
How to Be Smarter About Security than the CIA Director

CIA Director John O. Brennan in his official portrait. Credit: Central Intelligence Agency


If you watched the TV news this morning, it looks like even the director of the CIA has a thing or two to learn when it comes to cybersecurity. An American teenager allegedly accessed Director John O. Brennan's AOL account without permission, then proceeded to share a number of sensitive documents. The fallout has been confusing, to say the least.

If this can happen to John Brennan, there's a good chance it can happen to you, although everyday users should be reminded that they make much less tempting targets than prominent public officials. Still, there are a number of steps you can take to make your account a little bit more secure than his.

Follow this simple primer, and you can proudly (and correctly) claim that your personal information is better-defended than that of one of the world's most powerful men.

Don't Use AOL

Just about everyone who was online during the '90s had an AOL address (and approximately 10,000 of those free CDs), but that doesn't mean you should still be using it. This isn't simply hating on AOL because it's a relic of the age of the Backstreet Boys and James Cameron's Titanic, but rather because it doesn't offer two-factor authentication.


Two-factor authentication is the best line of defense against email account hijacking, and it's a damned effective one. Whenever you want to log into your e-mail account, your service provider will text a numerical code to your phone, or send a code to a secondary e-mail address. (The first option is generally more secure; it's easier to guess a password than to physically steal a phone.)

Without that code, a username and password by themselves are insufficient to get into an email account. This measure might have saved Brennan a massive headache, provided that the AOL customer-service technician whom Brennan's assailant claims to have conned had used it to send a code to Brennan's cellphone.
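To make concrete why a username and password alone are not enough once a second factor is in place, here is a small server-side sketch of the texted-code step described above. It is an added illustration written for this article, not AOL's or any provider's code. The user store, the `SecondFactorGate` class and the constant names are all assumptions; delivery of the code by text message is left out, since the point is what the server checks.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6          # assumed: a six-digit code, as most providers text
CODE_TTL_SECONDS = 300   # assumed: the code stops working after five minutes
MAX_ATTEMPTS = 5         # assumed: a code is thrown away after five guesses

# Constructed demo user store: user -> (salt, PBKDF2 digest of the password)
USERS = {}


def register(user, password):
    """Store a salted password hash; never the password itself."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    USERS[user] = (salt, digest)


def password_ok(user, password):
    """First factor: does the supplied password match the stored hash?"""
    record = USERS.get(user)
    if record is None:
        return False
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(digest, candidate)


class SecondFactorGate:
    """Issues one-time numeric codes and verifies them exactly once."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested
        self._pending = {}           # user -> [code, expires_at, attempts]

    def issue(self, user):
        """Make a fresh random code. The caller texts it to the phone on file."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user] = [code, self._clock() + CODE_TTL_SECONDS, 0]
        return code

    def verify(self, user, submitted):
        """Second factor: right code, not expired, not reused, not brute-forced."""
        pending = self._pending.get(user)
        if pending is None:
            return False
        code, expires_at, attempts = pending
        if self._clock() > expires_at:
            del self._pending[user]
            return False
        pending[2] = attempts + 1
        if pending[2] > MAX_ATTEMPTS:
            del self._pending[user]  # too many guesses: force a new code
            return False
        if hmac.compare_digest(code, submitted):
            del self._pending[user]  # single use: the same code never works twice
            return True
        return False


def login(gate, user, password, code):
    """Both factors must pass; a correct password with no valid code is refused."""
    if not password_ok(user, password):
        return "denied"
    if not gate.verify(user, code):
        return "denied"
    return "ok"
```

The three checks in `verify` (expiry, single use, an attempt limit) are what stop a guessed or stolen code from being tried at leisure; `hmac.compare_digest` avoids leaking how many digits matched through timing.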

Choose a Service with Two-Factor Authentication

Now that you know what two-factor authentication is and why it's useful, it's time to get an email address that allows you to use it. There are many free services that use two-factor authentication, including Gmail, Yahoo and Outlook. Corporate and university addresses may also offer it, so check with your provider. For a more comprehensive list, check out the Two Factor Auth (2FA) website, then follow a link to an email provider that looks good and follow the instructions.

Create a Strong Password

While a strong password by itself wouldn't have saved Brennan (the attacker got ahold of the account through a bit of clever trickery on the phone), it's always a smart precaution. If you're going to use "password" or "12345," you may as well just hand your inbox over to attackers right now, because they're not going to dissuade anyone.

A long password that combines lower-case letters, capital letters, numbers and punctuation symbols is usually the most secure, and you probably shouldn't use the name of your favorite family member or pet. You can even use a site like Strong Password Generator to create a random one for you, which is probably the safest method of all. Whatever you do, make sure you don't use the password for other accounts; if you do, one data breach is all it will take to put your data at risk.
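As an added example for this section, not something from the article or from any password-generator site, the script below does what the paragraph recommends: it draws a random password from all four character classes using the operating system's secure random source, gives a rough size-of-search-space estimate in bits, and refuses passwords that are common, short, or already used on another account. The common-password set and the thresholds are constructed assumptions, and the bit estimate is only meaningful for randomly generated passwords; a human-chosen phrase that happens to use all four classes is far easier to guess than the number suggests.

```python
import math
import secrets
import string

CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)
ALPHABET = "".join(CLASSES)

# Constructed stand-in for a breached-password list; real lists run to millions.
COMMON_PASSWORDS = {"password", "12345", "123456", "qwerty", "letmein", "iloveyou"}

MIN_LENGTH = 12   # assumed policy
MIN_BITS = 60     # assumed policy


def generate_password(length=16):
    """Uniformly random password containing at least one char of every class."""
    if length < len(CLASSES):
        raise ValueError("too short to contain every character class")
    while True:  # rejection sampling keeps the distribution uniform
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate


def charset_size(password):
    """Size of the smallest class-union alphabet the password draws from."""
    return sum(len(cls) for cls in CLASSES if any(ch in cls for ch in password))


def entropy_bits(password):
    """Search-space estimate: length * log2(alphabet). Only valid for random passwords."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def assess(password, other_passwords=()):
    """Return one verdict: common, reused, too short, weak, or ok (in that order)."""
    if password.lower() in COMMON_PASSWORDS:
        return "common"
    if password in other_passwords:
        return "reused"     # one breach elsewhere would expose this account too
    if len(password) < MIN_LENGTH:
        return "too short"
    if entropy_bits(password) < MIN_BITS:
        return "weak"
    return "ok"


if __name__ == "__main__":
    pw = generate_password()
    print(pw, round(entropy_bits(pw), 1), "bits ->", assess(pw))
```

The `reused` check is the one people skip most often: the same password on two sites means a breach of the weaker site hands attackers the stronger one.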

Enable Two-Factor Authentication

Depending on your email service, the steps for enabling two-factor authentication will vary. Generally speaking, go to the support section of your provider's website, select two-factor authentication and follow the steps given. You'll have to provide your phone number, and you will receive text messages during the process. (You can also just Google "[email provider] two-step authentication" and find the appropriate link, but make absolutely sure you click on the real provider's site and not a convincing phishing attempt!)

Check the Account Periodically

If you have multiple email accounts, make sure you don't go too long without checking in. Disused accounts are gold mines for potential attackers, since they can abuse the information with abandon.

If there's an email address you find you've been checking less and less frequently, consider disabling it altogether rather than allowing it to act as an information portal for a thorough cybercriminal. Likewise, if you see strange e-mails being sent from your account, or locations you don't recognize as access points, change the password, enable two-factor authentication and/or disable the account right away.
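Most providers let you view recent sign-in activity, and the check this paragraph describes can be automated once that list is exported. The script below is an added example, not part of the article: it reads a constructed login history (the line format, the IP addresses and the locations are all invented here) and flags exactly the two things worth reacting to, a successful sign-in from a location you do not recognise, and a success that follows a run of failed attempts from the same address.

```python
import re
from collections import defaultdict

# Constructed sample export; addresses are from documentation ranges.
LOGIN_HISTORY = """\
2015-10-19T08:12:03Z login user=alice ip=198.51.100.4 geo=US-VA status=success
2015-10-19T13:40:11Z login user=alice ip=198.51.100.4 geo=US-VA status=success
2015-10-20T02:05:47Z login user=alice ip=203.0.113.9 geo=RO-B status=failure
2015-10-20T02:05:59Z login user=alice ip=203.0.113.9 geo=RO-B status=failure
2015-10-20T02:06:30Z login user=alice ip=203.0.113.9 geo=RO-B status=success
2015-10-21T09:00:00Z login user=alice ip=198.51.100.4 geo=US-VA status=success
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) login user=(?P<user>\S+) ip=(?P<ip>\S+) "
    r"geo=(?P<geo>\S+) status=(?P<status>success|failure)$"
)


def parse_line(line):
    """Return the fields of one history line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def review_logins(text, known_geos, failure_threshold=2):
    """Flag successes from unfamiliar places and successes after repeated failures."""
    failures = defaultdict(int)   # ip -> consecutive failures not yet followed by a success
    findings = []
    for line in text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        ip = event["ip"]
        if event["status"] == "failure":
            failures[ip] += 1
            continue
        if event["geo"] not in known_geos:
            findings.append(("login from unfamiliar location", event["ts"], ip, event["geo"]))
        if failures[ip] >= failure_threshold:
            findings.append((f"success after {failures[ip]} failed attempts",
                             event["ts"], ip, event["geo"]))
        failures[ip] = 0
    return findings


if __name__ == "__main__":
    for finding in review_logins(LOGIN_HISTORY, known_geos={"US-VA"}):
        print(*finding)
```

Either finding is the cue the article gives: change the password, turn on two-factor authentication, or close the account. Adjust `known_geos` to the places you actually sign in from, and treat any location you cannot explain as unfamiliar rather than assuming it is a geolocation error.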