Threat: Criminals could break into one of your online accounts.
How the threat plays out: Hackers often use leaked lists of stolen or breached passwords to try to crack email, financial, or social media accounts. They will try every password on the list to see if any of them work.
Defense: Make a unique password for each of your important accounts, such as your financial accounts and email. And make it hard to crack. A good way to do that is to make it long—but even then, a movie title or a well-known song lyric is probably not unusual enough. I generate long, unique passwords for most websites using 1Password, and for passwords that I want to be able to remember (like email) I use the Diceware method to generate unique passwords composed of six random words.
Threat: A criminal could “phish” you to steal your username and password to an important email or bank account.
How the threat plays out: Phishing occurs when a criminal sends you an email with a link that looks like the login page for your email or bank account but is actually a website operated by the criminal to collect your username and password.
Defense: Use two-factor authentication—which essentially creates an additional one-time password to gain access to your accounts—for your most important accounts (financial accounts and email). There are several ways to set up two-factor authentication. The easiest but least secure way is to set up a system where the website texts you a login code each time you access the account. More secure is to use an authenticator app on your phone that generates a code you can use to log in. The gold standard—but a more inconvenient method—is to invest in a physical security key that you use to confirm your login.
— Alfred Ng, reporter
Someone could “dox
How the threat plays out: “Doxing” is the malicious practice of releasing your personal information—such as home address, social security number, or phone number—online in the hopes that someone will use that information to threaten you in real life. Journalists and politicians regularly face this type of attack, but other people can also be targeted for harassment or revenge.
Defense 1: Unlike many countries, the U.S. does not have a comprehensive federal privacy law that requires data brokers to remove your personal information from their sites. However, many sites do let you submit requests to remove your data, even though it’s not always easy to find the link. ProPublica released a helpful guide with links to the removal request pages for the biggest firms. Privacy experts also recommend that you “dox yourself” to find leaks in your data privacy. Here’s an excellent how-to from The New York Times information security team.
Defense 2: To keep your home address protected, you can also get a post office box and use it everywhere you can instead of the address where you live. This is most effective if you choose a UPS box or another private-vendor box that uses a street address with a unit number for delivery, so it appears to be a real home address. However, this works best for renters. Property ownership records are often public and not removable.
Defense 3: Vary your username. If you use a password manager, it can generate non-identifiable usernames for social media, dating sites, or OnlyFans. This makes it harder for someone to Google your username to find embarrassing details about you.
—Adrianne Jeffries and Jon Keegan, investigative data reporters