Andrew writes, “It seems like every week there’s another scary news story about a big bank or a major company getting hacked. Is there any way to safely shop online, or should I just stay off the internet altogether?”

You’re right, Andrew, there have been a few pretty severe hacks of some large corporations recently. Unfortunately, we probably haven’t seen the last of them. But here’s the thing: staying off the internet probably won’t help you at all.

Image credit: Sean MacEntee / Flickr

Most of the businesses that have been hacked lately were retail stores, and the people affected were those who had shopped in the stores’ brick and mortar locations, not online. Hackers found their way into the companies’ servers, and were able to skim credit card numbers as they were scanned into the database.

Banks similarly store your information in databases that are connected to the internet. While they take security precautions, those defenses are sometimes compromised by hacking groups that have become more organized and sophisticated.

You see, Andrew, you don’t even have to be online for businesses or banks to store your information online.

All of this can understandably seem pretty scary. Luckily there are systems in place to protect you if your information is stolen. The Federal Deposit Insurance Corporation, or FDIC, says that customers can only be held responsible for a maximum of $50 for a fraudulent transaction, provided they report it to their bank or credit card company quickly. In fact, most credit card companies will rarely hold someone responsible for any fraudulent charges on their card, as long as they report those charges in a timely manner.

The trick is to keep an eye on your bank account and credit card statements. Be on the lookout for transactions you don’t remember making. Remember, the sooner your report a fraudulent transaction, the more likely you are to get all of your money back.

It really is okay to shop online, just as long as you use some common sense. For example, only give your credit card information to reputable online retailers. And make sure you use good, unique passwords. Like we’ve said before, long passwords of 15 characters or more are best. You should also avoid using easily guessable names or words for passwords. Have different passwords for different websites, especially the important ones like your bank, your favorite online store and your primary email account. We also recommend using a password manager like LastPass or DashLane.

Stay safe, and happy shopping!

Photo Credit: “Credit Cards” by Sean MacEntee is used under CC BY 2.0.

The big news in tech right now is a dangerous bug in the internet known as ‘Heartbleed’ which could be putting your personal information at risk. Here’s what you need to know about it and what you can do.

What is Heartbleed?

Heartbleed is a “vulnerability,” or a hole in the elaborate security systems in place around the web. Imagine if there was one company that made over half the locks on doors in the world. Now imagine that someone discovered that all those locks could be picked easily and without anyone noticing. That frightening situation is basically what has happened on the internet.

To put it simply, Heartbleed is basically a programming error that makes many secure websites less secure. When you visit a page that asks for private information, such as a password or a credit card number, that page almost always has a lock icon beside its web address. This means that the page uses SSL, the technology that secures web pages with sensitive information. A popular and widespread version of SSL is OpenSSL, which is used by almost 60 percent of all websites. OpenSSL is where this bug was found.

On some versions of this system a small but critical error made it possible for a hacker to “snoop” the encrypted data being passed back and forth without being detected. Experts estimate that this problem has existed for the past two years.

While some internet security threats are overblown, this one is real. World-renowned internet security expert and author Bruce Schneier recently stated that “on a scale of 1 to 10, this is an 11.”

What Can I Do About It?

The bad news is that there is not a lot that ordinary users can do about this. It is up to the companies that run the compromised websites to fix it. Patches are available, and IT administrators world-wide should be scrambling to implement them.

For the moment, the best thing you can do is to avoid compromised websites that have not yet been fixed. How do you know if a site is compromised? You can check it by entering the address of the site at this page: http://filippo.io/Heartbleed/

Major websites that are known to be SAFE and were UNAFFECTED include:

• Twitter
• Amazon
• Microsoft (and sub-sites)
• AOL
• Paypal
• Most banking websites

Major websites that are SAFE but had been PREVIOUSLY AFFECTED include:

• Google
• Gmail
• YouTube
• Facebook
• Yahoo!
• Instragram
• Pinterest
• OKCupid
• GoDaddy

Mashable has a long list of sites that were affected with up-to-date information about their security status.

Should I Change My Passwords?

Yes, as long as the website you are changing your password on has been fixed. If you change your password on a site that is still vulnerable, hackers can simply grab your new password! At this point, however, it should be safe to change your password virtually everywhere.

Your best bet to protect yourself is to use separate passwords for every website.

We have long preached the virtues of password managers. These are programs that can generate truly random passwords and remember which password goes with which website for you. It used to be just a good idea to use a password manager, but now you need to seriously consider using one.

The password managers we recommend are LastPass, DashLane and KeePass. LastPass and DashLane store your passwords in a very secure cloud so you can access them from all your computers and mobile devices. KeePass stores them on your hard drive. Use whichever feels more comfortable to you, but please use one!

