The New Hampshire Community Loan Fund encourages all our staff, customers, and supporters to protect their information and identity online and to continuously educate themselves about information security. To get you started, we have compiled the following list of information security fundamentals:
Use strong, unique passwords
Passwords are a good starting point in practicing good information security habits. Here are tips for generating and using passwords for online sites:
- Length matters most, and complexity helps. Any search for “most breached passwords” will quickly show you a list of hundreds of common passwords that attackers try first. Passwords like “Iloveyou,” “password,” and “Password1” are all bad ideas. Pattern-based passwords like “12qwaszx,” “123456qwerty,” and “1qaz2wsx” are also very common (they are just walks across the keyboard) and are cracked in seconds by modern tools, which try every keyboard pattern and dictionary word, with and without added digits and symbols. We suggest using a highly rated password manager (see the password manager tip below), but if you want to generate and maintain your own, pick passwords that are at least 16 characters long and contain both upper- and lower-case letters. A passphrase made of several unrelated words is easier to remember than a jumble and just as long. If you can add or substitute a few special characters, your passwords will be even stronger.
- Do not use the same password for multiple accounts. This is a very common practice that we all need to eliminate. If just one of those accounts is compromised and your username and password end up in the hands of a criminal, they will automatically try those credentials against many other websites, email providers, and banks (this is called credential stuffing). When you use a different password for each account, only one account is exposed by any particular breach. If you used a password multiple times, every account with that password will end up compromised as the result of one attack.
- Do not store your passwords in a spreadsheet, text document, or other plain file on your computer. If your computer is ever compromised by a hacker, this type of document will be invaluable to them and cause a huge headache for you. (A password manager is different: its vault is encrypted, and nothing in it can be read without your master password.) Avoid writing your passwords on paper as well; anyone who finds your list will have access to everything you have written down. If you can, use a password manager (see next paragraph) or, if that is not an option for you, memorize your passwords.
- If you can, use a password manager such as 1Password, LastPass, or similar software to both generate and manage your passwords; security researchers widely recommend this. You then need to remember only one long and complex master password to unlock the manager, and every other password stored within it can be far longer and more random than you could ever memorize. Protect the manager itself well: choose a long master passphrase you use nowhere else, and turn on multi-factor authentication for the manager account if it offers it.
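To make the tips above concrete, here is an added example in Python (not the Loan Fund's own code or any password manager's) that flags the weak choices described: passwords that appear on a breached list, keyboard walks such as “12qwaszx” and “1qaz2wsx,” and passwords that are too short or use only one letter case. It also generates the kind of random password a password manager would store. The breached-password set and the keyboard layout are small constructed stand-ins; real checkers use lists of hundreds of millions of leaked passwords.

```python
"""Password hygiene checks: an added example, not the Loan Fund's own code.

Flags the weak choices described above (breached-list passwords, keyboard
walks such as "12qwaszx" and "1qaz2wsx", short or single-case passwords)
and generates the kind of random password a password manager stores.
"""
import math
import secrets
import string

# Constructed stand-in for a breached-password list; real ones hold millions.
COMMON_PASSWORDS = {"password", "password1", "iloveyou", "123456", "qwerty", "letmein"}

# Rows of a US keyboard. Consecutive characters that sit next to each other
# (left/right, up/down, or diagonally) form a "keyboard walk".
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEY_POS = {ch: (r, c) for r, row in enumerate(KEYBOARD_ROWS) for c, ch in enumerate(row)}


def _adjacent(a: str, b: str) -> bool:
    """True when a and b are different keys that touch on the keyboard."""
    if a not in KEY_POS or b not in KEY_POS or a == b:
        return False
    (ra, ca), (rb, cb) = KEY_POS[a], KEY_POS[b]
    return abs(ra - rb) <= 1 and abs(ca - cb) <= 1


def keyboard_walk_fraction(password: str) -> float:
    """Share of consecutive character pairs that are adjacent keys (0.0 to 1.0)."""
    s = password.lower()
    if len(s) < 2:
        return 0.0
    hits = sum(_adjacent(s[i], s[i + 1]) for i in range(len(s) - 1))
    return hits / (len(s) - 1)


def check_password(password: str) -> list[str]:
    """Return the problems found; an empty list means the password passes."""
    problems = []
    if len(password) < 16:
        problems.append("shorter than 16 characters")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        problems.append("needs both upper- and lower-case letters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the breached-password list")
    if keyboard_walk_fraction(password) >= 0.6:
        problems.append("looks like a keyboard pattern")
    return problems


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Strength of a *randomly generated* password: log2 of the number of possibilities."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 20) -> str:
    """Random password of the kind a password manager produces, from the OS secure RNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
    while True:  # retry the rare draw that lacks an upper- or lower-case letter
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):
            return candidate


if __name__ == "__main__":
    for pw in ["Password1", "12qwaszx", "1qaz2wsx", "correct horse battery Staple 77"]:
        print(f"{pw!r}: {check_password(pw) or 'OK'}")
    print("generated:", generate_password(), f"(about {entropy_bits(20, 94):.0f} bits)")
```

The walk detector scores the page's examples at 86 to 100 percent adjacent keys, while ordinary words score well below the 60 percent threshold. The entropy figure only applies to passwords chosen at random: a 20-character manager password drawn from 94 symbols has about 131 bits of possibilities, but “1qaz2wsx” has almost none, because a cracker tries keyboard walks before anything random.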
Use multi-factor authentication (MFA)
Multi-factor authentication (MFA) is one of the best ways to protect your data because it requires more than just a username and a password to allow access. There are several types and levels of MFA, but all of them rely on you having a second source of authentication when attempting to log into a website. This way, if your username and password are stolen, the thief won’t be able to use them to log into the website because they won’t have your second source of authentication (most commonly, a smartphone). Many sites allow MFA to be enabled and will instruct you on how to set it up for their particular site.
Typically, setting up MFA means either registering your mobile phone number in your account (the site then texts you a code) or, better, scanning a QR code with an authenticator app (like Microsoft Authenticator) so the app can generate rotating six-digit codes or receive approval prompts. Texted codes are the weakest option because a criminal who takes over your phone number can receive them; an authenticator app or a hardware security key is stronger. Once this is set up, when you enter your username and password into the website using your computer, you will then be prompted on your smartphone to enter a code or approve the sign-in. If your username and password are used by someone else, they will be stopped from logging in unless you authorize it through your smartphone app. In turn, you will know your password has been stolen if you receive a request to authorize a login when you are not trying to log in. Never approve a prompt you did not trigger, even if the prompts keep coming (attackers send repeated requests hoping you will tap “Approve” just to make them stop); deny it and change that password.
Avoid phishing scams (think before you click)
Phishing is still the most common way for a computer user to be hacked. Phishing is a type of social engineering attack wherein the attacker creates an email that looks like it came from a legitimate organization and tells the recipient they must do something quickly to stop something bad from happening. The email may look like it’s from your credit card company and say unusual activity has been detected on your account and you need to log in to verify, or something of that nature. Once you click the link in the email, the bad stuff starts happening! The link may immediately download a malicious piece of software, or it may take you to what appears to be a legitimate site where, when you enter your login credentials, you have really just handed them to an attacker who then uses them to access your account. Typically, phishing messages contain at least one of the following:
- Language urging you to take immediate action.
- Something to make you feel excited (“You’ve won $500! Click here to redeem”) or to otherwise distract you into clicking a link.
- An attachment for you to open. Be highly suspicious of all attachments you receive, even if they are from people you know, if you are not expecting something from the sender.
Below are some guidelines for avoiding falling victim to a phishing scam:
- WHEN IN DOUBT, VERIFY BY ANOTHER MEANS OF COMMUNICATION. If you have any reason to suspect an email is illegitimate, assume it is and attempt to contact the sender via another means. For example, if the message appears to be from your credit card company, call the phone number on the back of your card and ask a representative to confirm the email message is legitimate.
- Check where links really go by hovering over them (on a phone, press and hold) to see the destination address. The part that matters is the host name: the text between “https://” and the next “/”. If the alleged sender is Microsoft, that host should be microsoft.com or end in “.microsoft.com” (for example, login.microsoft.com). Look-alikes such as microsoft.com.verify-account.example, microsoft-support.example, or rnicrosoft.com (an “r” and an “n” imitating an “m”) are not Microsoft, and an address like https://microsoft.com@evil.example/ actually goes to evil.example. If the host is anything other than the sender’s real domain, or the link does not start with https://, the email is not legitimate.
- Never assume the person listed as the sender is the actual sender. The display name can be set to anything, and it takes less than five minutes to find tools online that will let someone spoof the sending address itself and to learn how to use them.
- Be aware phishing takes many forms and is not limited to email. It is common to see phishing links come through as a text on your phone with a link as well. Never click a link you receive on your smartphone without verifying the sender and the legitimacy of the link.
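The “hover and read the host name” check above can be automated. The following is an added example in Python (not the Loan Fund's code) that parses a link the way a browser does and reports why it does or does not belong to the claimed sender. The sample email links are constructed for the example, and the domains ending in .example are placeholders.

```python
"""Checking where a link really goes: an added example, not the Loan Fund's code.

When you hover over a link, the part that matters is the host name, the text
between "https://" and the next "/". Attackers hide the real host behind a
familiar-looking prefix, a "user@" trick, or a look-alike spelling.
"""
from urllib.parse import urlparse


def link_verdict(url: str, expected_domain: str) -> tuple[bool, str]:
    """Return (ok, reason) for a hovered link that claims to come from expected_domain."""
    parsed = urlparse(url.strip())
    host = parsed.hostname or ""  # lower-cased; any user@ part and port are already stripped
    expected = expected_domain.lower()
    if parsed.scheme != "https":
        return False, f"not https (scheme is {parsed.scheme or 'missing'})"
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        return False, f"internationalized host {host}; may use look-alike characters"
    if "@" in parsed.netloc:
        return False, f"user@host trick: the real host is {host}"
    if host == expected or host.endswith("." + expected):
        return True, f"host {host} is {expected} or one of its subdomains"
    return False, f"host is {host}, not {expected}"


def audit_links(links: list[tuple[str, str]], expected_domain: str) -> list[str]:
    """Report every link whose real destination does not belong to the claimed sender."""
    findings = []
    for shown_text, href in links:
        ok, reason = link_verdict(href, expected_domain)
        if not ok:
            findings.append(f"{shown_text!r} -> {href}: {reason}")
    return findings


# Constructed sample: the visible text of each link in an email and where it really goes.
SAMPLE_EMAIL_LINKS = [
    ("Sign in to Microsoft", "https://login.microsoft.com/"),
    ("Verify your account", "https://microsoft.com.account-verify.example/"),
    ("Update payment details", "https://microsoft.com@evil.example/"),
    ("View invoice", "http://rnicrosoft.com/invoice"),
    ("Read the notice", "https://evil.example/microsoft.com/notice"),
]

if __name__ == "__main__":
    for finding in audit_links(SAMPLE_EMAIL_LINKS, "microsoft.com"):
        print(finding)
```

Only the first sample link passes. Note that the check is deliberately strict about subdomains: “notmicrosoft.com” does not end in “.microsoft.com,” so it is rejected, and a “microsoft.com” that appears after the first “/” is just a folder name on someone else's server.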
Use anti-virus software
Everyone should use and maintain a reputable anti-virus software package on their computer. There are several reputable products, including Windows Defender (built into Windows), Sophos, Symantec, and McAfee. Installing, running, and keeping one of these packages updated helps ensure that malware you pick up through email or web browsing is quarantined from the rest of your computer and can be fully removed before it causes greater harm. Anti-virus is a safety net, not a substitute for the habits above; it will not stop you from typing your password into a fake login page.
Manage your digital footprint
If you don’t use an account anymore, delete it! Whether it’s an old eBay account you no longer use, a social media profile on a platform you no longer care about, a shopping site you don’t buy from any more, or a fitness app you stopped using, leaving unnecessary accounts open is a hazardous practice. Closing and deleting accounts you no longer use means that, if those services ever suffer a breach, your information (and any reused password) won’t be part of it.
Update your software
All software needs patching over time. Help keep your computer, mobile devices, and home router secure by turning on automatic updates wherever they are offered and by checking frequently for software or firmware updates where they are not. If updates are available, apply them. A large part of hacking involves taking advantage of unpatched systems using publicly known weaknesses, often within days of a fix being released. The more up-to-date you keep your equipment, the more difficult it is to hack.
Never send private information over public wifi
Never, ever, use free public wifi to transmit sensitive data. Do this only on secure, private networks you know, or use your phone’s cellular connection or personal hotspot instead. Avoid connecting to random free wifi points while out in public. When visiting a shop, restaurant, doctor’s office, or store, it’s best to ask a staff member whether the wifi offered there belongs to the organization. If you can’t verify who is broadcasting the wifi signal, you may well connect to an attacker when you think you are connecting to a coffee shop’s wifi. Whatever network you are on, make sure the site you are using shows https:// in the address bar, and never click past a certificate or “connection not private” warning.
Back up your data frequently
In the event of something happening to your computer, having good backups will ensure you are able to recover your data quickly and fully. Whether family photos or financial records, losing items because no backup was available can be gut-wrenching. Keep at least one copy somewhere that is not permanently connected to your computer (an external drive you unplug, or a cloud backup service), because ransomware and malware encrypt or delete any backup drive they can reach. Every so often, restore a file from the backup to confirm it actually works.
See our Website Privacy Statement.