Let's face it, we're all connected now. We take it for granted that we access our bank accounts from our laptops or phones. It's so convenient. It's so easy ...
... for someone else to take your money and/or steal your identity.
Online security is paramount and not enough people do it properly. No one imagines they'll be compromised and few consider the ramifications if someone gets access to their account, especially email. Email is often the "keys to the kingdom": it allows access to everything else by resetting the passwords of those other accounts to it.
Even if someone doesn't steal our money or identity, how would you feel about personal information being leaked for all the world to see? Look at the DNC hacks and what they did to the election - a perfect example of someone failing with basic email security that could so easily have been prevented.
So, I'm going to outline some of the risks we face and some tools you can use. It isn't difficult to have great online security and make the bad guys pass you by.
The biggest danger is, of course, using weak passwords. Sorry, but "password" really doesn't cut it anymore (if it ever did).
There are lists of thousands of commonly used passwords and if you are using one of them, you will be pwned.
You can test how strong your password is using https://howsecureismypassword.net/
So, I use a strong password. So I'm good ... right?
Well, unfortunately, YOU may have a strong password but someone else might not. Far too often, even big companies that have whole departments dedicated to "security" are sloppy and leave a window open. Yahoo just lost a billion accounts. A billion!!!
You can check if your email is included in any data breaches at https://haveibeenpwned.com/
What this means is that your super-strong password might be compromised because someone else got shoddy or lazy. You can't have security if you re-use the same passwords on multiple sites because if one of them handles it wrong (and trust me, IT security in companies is often pitiful) then all those sites are now open to someone and you wouldn't even know it.
Some people have several passwords - the cheap throwaway one for registering on things like forums, a more secure one for social media and the ultra-secure one for banking etc... Admit it, it's probably the same password with a '1' added at the end or some variation to satisfy the lame complexity requirements of the site.
What you really need is a separate password for every site, and a super strong one. I know, I know, you're never going to remember them all. But it's OK, you don't have to. You use a password manager that will generate them and store them for you and can then auto-sign-in when you need.
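To make the two points above concrete (a password on a common-password list is finished no matter how "complex" it looks, and a manager-generated one is not), here is an added example, not code from the original post or from any password manager. It checks a candidate against a tiny constructed stand-in for the common-password lists mentioned earlier, strips the usual "add a 1 or a ! at the end" tweak before checking, estimates how many bits of guessing a random password of that shape would need, and generates a fresh random password with Python's CSPRNG, which is all a password manager is doing for you. The list and the 60-bit acceptance threshold are assumptions for illustration.

```python
import math
import secrets
import string

# Constructed stand-in for a "commonly used passwords" list. Real lists run to
# thousands (or millions) of entries; this is a tiny sample, not a breach list.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome",
    "password1", "iloveyou", "admin", "monkey", "dragon",
}

# Characters a manager draws from when it generates a password for you.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def normalise(password: str) -> str:
    """Strip the trailing digit/symbol tweak so 'Welcome123!' still hits 'welcome'."""
    return password.lower().rstrip("0123456789!@#$%")


def is_common(password: str) -> bool:
    """True if the password, or its de-tweaked core, is on the common list."""
    lowered = password.lower()
    return lowered in COMMON_PASSWORDS or normalise(lowered) in COMMON_PASSWORDS


def estimate_entropy_bits(password: str) -> float:
    """Upper bound on guessing work: log2(pool size) per character, which only
    holds if every character was chosen at random (a dictionary word is far weaker)."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)  # 32 symbols
    return len(password) * math.log2(pool) if pool else 0.0


def generate_password(length: int = 20) -> str:
    """Use the secrets module (CSPRNG), never random.*, so the output is unguessable."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def assess(password: str) -> dict:
    """Summary a strength checker would show: on a list, rough bits, verdict.
    The 60-bit floor is an assumed threshold for this example."""
    bits = estimate_entropy_bits(password)
    common = is_common(password)
    return {
        "common": common,
        "entropy_bits": round(bits, 1),
        "acceptable": (not common) and bits >= 60,
    }


if __name__ == "__main__":
    for candidate in ("Password1", "Welcome123!", generate_password()):
        print(candidate, assess(candidate))
```

The entropy figure is deliberately an upper bound: "Password1" scores about 54 bits on paper but is rejected outright because it is on the list, which is the same reason a long phrase built from a few dictionary words is weaker than the character count suggests. A 20-character password from the 94-character pool comes out around 131 bits, far beyond anything a guessing attack can cover.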
I've found https://www.lastpass.com/ works great.
But uh oh, now you put all your accounts and password information in one bucket - what if someone accesses that? This is the thing that needs to have extra security, same goes for email (which is often the recovery mechanism for any other account).
What you need is "2 factor authentication". This means you need 2 things to sign in - something you know (your password) and something you "have" which can be a mobile phone or some other device.
At the very least, you should set up 2 factor authentication with your phone. This can be to send you a text message with a code or using an app. I've found https://www.authy.com/ works well and can be used both on a computer and on a mobile device.
Both methods generate one-time passcodes so even if someone was trying thousands of passwords per second, heck, even if they KNOW your actual password ... they cannot sign in without the one-time code - a code that is constantly changing every 30 seconds. What typically happens is people don't try lots of passwords with one account, they try one password with lots of emails - remember that list of commonly used passwords? If you use one, that's how they get in.
It can become a little tiring having to grab your phone every time you want to sign in to some service. Some, like Gmail, soften the blow a little by letting you "trust" a device for a certain period (like 30 days) and they also do a good job of notifying you of new sign-ins.
An easier method and one that is more secure is to use a security fob. This is a device that you plug into a USB port and press a button to "authorize" the sign-in. Take a look at https://www.yubico.com/ for some good ones. These go beyond the one-time passcode security by preventing man-in-the-middle attacks. So, if you click a link in an email that takes you to what looks like a Google sign-in page and you don't notice, you don't hand the person the code they need to sign in, because the fob has the security needed to prevent it (with a typed code, you put it in and someone in the middle can use that still-valid code to access your account).
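Why the fob beats a typed code comes down to one detail: the browser, not the web page, writes the site's origin into the data the key signs, and the real site checks that origin. Below is an added, simplified model of that flow (FIDO U2F / WebAuthn style), not code from the post or from Yubico: a per-site HMAC stands in for the key's per-site public-key signature so it runs with the standard library only, and the browser's own origin check is folded into the site's check. The names (SecurityKey, Browser, RelyingParty, example.com, the look-alike examp1e.com) are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets


class SecurityKey:
    """The fob. It derives one secret per site and only ever signs data the
    browser assembled. (Real keys use a per-site private key; HMAC stands in.)"""

    def __init__(self):
        self._device_secret = secrets.token_bytes(32)

    def key_for(self, rp_id: str) -> bytes:
        return hmac.new(self._device_secret, rp_id.encode(), hashlib.sha256).digest()

    def sign(self, rp_id: str, client_data: bytes) -> bytes:
        return hmac.new(self.key_for(rp_id), client_data, hashlib.sha256).digest()


class Browser:
    """The browser stamps the real origin into the client data itself.
    A look-alike page cannot change it, only relay the challenge."""

    @staticmethod
    def assertion(key: SecurityKey, rp_id: str, origin: str, challenge: str) -> dict:
        client_data = json.dumps({"challenge": challenge, "origin": origin},
                                 sort_keys=True).encode()
        return {"client_data": client_data, "signature": key.sign(rp_id, client_data)}


class RelyingParty:
    """The genuine site: it registered the key earlier and on each login checks
    the challenge it issued, the origin, and the signature, in that order."""

    def __init__(self, rp_id: str, expected_origin: str):
        self.rp_id, self.expected_origin = rp_id, expected_origin
        self.registered = {}   # user -> per-site key material from registration
        self.outstanding = {}  # user -> fresh challenge issued for this login

    def register(self, user: str, key: SecurityKey) -> None:
        self.registered[user] = key.key_for(self.rp_id)

    def begin_login(self, user: str) -> str:
        self.outstanding[user] = secrets.token_hex(16)
        return self.outstanding[user]

    def finish_login(self, user: str, assertion: dict) -> bool:
        data = json.loads(assertion["client_data"])
        if data.get("challenge") != self.outstanding.pop(user, None):
            return False  # unknown or already-used challenge (replay)
        if data.get("origin") != self.expected_origin:
            return False  # signed on a look-alike page: the whole point of the fob
        expected = hmac.new(self.registered[user], assertion["client_data"],
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion["signature"])


def legitimate_login(user: str = "alice") -> bool:
    """Normal flow: user is on the real site, origin matches, login succeeds."""
    key, site = SecurityKey(), RelyingParty("example.com", "https://example.com")
    site.register(user, key)
    challenge = site.begin_login(user)
    proof = Browser.assertion(key, "example.com", "https://example.com", challenge)
    return site.finish_login(user, proof)


def phished_login(user: str = "alice") -> bool:
    """Constructed scenario from the post: the user is on a look-alike page that
    relays the real site's challenge. The key still presses fine, but the browser
    stamped the look-alike origin, so the real site rejects the proof."""
    key, site = SecurityKey(), RelyingParty("example.com", "https://example.com")
    site.register(user, key)
    challenge = site.begin_login(user)
    proof = Browser.assertion(key, "example.com", "https://examp1e.com", challenge)
    return site.finish_login(user, proof)


def replayed_login(user: str = "alice") -> bool:
    """A proof captured earlier is useless: the challenge was consumed."""
    key, site = SecurityKey(), RelyingParty("example.com", "https://example.com")
    site.register(user, key)
    challenge = site.begin_login(user)
    proof = Browser.assertion(key, "example.com", "https://example.com", challenge)
    site.finish_login(user, proof)          # first use succeeds
    return site.finish_login(user, proof)   # second use fails
```

Contrast this with the TOTP code: a six-digit code carries no information about where it was typed, so a relay can forward it to the real site within its 30-second life. The signed client data above carries the origin, and that is the piece a man-in-the-middle cannot forge.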
Now, you can secure your email and password manager (plus other services) with 2 factor authentication and sleep soundly knowing that you have dramatically reduced the likelihood of anyone getting unauthorized access to any of your accounts.
It's going to cost you some time plus about $40 for a security key and $12 a year for a LastPass subscription - well worth investing in.
One final thing to remember - you can print off a sheet of backup codes for emergency access to your email account. Do this and store it someplace safe. You can also register multiple YubiKeys as a backup so Mr and Mrs can each have a key and act as the backup for the other so you don't get locked out of any account.
Just read through the instructions and take things slowly. It's not as hard as it looks to be secure and you won't become the next John Podesta.
Edited to add: something I absolutely HATE is when companies (often banks) have those stupid security questions that are inconvenient but add zero protection. You know the ones - what is your mother's maiden name, what city did you meet your spouse etc... They actually open your accounts up because many of them have a limited number of answers ... favourite sport, team or colour? Pretty easy to guess (esp. if you share things on social media).
So instead of giving real answers, always generate a strong stream of gibberish with the password manager and it will save the answer for you whenever you need it.