By Kristen Mitchell
October is National Cybersecurity Awareness Month, making now a good time to evaluate your personal digital security practices and determine where you can make improvements.
GW Today spoke with Adam Aviv, associate professor of computer science in the School of Engineering and Applied Science, about how individuals can best protect their online identities. An expert in computer- and cyber-security and privacy, last year Dr. Aviv received a National Science Foundation CAREER award to study how users authenticate on their mobile devices.
This month GW Information Technology is also promoting virtual events to discuss topics like securing your devices at home, and how to spot and avoid phishing attacks and scams.
Check out what Dr. Aviv said you can do to strengthen your digital privacy:
Q: What are the three easy personal actions everyone can take to safeguard their digital security?
A: If I had to name three straightforward things, the first one would be to enable two-factor authentication on as many accounts as possible. The easiest option is using your phone number to get a text. Just increasing that barrier a little bit to prevent someone from accessing your account will be a huge benefit. The second really easy thing to do is start to use a password manager. In particular, use a password manager where you automatically generate passwords using some sort of randomization tool so that your passwords are long, random and very hard to guess.
Third, you could make sure you have device encryption turned on. A lot of modern computers today and even your phone have a very simple check button that reads ‘I want to encrypt my device.’ That will really help you in case your device is lost or stolen.
Q: What does it mean to generate a strong password?
A: It should be something that you didn’t come up with yourself. The best password is probably 16 random characters—numbers, symbols, letters—generated by a password manager. If you have to know your own password, for example, it’s something you have to enter regularly because it’s your system password, then you should try and use longer phrases that you can remember and include special symbols and numbers in order to make it slightly more complex.
Q: What's a common mistake or misconception people have about password security?
A: Your personal strategy for coming up with passwords, no matter how crafty or creative you think it is, is probably not that secure when up against an automated password cracking tool. You could maybe protect your information from a person in a cafe trying to gain access to your accounts, but you won’t trick a machine. Passwords are just simply hard for you to reason about and remember. Frankly, if you’ve come up with a strategy, it’s probably part of the automated tool already, and it will be guessed. The way you make your password secure is, very simply, just to make it really long and add extra complexity.
If you want to be more advanced in trying to protect your accounts online, you can go to a site like haveibeenpwned.com and actually look at where your email address has shown up in breaches. From there you can mitigate that risk by either changing your password for those sites, deleting those accounts or changing any passwords you have reused somewhere else—which you should not do anyway.
Other than when there is an event, there isn’t a good reason to change your passwords all the time. That’s another common misconception. You've already spent a lot of energy developing these passwords and learning them, especially the ones you have to type often. Unless there is an incident, don’t put yourself through the pain of having to come up with something else because you’re more likely to just make it easier over time. When you do that, you lose the security you’ve gained.
Q: A lot of us are spending more time at home because of COVID-19. How can people best protect their digital privacy at home?
A: A really easy thing for being at home, especially for students, is if you want to access stuff on campus, get familiar with the campus Virtual Private Network (VPN). You have to download the VPN software, but this will make it easier to access articles for class and other materials, just as if you are on campus.
There are a lot of free VPNs out there and people often think using these improves your privacy. It’s not clear that a VPN is super helpful because these companies can track information about you because you are going through their gateways, and they know the exit points. So you may not need a VPN at home to protect your privacy generally, but you should use the VPN to access campus information, and you’ll get at least the secondary effect of encryption.
A lot of people know this already, but you should also be using an encrypted WiFi network at your home. If you have an Alexa or a voice assistant at home, you can also review all the recordings that they have made about you and delete them if you’re interested in that. You can also change how long they store that information.
Q: What kind of research are you working on now with smartphone passwords?
A: We have a lot of really exciting work going on from the mobile space. We’ve been looking at how people chose PINs and are trying to suggest ways to improve PIN selection. People use lots of PINs for a lot of different kinds of access the same way they use passwords—and their choice of those PINs is not necessarily that complex. We’ve also started doing work on how people interact with data collection and other adverse events. We’re very interested in how people understand and react to data breaches.
We’re also interested in how people manage their daily digital lives. For example, if you have to send information online for a reimbursement, and you have to fill out a form that requires your social security number, and you are interacting with this person you’ve never interacted with before, how do you navigate that situation? Recently we are also looking at how older users, in particular users over the age of 60, interact with password managers. We’re interested in where the digital divides are around age and the adoption of security tools.