every variation until you succeed – is getting quicker at the same rate computers are. If you have a handy method for creating passwords, like "take the first letter of every word in a line of poetry", then someone else has probably also realised the same thing, and written a programme to automatically guess those passwords. Try searching Google for "tbontbtitq" (or "to be or not to be, that is the question") if you don't believe this.

How: You've already got your password manager set up, yes? Even if you haven't, some browsers will do it for you. Apple's Safari, for instance, will happily generate random passwords when signing up for new accounts, then store them in iCloud Keychain.

4. Turn on two-step verification everywhere you can

What: Many services, including Facebook, Google, Twitter, Tumblr and more, let you enable two-step verification, also known as two-factor authentication. As well as a password, you need to prove you have access to a second trusted device, normally a phone, to log on. How you prove that varies: sometimes a text is sent, sometimes you use a special app, sometimes you just hit a notification on your phone.

Why: Two-step verification prevents a third-party from logging in to your accounts even if they have managed to steal your password. It's an added layer of security, which makes it very difficult indeed to hack in to protect accounts.

How: Every service has a different method for enabling the process, which hurts take-up, but handy resource Turn On 2FA will walk you through it for all the sites you use.

5. Update your software

What: Most software has an automatic update function. Use it.

Why: Most hacks are carried out by attacking software using weaknesses that were known, and fixed, long ago. It's like we've invented vaccines, but you're still catching smallpox. Particular focus should be paid to your operating system, web browser, and Adobe Flash.

How: Enable automatic updates.

6. Put a six-digit PIN on your phone and set it to wipe if it’s guessed wrongly too many times

What: Your phone has the ability to require a PIN before it is unlocked it. Use it.

Why: If your phone gets taken while it's unlocked, there's not much you can do. But if it's locked when it gets stolen, you can prevent the bad loss of hundreds of pounds of technology from turning into the loss of enough personal data to have your identity stolen too.

How: On an iPhone, open settings, hit Touch ID & Passcode, flick on Erase Data, and click Change Passcode to set it to a six-digit PIN. Almost every Android is different, but look for a "security" menu in the settings app, sometimes under "personal". Then, head to the "lock screen" menu to enable the auto-erase feature.

7. Enable full-disk encryption

What: Your computer's hard drive can be set to automatically encrypt when it's turned off.

Why: You think the risk of identity theft is bad when your phone is stolen, just think what happens when your computer is lifted.

How: On a Mac, enable FileVault; on Windows, turn on BitLocker.

8. Back-up to an external hard drive

What: Everything on your computer should be stored on a physically separate hard drive under your possession. Ideally, everything on your phone should be stored on your computer which should then be etc etc.

Why: If the worst happens, and you lose everything, you need to be able to restore. This could happen because of a ransomware attack, because someone decided to personally ruin your life, or just because of a literal lighting strike. Cloud storage will help, but cloud platforms go bust unexpectedly, are just as vulnerable to hacking, and have an annoying tendency to "mirror" your computer – meaning something deleted from your local storage can be deleted from the cloud at the same time.

How: Buy a cheap USB hard drive.

– (Guardian service)