The New Hampshire Community Loan Fund encourages all our staff, customers, and supporters to protect their information and identity online.
To get you started, we have compiled the following list of information security fundamentals:
Passwords are a good starting point in practicing good information security habits. Here are tips for generating and using passwords online:
- Length and complexity are both important. Any search for “most breached passwords” will quickly show you a list of hundreds of common passwords that are easily crackable by bad actors. Passwords like “Iloveyou,” “password,” and “Password1” are all bad ideas. Pattern-based passwords like “12qwaszx,” “123456qwerty,” and “1qaz2wsx” are also very common and very easily cracked by modern tools.
We suggest using a highly-rated password manager (see #4 below), but if you want to generate and maintain your own, pick passwords that are at least 16 characters long and contain both upper- and lower-case letters. If you can add or substitute a few special characters, your passwords will be even stronger.
- Don't use the same password for multiple accounts. This is a highly common practice and one we all need to eliminate. If just one of those accounts is compromised and your username and password end up in the hands of a criminal, they will attempt to log into many, many websites, databases, email accounts, etc. using those credentials.
When you use different passwords for each account, only one account is subject to breach from any particular attack. On the other hand, if you used a password multiple times, every account you have with that password will end up compromised as the result of one attack.
- Don't store your passwords in a spreadsheet, text document, or other file on your computer. If your computer is ever compromised by a hacker, this type of document will be invaluable to them and cause a huge headache for you.
Also, avoid writing your passwords on paper—anyone who finds your list will have access to anything you have written down. If you can, use a password manager (see next paragraph) or, if that is not an option for you, memorize your passwords.
- Security researchers highly recommend that you use a password manager such as 1Password, LastPass, or other similar software to both generate and manage your passwords.
This will require you to remember only one long and complex password to enter into the manager, which will store passwords far more complex and lengthy than you would be able to remember.
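To make the password tips above concrete, here is an added example (not part of the Community Loan Fund's original list) that screens a candidate password against them: the passwords named above, the 16-character and mixed-case suggestions, and keyboard patterns. The keyboard layout table and the 0.75 threshold are assumptions chosen for this illustration.

```python
# Unshifted QWERTY rows; layout table constructed for this example.
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
POS = {ch: (r, c) for r, row in enumerate(ROWS) for c, ch in enumerate(row)}

# The passwords this page names as bad ideas, lower-cased.
NAMED_BAD = {"iloveyou", "password", "password1",
             "12qwaszx", "123456qwerty", "1qaz2wsx"}

def adjacent(a, b):
    """True if two characters sit on neighbouring keys (or the same key)."""
    if a not in POS or b not in POS:
        return False
    (r1, c1), (r2, c2) = POS[a], POS[b]
    return abs(r1 - r2) <= 1 and abs(c1 - c2) <= 1

def walk_ratio(pw):
    """Fraction of consecutive character pairs that are keyboard neighbours."""
    s = pw.lower()
    if len(s) < 2:
        return 0.0
    return sum(adjacent(a, b) for a, b in zip(s, s[1:])) / (len(s) - 1)

def review(pw):
    """Problems found in pw; an empty list only means none of these checks fired."""
    problems = []
    if pw.lower() in NAMED_BAD:
        problems.append("commonly breached")
    if walk_ratio(pw) >= 0.75:  # threshold is an assumption for this example
        problems.append("keyboard pattern")
    if len(pw) < 16:
        problems.append("shorter than 16 characters")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        problems.append("needs both upper- and lower-case letters")
    return problems

if __name__ == "__main__":
    # Constructed sample passwords; do not reuse any of them.
    for sample in ["1qaz2wsx", "3edc4rfv5tgb6yhn", "Harbor7Velvet!Quince"]:
        print(sample, "->", review(sample) or "no problems found")
```

The second sample is 16 characters long and appears on no list above, yet it is still flagged, because it is typed by running down neighbouring keys.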
Multi-factor authentication (MFA) is one of the best ways to protect your data because it requires more than just a username and a password to allow access. There are several types and levels of MFA, but all of them rely on you having a second source of authentication when attempting to log into a website.
This way, a thief won't be able to use your username and password to log into the website because they won’t have your second source of authentication (most commonly, a smartphone). Many sites allow the enabling of MFA and will instruct you on how to set it up.
Typically, setting up MFA means registering your mobile phone number in your account on the website in question, then using an app (like Microsoft Authenticator) to complete the MFA process. Once this is set up, when you enter your username and password into the website you'll be prompted by your smartphone to authorize access to the site on the computer.
If your username and password are used by someone else, they will be stopped from logging in unless you authorize it through your smartphone app. In turn, you will know your password has been stolen because you will receive a request to authorize logging into the site when you are not trying to log in.
Avoid phishing scams (think before you click)
Phishing is still the most successful and most common way of hacking a computer user. It happens when an attacker creates an email that looks like it came from a legitimate website and tells the recipient they must do something quickly to stop something bad from happening.
The email may look like it’s from your credit card company and say unusual activity has been detected on your account and you need to log in to verify, or something of that nature. Once you click the link in the email, the bad stuff starts happening!
That link might immediately download a malicious piece of software. Or it might take you to what appears to be a legitimate site, but when you enter your login credentials, you have submitted them to an attacker who then uses them to access your account.
Typically, phishing messages contain at least one of the following:
- Language urging you to take immediate action.
- Something to make you feel excited (“You’ve won $500! Click here to redeem”) or to otherwise distract you into clicking a link.
- An attachment for you to open. Be highly suspicious of all attachments you receive, even if they are from people you know, if you are not expecting something from the sender.
Below are some guidelines for avoiding falling victim to a phishing scam:
- WHEN IN DOUBT, VERIFY BY ANOTHER MEANS OF COMMUNICATION. If you have any reason to suspect an email is illegitimate, assume it is and attempt to contact the sender via another means. For example, if the message appears to be from your credit card company, call the phone number on the back of your card and ask a representative to confirm the email message is legitimate.
- Check the validity of links by hovering over them to see the URL. For example, if the alleged sender is Microsoft, any links in that email should begin with https://microsoft.com/. If you see anything else at the start of that URL, the email is not legitimate.
- Never assume the person listed as the sender is the actual sender. It takes less than five minutes to find tools online that will allow you to spoof an email address and to learn how to use those tools.
- Be aware phishing takes many forms and is not limited to email. It is also common for phishing links to arrive as text messages on your phone. Never click a link you receive on your smartphone without verifying the sender and the legitimacy of the link.
Everyone should use and maintain a reputable anti-virus software package on their computer. There are several reputable vendors, including Windows Defender, Sophos, Symantec Antivirus, and McAfee Antivirus.
Installing, running, and updating one of these software packages helps ensure any viruses you pick up through email or web browsing will be quarantined from the rest of your computer and can be fully removed before causing greater harm to your computer.
Manage your digital footprint
If you don’t use an account anymore, delete it! Whether it’s an old eBay account you no longer use, a social media profile on a platform you no longer care about, a shopping site you don’t buy from anymore, or a fitness app you stopped using, having unnecessary open accounts out there is a hazardous practice. Closing and deleting any accounts you no longer use ensures that, if those accounts ever have a security breach, your information won’t be at risk.
Update your software
All software needs patching over time. Help keep your computer, mobile devices, and home router secure by checking frequently to see if software or firmware updates are available. If they are, apply them.
Much hacking involves taking advantage of unpatched systems using known weaknesses. The more up-to-date you keep your equipment, the more difficult it is to hack.
Never send private information over public wifi
Never, ever use free public wifi to transmit sensitive data. Do this only on secure, private networks you know. And avoid connecting to random free wifi points while out in public. When visiting a shop, restaurant, doctor’s office, or store, it’s best to ask a staff member if the wifi offered there belongs to the organization. If you can’t verify the broadcaster of the wifi signal, you may well connect to an attacker when you think you are connecting to a coffee shop’s wifi.
Back up your data frequently
In the event of something happening to your computer, having good backups will ensure you are able to recover your data quickly and fully. Whether family photos or financial records, losing items because no backup was available can be gut-wrenching.