Security

How to shop online and stay secure

Don't be lazy when it comes to your privacy. Stay safe this holiday season with these helpful tips.

Now Playing: Watch this: Protect your credit card on Cyber Monday
1:07
winter-2016-cnet-magazine-cover.jpg

See more stories from CNET Magazine.

Mark Mann

It's that time of year again: Soon we'll begin scouring the internet to find the lowest prices for holiday gifts. As a savvy online shopper, you'll visit multiple websites to find the perfect deal, usually creating accounts with your credit card and other personal information. But when it's time for checkout, don't make the same mistakes I did. Protect yourself and your password.

Where I went wrong

My troubles began with a password that I created almost 10 years ago. It was based on my favorite college team and over the years evolved to include a mix of capital letters, numbers and symbols. I used this password in the early days of MySpace and then again on some message boards that I soon forgot about. Later, I added it to my LinkedIn, Domino's and Walmart accounts.

I thought, naively, that it was good enough. But ignorance and laziness ended up being my downfall. It was simply too easy to recycle the same password, or a variation of that same password, over and over again. It became second-nature.

And then my digital world came crashing down. I was one of several million users across multiple sites -- MySpace, LinkedIn and several enthusiast message boards -- whose accounts were compromised by a series of data breaches. (Hackers often cross-reference email addresses from multiple databases, and know they've hit paydirt when the same password is attached to the same email.)

A friend helped me search through the leaked database, which was posted on a Pastebin forum, to see if my information was public. A few clicks later, there it was in plain view: My personal email and password were sitting right there for all to see.

I panicked. What was I going to do? I frantically started changing passwords, but it was too late. I couldn't change them fast enough, and over the next few weeks, I had to dispute unauthorized purchases at Walmart, Staples and Domino's. (Yes, someone actually stole my free pizza rewards.) I spent hours on the phone with my bank and credit card companies to reverse these unauthorized charges.

It was stressful and draining even if I was lucky enough to get my money -- and my pizza rewards -- back. And, worst of all -- it was completely avoidable.

cnetpassword.jpg
Britt Spencer

Try a password manager

Since that painful lesson, I've used a password manager. It changed my life, and it will change yours.

These programs store all of your passwords in an encrypted vault that can only be opened by a master password you create and only you know. Since the software can't even see that master password, you should use a unique password that you'll be able to remember -- but avoid all of those dead simple ones (like birthdays or pet names) that anyone could get from looking at your Facebook page.

I personally ended up going with a service called LastPass. Why? It was the cheapest of the three services I tested; it had rave reviews from many security experts; and it was easy to use. LastPass also had all the features I was looking for like compatibility with Google Authenticator for extra security and a mobile app (iOS and Android) that works with my phone's fingerprint sensor. It also notifies me when my passwords are weak or used on multiple websites, and will auto-generate passwords and sync across all my devices.

LastPass previously charged a fee of $12 per year to sync passwords across multiple devices, such as a computer, tablet or phone. To entice newcomers, the service allowed you to access select features for free on either the web or on a mobile device, but syncing between the two required a premium membership. Not any more -- that service is now free. I always found paying what amounted to a dollar a month was a small price to pay for my online digital security. Now that it's free, there is no excuse not to be using the service.

An argument against LastPass and other online password managers is that you are essentially providing a third party with complete access to your passwords -- and creating a single point of failure, a master key for your online identity. What if the service were to get hacked and the information were to fall into the wrong hands?

In fact, LastPass was hacked in 2015 -- but the results were actually encouraging. The hackers were able to access email addresses, password reminders and some other information, but they never got access to password data (which is encrypted) nor did they access the master passwords, which LastPass doesn't store. (LastPass encouraged users to change their master password, though, just to be safe.)

While LastPass appealed to me, it's not the only password manager out there. Other popular services include 1Password and Dashlane. There is also KeePass, which is free and open-source, and stores password information on your own computer rather than online and in the cloud.

All are quite good, with different features and interfaces. I recommend researching all of them out to find the one that fits your needs. So, in other words, it's not that different from searching for those holiday shopping bargains -- but the payoff can be a lot more beneficial.

lastpass.jpg
Sarah Tew/CNET

Protect yourself online

Whether you use a password manager or not, these tips will help keep your online activity safe and secure.

Stop using the same password

I was lazy and used the same password over and over again. Don't be like me. Instead create a different password for each app, website and service that you use.

Make your passwords strong

Always use a combination of complex characters, symbols, capital letters and, if possible, spaces. Don't use publicly available information, such as a pet's name or a birthday, and make the password as unique as possible -- Facebook123, 123456, password! and dan15 aren't good passwords to use.

Always use two-step verification

Two-step verification makes it more difficult for hackers to access your accounts, even if they're able to obtain your password. Each time you sign into your account, you will be prompted to enter a time-sensitive security code that has been sent to your mobile phone. I already used two-step verification on my Google, Facebook and Twitter accounts -- and even my online banking. That's the only reason they remained safe and secure. When available, you should always have two-step verification enabled.

Check out as guest

Nearly every online retailer will ask you to create an account before checkout. If you can check out as a "guest," you should. Using a guest account will keep a lot of your personal data off the company's servers and safe in the event of a hack.

This may work for websites you don't visit very often, but it isn't practical for sites you purchase from frequently or those that don't allow guest accounts such as Amazon.

This story appears in the winter 2016 edition of CNET Magazine. For other magazine stories, click here.