If you are dead set against password managers, you should still try to use different passwords for different sites. Your Amazon password should be different from your email password, which should be different from your bank password. To help you remember these passwords, consider writing them down and storing them somewhere safe at home – like, maybe in a safe!

What Else Can I Do?

Become better educated about internet security! With so much of our lives now stored online, this is a topic that affects virtually everyone. Knowing good password practices, like how to make a hard-to-guess password and that you should have separate passwords for separate websites, is critical.

Check websites that you regularly visit for the Heartbleed vulnerability using the link above. If you find that one has problems, you could try emailing their IT administrators to inform them and find out what steps are being taken. In the meantime, stay off of that website. Once the hole is plugged, log in and change your password.

Keep an eye on bank statements and credit card information for unusual activity. Heartbleed was discovered by security researchers. We have no proof that hackers have been using it, but the possibility exists. That means you need to take precautions to protect yourself in the digital world.

If you have more questions, call us a 1-888-972-9868 or email us at questions@deemable.com.

Image credit: Stephen Jones / WJCT

In this first of four hour-long public radio specials for 2014, Ray and Tom hear from listeners experiencing problems with their Kindles, wondering how they can have safe and secure passwords, looking for advice on what kind of tablet they should purchase and more.

Links mentioned in the show:

• Laptop Magazine – Laptop Buying Guide
• Snopes.com – Facebook Blocking Religious Posts
• Avast! Anti-Virus
• PC Decrapifier
• Revo Uninstaller
• AdwCleaner
• Microsoft – End of Windows XP Support Guide
• Glympse
• MileBug
• CheckIt Speedometer
• Duolingo

Passwords are getting easier to crack even as we more create more complicated passwords. Hashcat, one of the leading password cracking software programs was just upgraded to allow it to break passwords of up to 55 characters in length. In addition to using a program like LastPass or Dashlane to store individual passwords for every website you log into, you should use two-factor authentication for every site that offers it. For more on two-factor authentication, here’s David Strom’s article from Dice News in Tech.

Protecting Logins with a Second Authentication Factor (via Dice News in Tech)

Two-factor authentication is catching on for a variety of consumer Web services. For those of you not in the know, this isn’t all that new. Years ago, various computer vendors set out to improve things with hardware-based two-factor authentication: Something uniquely in your possession that would generate a one-time code to work with a security appliance and better secure your logins. RSA made millions in this market, and over the years these tokens have been used by millions of users.
…

Q: I’ve heard that you’re supposed to have a good password to keep hackers from breaking into your account, but how do I know what a secure password is? I know I shouldn’t use something dumb like “123abc” but I don’t think I can remember a bunch of random letters and numbers. What would you recommend?

A: First of all, there are different guidelines for home users and work users. Here are some password security basics for home users:

• Never share a computer account.
• Never use the same password for more than one account.
• Never tell a password to anyone, including people who claim to be from customer service or security.
• Never email your password to anyone.
• Be sure to log off or lock your screen before leaving a computer unattended.
• Change your password whenever you think that it may have been compromised.
• Don’t use guessable passwords: this includes your spouse’s name, your kid’s name, your pet’s name, and of course your name.

A perfect password would be made up entirely of random letters numbers and special characters, be as long as possible, and not be used anywhere else. Unfortunately, this is not humanly possible. Unless you use something like LastPass. LastPass is a password management app that suggests complicated, secure passwords for any website or application, and it remembers all of them for you.

Here is another easy way to create strong, secure passwords: instead of using random letters and numbers, use a long string of separate words. For instance, something like “OrangeShrimpOrphanSingers”.

You can separate each word with a number to make the password alphanumeric. Try not to make the words related to each other because that will make them easier to guess. But you will likely find four words easier to remember than eight or 10 random characters, and because the password is longer, it is actually tougher to crack.

Oh, and you know how you’ve always been told not to write down passwords? Nah, go ahead, write them down on a piece of paper and lock them in your file cabinet. Look at it this way: if someone is in your house reading that piece of paper, you’ve got bigger problems. In addition to stealing your passwords, they’re probably also stealing your checkbook, your TV and the lunch meat out of your fridge.

Now, for business users, each corporation has their own policies. So, even if the policy is not optimal you have to follow it. If your company allows it, consider using LastPass.

Unlike what we said about home users, work users should never write down their passwords. There are too many people walking by your office or cubicle, and that means a lot of opportunities for casual password grabbing.

Also, never use a password for a business account that you also use for your personal accounts, because if your private information is compromised, then your corporate information will be also.