At some point in the past, I began making new year’s resolutions for doing a bit of personal privacy and security maintenance on New Year’s Day or thereabouts. I would usually have a bit of downtime to finally get around to doing the things I’d been putting off all year. It’s become a fun habit that I wanted to share.
One of my first endeavors was to change all of my passwords on New Year’s Day. It’s great to change passwords more often, though, and this is made easier with the use of a password manager. A password manager removes the need to remember an ever-growing list of constantly changing passwords. This allows you to use completely random passwords for everything, ensuring that the breach of one website won’t affect your account’s security on others. You should never re-use passwords between different websites or systems.
If you use key based authentication for SSH or cloud API access, this is a good time to rotate those credentials, also. Keys and passwords used in automation can stay in use much longer than is safe and should be hunted down and rotated.
Enable Multi-Factor Authentication
In later years, I started seeing the option to enable multi factor authentication, but again, I’d put it off until later. So, after you’ve changed your passwords and started using a password manager, your next step is to enable multi-factor authentication.
Multi-factor or two-factor authentication (MFA or 2FA) is authentication based on at least two factors, something you know, such as your password, and something you have, such as your phone, email, or an authenticator device. You’ve probably already seen this used in various places without even knowing about it. This is a crucial safeguard to help keep your accounts secure in the event of a data breach.
With multi-factor authentication, upon logging into a website with your password, another step will be required to complete the login process. This may be a code the website sends to your email, sends to your phone via text message, or that comes from specific applications designed for the purpose. You should generally avoid using SMS for multi factor authentication and stick to email or use of a multi-factor token application such as Google Authenticator, LastPass, or Authy.
Each website or service will have a slightly different scheme for signing up for multi-factor authentication, but this is a good time to enable the extra security. Start with your most important accounts and work backwards. You should absolutely use multi-factor authentication on your primary identity accounts, such as email and other single-sign-on providers, and on the accounts of your financial institutions.
If you’re looking for help adding multi-factor authentication to your social media sites, read this handy guide by Tyler Reguly: https://www.tripwire.com/state-of-security/security-data-protection/value-two-factor-authentication/
Review Security and Privacy Related Settings
It’s also a good idea to check that your operating system, software, and devices are fully updated with the latest security patches. Ensure that all possible auto-update mechanisms have been enabled so that you are always up to date.
Along with this, you can review privacy settings for your common software and websites, paying particular attention to social networks. Ensure that you aren’t oversharing when you post.
Free Annual Credit Report
It’s possible that a security breach of a website can lead to identity theft and credit fraud. U.S. federal law authorizes free annual credit reports via AnnualCreditReport.com, and many other countries have similar mandates.
Reviewing your free credit reports as part of your new year’s routine will notify you if anything suspicious or unexpected shows up.
There you have it. Along with eating traditional good luck foods, this is my security and privacy to-do list for New Year’s Day.