Top 10 Things You Must Do to Avoid Getting Hacked

This article was written for Peak Prosperity by Terence Kam, Founder and Cybersecurity Consultant at You can follow his company on LinkedIn. Or subscribe to his writings on Medium, where he writes on a wider variety of topics.
One of the wonders of technology in this Information Age is that it allows for economies of scale that have never been possible before. It allows for Big Tech companies like Google, Facebook and Apple to scale up to serve billions of people.

But there is a dark side to technology as well.

It allows cyber-criminals to scale up their crimes as well, which massively increases the pay-off. Also, unlike ‘traditional’ crimes like bank robberies, cyber-criminals have a much lower risk of getting caught by the authorities. Cyber-crimes are often carried out from overseas, in places where the jurisdiction of your local law enforcement does not apply. In other words, technology helps make cyber-crime a very lucrative ‘business’.

With economic crises erupting all over the world, more and more people are falling into poverty and financial strife. Throughout history, whenever economically difficult times arrive, ‘traditional’ crimes like robberies and theft increase. But today, a lot more of these ‘traditional’ crimes are going to ‘migrate’ into the cyber realm. That means cyber-crimes are going to increase and as a result, cybersecurity is going to be more important.

Below are some of the basic steps you can take to improve your cybersecurity.

Invest in a password manager app

Let me be blunt.

If you don’t use a secure password manager app, you will eventually suffer some kind of data breach.

Remember the infamous Colonial Pipeline ransomware attack that caused extensive fuel shortages in the southwestern United States? It was caused by someone using a lousy password. Why was a lousy password used in the first place? Because someone didn’t use a password manager.

Why do you need a password manager?

Well, the password is an ancient authentication method used for thousands of years. This ancient method is no match for the astronomically powerful machines that hackers have at their disposal today. When you use your human brain to come up with passwords, it is like bringing a butter knife to a gunfight with hackers. That’s why, to win against the hackers, you need to bring a gun to a gunfight. That gun is the password manager.

A password manager can do powerful things that the human brain cannot (more scary details are explained here):

  • Generate extremely long and random passwords that cannot be guessed by machines (not even a futuristic quantum computer). Only such passwords are safe from hackers. But the human brain cannot remember such passwords. However, a password manager can do it for you.
  • Ensure all your passwords are unique. If you don’t ensure that all your passwords are unique across all your website accounts, then you are taking a risk with your cybersecurity. Nowadays, with too many digital accounts in our life (I have several hundred!), our human brain is not able to remember all these unique passwords. But a password manager can.
Furthermore, a password manager can do the following for you:
  • Warn you if you are using lousy passwords. If you use a lousy password, a good password manager is going to warn you about it.
  • Warn you of data breaches in websites. Some password managers will warn you if a particular website suffers a data breach and therefore, which of your passwords are in danger of being stolen.
  • Protect you from phishing attacks. Password managers have the facility where they can automatically pre-fill in your passwords on websites. They know which password to fill because they can match the web address in the web-browser address bar with the web address of your password stored in their database. If you go to a phishing website, the web address will not match. Therefore, they will not pre-fill your password on the phishing website. This will tip you off that something is not right.
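As an added illustration (not code from the article or from any password manager product), here is the matching rule that makes the phishing protection described above work: a saved login is bound to the exact origin (scheme, host, port) of the page it was saved on, and the manager fills nothing when the current page's origin does not match. The vault contents and host names are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed vault for the example: each saved login is keyed by the origin
# (scheme, host, port) of the page it was saved on.
VAULT = {
    ("https", "accounts.example-bank.com", 443): {"user": "alice", "password": "hunter2-but-longer"},
}


def page_origin(url: str):
    """Origin triple of a URL, or None if it is not a normal web page.

    The host is lowercased and IDNA-encoded so a look-alike Unicode host name
    cannot compare equal to the ASCII name stored in the vault; a user:pass@host
    prefix is ignored because urlsplit reports only the real host.
    """
    try:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return None
        host = parts.hostname.lower().encode("idna").decode("ascii")
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except (ValueError, UnicodeError):
        return None
    return (parts.scheme, host, port)


def autofill(vault: dict, current_url: str):
    """Return the saved login for this page, or None.

    No match means no fill. Exact-origin matching is the strict variant (an
    assumption for this example; some managers also offer logins saved on a
    sibling subdomain): a lookalike domain, a parent domain, a downgraded
    http:// copy of the site or a userinfo trick all fail to match, and the
    missing autofill is the tip-off the article describes.
    """
    origin = page_origin(current_url)
    return vault.get(origin) if origin else None


def fills(url: str) -> bool:
    """Convenience wrapper for checking a single URL against the example vault."""
    return autofill(VAULT, url) is not None
```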
I recommend the following password managers:

Set up 2nd-Factor-Authentication (2FA)

Password as an authentication method is broken. But unfortunately, we are still stuck with this ancient method today. Therefore, we need something more than the password to secure our digital accounts.

To do that, we need at least 2 of the following to ensure secure authentication:

  1. Something you know (i.e. password)
  2. Something you have (e.g. mobile phone, authentication token)
  3. Something you are (e.g. fingerprint, face, iris)
We already have (1). We also need either (2) or (3). Whichever of (2) or (3) you add is the second factor, hence 2nd-Factor Authentication (2FA).

More and more websites are allowing you to set up 2FA to further protect your digital accounts. For example, Google allows you to use the following as the 2FA:

  • Text messages on your phone
  • Google Authenticator app
  • A prompt in your Gmail app
  • Physical tokens like the YubiKey or the Titan Security Key
Note that different vendors give 2FA different names:
  • 2-Step Verification
  • 2-Factor Authentication
  • Multifactor Authentication
  • Duo Verification
But they all mean the same thing.

Avoid text messages as 2FA wherever possible

Some vendors use text messages as a form of 2FA. If you have a choice of 2FA method, avoid it.

Text messaging is an old technology that was not designed with security in mind. It is not private, and there have been many cases where hackers used SIM port hacks to intercept their victims’ text messages.

Update your software and operating system

The IT industry has not figured out how to write secure code.

Every time hardware and software vendors release new products, more lines of computer code are released as well. More lines of code mean more cybersecurity holes. That means there are always holes to be patched.

Worse still, there are always massive backlogs of holes to be found and patched. For example, even today, Microsoft is still finding holes in code written a dozen years ago in their latest Windows operating system!

Therefore, vendors are always on the never-ending treadmill of releasing patches for security holes in their code. You will need to be always up to date with the patches to be secure.

That includes your web-browsers (Firefox, Chrome), operating systems (e.g. Windows, macOS, Linux, Android, iOS, iPadOS), email software (e.g. Outlook, Gmail). Also, don’t forget the software code in your hardware appliances (e.g. routers, Smart TV, Internet-of-Things).

Remember: Anti-malware software is just the starting point for cybersecurity

There is a myth out there that says that all you need is anti-virus software and you will be digitally secure. This is NOT true!

That may have been true 20 years ago. But hackers and cyber-criminals have been getting smarter and smarter over the years. For one, anti-virus software cannot catch and detect every piece of malware. Also, it cannot prevent sophisticated hackers from exploiting security holes deep in the operating system. In other words, sophisticated hackers can bypass anti-virus software.

Today, at best, anti-virus software is only the STARTING POINT of keeping yourself digitally secure. Having one is better than none. But do not let its presence lull you into complacency.

Don’t go installing software/apps that you are not looking for

This is a simple rule of thumb to follow.

If you are asked to install software or an app out of the blue, don’t do it. For example, a website may suddenly warn you that you need to install particular software to avoid being hacked. Or you need to install a particular video player to view certain videos. There is a high chance that you will end up installing malware on your computer or device.

This is related to one of the 10 Immutable Laws of Cybersecurity:

Law #1: If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore
Before you install any software or apps, always stop and ask yourself whether you trust whoever wrote the software. If in doubt, don’t.

Don’t forget web-browser extensions

Your web browser will also contain many third-party extensions (sometimes called “add-ons” or “plug-ins”), which are third-party code that modifies or adds functionality to your web browser (e.g. to perform specific functions like viewing special graphic formats or playing multimedia files).

They can be given permissions to access the ‘inner plumbings’ of your web browser, which can mean that they are permitted to access your private information in your web-browsing session. Therefore, you need to audit the extensions’ permissions from time to time to ensure that they are appropriate. If you are not comfortable with an extension’s permissions, you should disable it.

The general rule is to avoid installing web browser extensions wherever possible. If you have to, only install the ones from developers you trust.

Always check the web-browser address bar

A phishing attack is a scam in which the attacker pretends to be from a legitimate business such as a bank, telephone or internet service provider.

Usually, the scammer sends you a legitimate-looking email that tries to induce you to click on a link to his website. That website looks almost indistinguishable from the legitimate website of the entity.

Except for one thing.

The web address of the phishing site does not belong to the entity. Most phishing scams can be thwarted if their victims look carefully at the web browser address bar.

There are, however, more sophisticated phishing scams that try to fool people who check the address bar. I have listed some of them here. But most scams can be avoided by simply checking the address bar.

Ensure that the internal storage of your devices and computers is encrypted

Consider this excerpt from a recent news article:
Criminal networks are feeding off Australians' lust for new technology by skimming data from computers dumped in Africa and Asia - and using it for blackmail, fraud and identity theft.

They will pay as much as $200 on the black market for discarded computer hard drives, which they mine for bank details, credit card numbers and account passwords.

These hard drives are among the mountains of electronic waste earmarked for recycling here. Instead, they are illegally shipped to developing countries by operators seeking bigger profits.

Before you resell, dispose of or recycle your devices, computers and disks, you have to take precautions to ensure that your personal information does not fall into the wrong hands. If not, you may find yourself a victim of identity theft later on. The best way to do that is to ensure all the data on your devices and computers is encrypted beforehand.

The latest Windows PC and Macs have encryption turned on by default. But older PCs and Macs may require you to turn on the encryption manually. All iPhones and iPads are encrypted.

But only some Android devices are encrypted. You need to check the settings and may have to turn on encryption manually.

Don’t forget to securely erase all your external drives and USB sticks

Do you know that when you ‘erase’ files or ‘format’ your external disks, the data is not removed? What happens is that the operating system merely marks the area that stores the ‘erased’ files or the ‘formatted’ disk as ready for reuse later on.

There is a lot of data recovery software on the market that helps you recover ‘erased’ files and ‘formatted’ disks. If you store confidential data on such disks and lose or dispose of them, someone else can easily recover your confidential data.

Therefore, you need specialised secure erasure software like DBAN and iola DriveScrubber to truly scrub off confidential data from your ‘erased’ and ‘formatted’ disks.

Alternatively, you can encrypt your external disks beforehand so that you don’t need to securely erase your disks before disposal.
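As an added example (a constructed toy model, not code from the article or from DBAN or DriveScrubber), the following simulates a small block device to show the three situations this section describes: an ordinary delete or format leaves the bytes in place for a recovery tool to carve out, an overwrite-based secure erase removes them on a disk that writes in place, and data that was encrypted before it ever reached the media is not recoverable either way. It also goes one step beyond the section, modelling the wear-leveling behaviour of flash devices (SSDs, USB sticks) that a later reply in the thread raises: the overwrite is redirected to a spare cell and the old bytes survive. The sample data, cell size and the keystream "cipher" are all constructed for the example.

```python
import hashlib

BLOCK = 16  # bytes per block in this toy device


class ToyDrive:
    """Toy block device. 'files' maps a name to logical blocks; 'l2p' maps logical to
    physical blocks. A magnetic disk rewrites a logical block in place; a flash device
    (wear_leveled=True) programs a spare physical cell instead and only marks the old one
    stale, which is roughly what SSD and USB-stick controllers do."""

    def __init__(self, logical_blocks=8, spare=4, wear_leveled=False):
        self.phys = [bytearray(BLOCK) for _ in range(logical_blocks + spare)]
        self.spare_phys = list(range(logical_blocks, logical_blocks + spare))
        self.l2p = {lb: lb for lb in range(logical_blocks)}
        self.free_logical = list(range(logical_blocks))
        self.files = {}
        self.wear_leveled = wear_leveled

    def _write_block(self, lb, chunk):
        if self.wear_leveled:
            fresh = self.spare_phys.pop(0)
            self.spare_phys.append(self.l2p[lb])  # stale cell: keeps its old bytes
            self.l2p[lb] = fresh
        self.phys[self.l2p[lb]][:] = chunk.ljust(BLOCK, b"\x00")

    def write_file(self, name, data):
        chunks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
        blocks = [self.free_logical.pop(0) for _ in chunks]
        for lb, chunk in zip(blocks, chunks):
            self._write_block(lb, chunk)
        self.files[name] = blocks

    def delete_file(self, name):
        """Ordinary delete/format: forget the mapping, leave the bytes where they are."""
        self.free_logical.extend(self.files.pop(name))

    def shred_file(self, name):
        """What overwrite-based erasure tools do: rewrite the file's blocks, then delete."""
        for lb in self.files[name]:
            self._write_block(lb, b"\x00" * BLOCK)
        self.delete_file(name)

    def carve(self, needle):
        """Recovery-tool view: scan every physical cell, ignoring the file table."""
        return any(needle in cell for cell in self.phys)


def toy_encrypt(key, data):
    """Toy keystream cipher (SHA-256 in counter mode) standing in for real disk encryption."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


SECRET = b"card 4111-1111-1111-1111 pin 0420"  # constructed sample data, fits in 3 blocks


def demo_delete(wear_leveled):
    """Delete only: the card number is still on the media on either device type."""
    d = ToyDrive(wear_leveled=wear_leveled)
    d.write_file("notes.txt", SECRET)
    d.delete_file("notes.txt")
    return d.carve(b"4111-1111")


def demo_shred(wear_leveled):
    """Overwrite then delete: gone on the in-place disk, still present in a stale flash cell."""
    d = ToyDrive(wear_leveled=wear_leveled)
    d.write_file("notes.txt", SECRET)
    d.shred_file("notes.txt")
    return d.carve(b"4111-1111")


def demo_encrypted(wear_leveled):
    """Encrypt before writing: only ciphertext ever touched the media, so a plain delete suffices."""
    d = ToyDrive(wear_leveled=wear_leveled)
    d.write_file("notes.txt", toy_encrypt(b"k" * 32, SECRET))
    d.delete_file("notes.txt")
    return d.carve(b"4111-1111")
```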


One last thing. Because cyber-criminals are opportunists, you do not need absolute cybersecurity.

To understand why, let me tell you a joke:
Two men were chased by a bear. The first man told the second man, “Why bother to run? We can never ever outrun the bear!”

The second man answered, “I don’t have to outrun the bear. I only have to outrun YOU!”

The principle is this: If you are much more cyber-secure than most other people, cybercriminals, being the opportunists that they are, will find some other easier targets. As long as you are not specially targeted, it is easier for cybercriminals to target someone else.

That means you don’t have to fall into the paranoia of absolute cybersecurity.

Have cybersecurity tips to share? Join the conversation below...


This is a companion discussion topic for the original entry at


I might be overly paranoid when it comes to passwords. I use the password manager extension for the Trezor cryptocurrency hardware wallet to log into LastPass with a monster password (100+ characters) and a Yubikey. Then LastPass logs into the sites with another monster password. The nice thing about the Trezor is that a master password is not entered on the keyboard. Entering the Trezor’s PIN number on its touchscreen activates its manager. I continue to use it with LastPass since LP works with a lot more complicated login screens.

Great list! Here are some others.

  1. Don’t click the link. Hackers often try to get your computer to download malicious software by tricking you into clicking a link (usually in an email or text). JavaScript code can be embedded in the HTML code in webpages and your web browser will run whatever code it downloads from a malicious website. Antivirus software helps with this but better not to run it in the first place. Be suspicious of all links sent to you that you didn’t ask for, and avoid shady websites (you know the ones I’m talking about). If you are not sure about a link, you can test it out by copying it and pasting it in a website reputation checker such as If you are sent a file you are unsure about, you can upload it to to check it out before opening it. These links are ok :wink:
  2. Do not log into your computer as an administrator unless you need to do administrator tasks. Make your daily use account on the computer a standard user account and use a separate administrator account for administration. If you are logged in as an administrator and get compromised by clicking that bad link or myriad other oopsies, you just gave the attacker way more power to take over your machine. On very secure networks, admin accounts are very locked down (e.g. web browsing not permitted…log into your standard account to surf web).
  3. Use a VPN service if you are using public wifi (or honestly any wifi other than your own). WiFi is very vulnerable to snooping and the access points and routers you connect to may not be trustworthy. VPN services ensure that your connection between your computer and your VPN service provider is encrypted so even if someone is snooping the wifi traffic or you are connected to a compromised access point, the data you are sending out cannot be deciphered or tampered with. I like PIA but there are many cheap reputable VPN services out there.
  4. The biggest cybersecurity problem for every organization is people because we tend to be lazy, greedy, and easily tricked by social engineering. Don’t give anyone your password. No legit organization will ever ask you for your password on the phone (except for special phone password or PINs that are separate from online account passwords). If a prince in Africa wants to wire you money and let you keep a few grand in exchange for helping get the money out, it’s a scam! If someone on craigslist wants to have their local representative come pay you way too much for your exact title of your posting, it’s a scam. If someone wants to send you a code that you read back to them on the phone to confirm your identity, they are trying to break into one of your two factor authentication accounts and trick you into giving them the code for the 2nd factor. If it sounds too good to be true, it is! Bad grammar and misspelling is a common sign something may not be legit (since many hackers are not native English speakers).
  5. Most banks have configurable notification settings for financial transactions. I have text notifications sent for all banking and credit card transactions so I know immediately if there is unauthorized activity.
Don’t forget to securely erase all your external drives and USB sticks... Do you know that when you ‘erase’ files or ‘format’ your external disks, the data is not removed? ... you need specialised secure erasure software like DBAN and iola DriveScrubber to truly scrub off confidential data
The suggested alternative " can encrypt your external disks beforehand..." should also be considered as the primary approach for an external storage device containing confidential data. Here are two reasons:
  • In the event the device/USB stick is lost, at least you know it was encrypted.
  • Secure erasure software are not created equally.
Regarding the second bullet, storage devices are designed with some degree of wear protection in mind to prolong their lifespan. A number of erasure programs work by (repeatedly) attempting to overwrite the "space" where a file used to be. Given the fact that flash memory devices (SSDs, USB sticks, SD cards, etc.) utilize wear leveling techniques, an instruction from erasure software to overwrite a file with random data most likely just results in some other part of the device having that data written to it. That is, some erasure software might just be wearing down the device without accomplishing the intended goal. I am not familiar with DBAN, which is one of the suggested secure erasure tools in the article, but a quick look at reveals that it does not support erasure of SSD drives. In round numbers, if you bought your PC within the last ten years, DBAN is not your friend. Regarding storing confidential data, for instance private keys for a crypto wallet on an external device, applying early security measures beforehand sounds more reasonable to me, as opposed to opting for a later secure clean-up approach. If the second option is utilized, e.g. before disposing of the device, consider deleting all files on the drive and then filling it up completely with other data. Rinse and repeat if necessary. If the storage device contains outright secrets, this approach will not suffice.
Avoid text messages of 2FA wherever possible... Text messaging is an old technology that is not designed with security in mind. It is not private and there are a lot of cases where hackers had used SIM port hacks to intercept their victims’ text messages.
The explanation is not wrong. In my opinion this attack vector belongs to a different category compared to the others on the author's list. Here's the nuance:
  • In this case a 'specific' individual is being targeted.
  • If an attacker is targeting your 2FA, it probably means that your credentials to some "valuable" account (e-mail, online shopping, etc.) to which the 2FA is associated have already been compromised.
That is, for an attacker there must be an incentive of a certain size before targeting a specific individual and their 2FA. This is in comparison to utilizing a broader attack, e.g. phishing, where a big net is cast in an attempt to catch whomever might step into the trap. In regards to text message as 2FA, I am not sure if this is currently an issue for general applications. However, from a privacy perspective I see the author's point.

OK, I agree with the concept of using a password manager. The problem that I see came up in the Solar Winds fiasco. Even the password manager is software and therefore it can also be hacked, or in the case of Solar Winds have a compromised update that opened all of its clients to hacking.
I would suggest using a password generator and keeping a cheatsheet under your keyboard or in a safe.
Also, for systems where security is paramount, such as SCADA control systems for electrical grids, water supplies, etc., do not connect them to the internet in the first place. That is the best security.


I would strongly suggest including the use of web browser script blockers like NoScript. You can then enable scripted content on a per-site basis. This also defeats most web advertising.
If you start seeing the sites you visit have a lot of third party scripting, then it’s a hint you might want to rethink using those sites. Or at least keep all that other stuff blocked.

Entropy is the measure of how hard a password is to break.
Password Entropy = Log2( symbols ^ length )
Number of symbols = 26 (a-z)
8 Characters long
ln( 36 ^ 36 ) / ln( 2 ) = 38
That is not very difficult to defeat with brute force processing.
Yes, you can add lots of symbols and mixed case, but as the math shows, longer passwords are exponentially better.
Here is a good password example, a typical md5 checksum ( 846c83175aef6c5dc1ce42e9e4c300e2 )
At 16 characters, the entropy value is: ln(16^36)/ln(2) = 144
Those are great for password managers, but what about us mere mortals?
Then try a password like this: “peakprosperityisanawesomewebsite2visit”.
At 39 characters with a number, that’s 201 entropy points and easy to remember.

Don’t forget what Assange used with David Leigh: a loooong phrase with one obvious word missing that is never written down, anywhere, ever.


I am not saying buying a password manager is “wrong”. I am saying it is grossly unnecessary and will give you a very false sense of security. You can do approximately as well by using an algorithm to calculate a semi-unique password for each site or computer based upon, for example, the name of the website. Brute force attacks at the individual password level are very rare because they are not profitable enough.
In the real world most dangerous hacks don’t work by breaking passwords (brute force). Or, if they do, they do it at a site level – out of your control.
They work because “everything is broken”: and, as an example, just yesterday:
Hopefully that second article brings it home: the whole USB model, is intellectually bankrupt -- especially on Windoze. Find access to a Windoze machine, plug in a USB stick with ransomware, and you are off to the races. If the machine -- any Windoze machine -- is connected to the network, your network is toast. Under Linux (which I recommend) this can be better ameliorated (the OS can be made to only allow SPECIFIC USBs), but not entirely. So, some basic things which will give you vastly higher levels of security than a software password manager: (1) Figure out an algorithm simple enough for you to calculate passwords on the fly. If a site doesn’t contain “top secret” information use a throw away password with, perhaps, a really simple modification based on the name, and don’t worry too much about security on throw away accounts. (2) Avoid using the internet when unnecessary. Use a dedicated machine for internet browsing, or a dual boot, vs your working machine. Use hardware and/or software to allow you to easily turn on the internet when you actually need it – and, WHEN YOU DON’T EXPLICITLY NEED INTERNET, KEEP INTERNET OFF!!!! Don’t ever allow automatic software “upgrades”. (3) Avoid “the cloud” absolutely as much as possible. The cloud is, fundamentally, a low security, money making exploit, foisted on us by our Masters who want to own anything – including your body and your thinking. Don’t cooperate more than you have to. There are security breakins being reported virtually every day, in the cloud. That will never stop, because of the nature of tech. (4) Use lots and lots of ad and tracking blockers (or use Brave) on the internet. Don’t let them turn your computer into THEIR “Skinner Box”. Don’t watch ads. (5) Avoid software monocultures, of all sorts. In particular, Windoze IS the attack surface for nearly all serious security exploits. Avoid Windoze, and your security concerns go down dramatically. Absolutely, don’t use Windoze in your business. 
Don’t use Android. Don’t use Gmail or Microsoft Live. Don’t use Chrome, nor Edge – Brave or Chromium or Firefox work just fine and don’t pimp you. If you have to use something (e.g., Gmail) use it absolutely minimally. For God’s sake, respect yourself, your family, and your friends enough to not pimp out mind, body, and privacy for nothing. The world is stratifying into Eloi and Morlocks. Being a Time Traveller is a choice. Tor is nice. The Morlocks don’t like Tor too much. Well, those are some obvious things you can do relatively easily. Focussing on passwords is really, really, misleading. The insecurity is in the fundamentals Your Masters don’t want you to know about – seldom is it the password. If your password is “password”, maybe get a new brain.

@Stph, I appreciate your input and while I cannot speak for others, I think some of what you are saying is not useful for your average user.

Figure out an algorithm simple enough for you to calculate passwords on the fly.

This is not correct in the real world. Though a computer could generate every single possible combination of those characters in the time on that chart, no server would allow, or could look up and serve a response for, all those combinations within that time. Not even close. Most will kick you out by the time you have missed a password after 4 attempts. The hacker would have to switch machines, networks or reset every few attempts. If that chart were virtually true, we would all have to have 15-character passwords. (Also you would have to have the username as well.)


Hi Travis! I just gave you a thumbs up for showing the math.
That said, what you didn’t address were the elephants in the room – and why worrying about passwords is pretty much worrying about the wrong things. I wrote (maybe) too much about that in my other post, but I wanted to point out something even more fundamental.
ANY DECENT WEBSITE AND ANY DECENT OPERATING SYSTEM AND ANY DECENT APPLICATION DOESN’T ALLOW BRUTE FORCE ATTACKS. Try “brute force” attacking anything decent (intelligently constructed) and the account will be locked down after a mere handful of “guesses”. So the whole math issue of 32 bit “random” characters is almost entirely moot.
Where it ISN’T moot is if you are encrypting a long message and the message is the treasure. If someone intercepts your whole message, and has all the time in the world to run a cracker, they are going to get in no matter how many “random” characters is in the password. It may take them a day or three, but they will get in.
For most of us, except for maybe access to bitcoin, that isn’t the issue. For most people, security of financial and related personal information is the authentic concern. For that, site level, OS level, application level, and hardware level security is what matters. Avoid Windoze and reserve non-obvious passwords for financial information sites, and you have done 90% of what can be done. Use due diligence to assure, as best you can, that the vendor of the site is intelligent, diligent, and isn’t running Windoze nor doing other really-really fundamentally dumb things, and you should probably put your worry energy into something else: NOT a longer password.

Oh I agree.  Good passwords are like number five on my list.  The elephants in the room are junk software.  Decrypting is hard and hackers will always try to go around if possible.

  1. Patch your software

  2. Don’t get socially engineered

  3. Don’t use bad software that gives away your info and access.

  4. Use 2FA

  5. Use good passwords

  6. Use encryption

  7. Just use Linux

There are a lot of hacks where the bad guys go through a back door and are able to get the full password database. That’s where good passwords and encryption are important. If you are using both, even the NSA would be challenged to decrypt the data.

Yes, on systems like Gmail and Facebook, quality passwords do matter to an extent. But, yes, they will lock out the failed attempts after only a few tries.

And remember too, don’t be that guy:



A lot of this applies to any platform.
If you’re on mobile, you’ve already given the farm away - for free.
As Peter Gutmann pointed out years ago, the only secure computer hardware in the future might be produced in China for the Chinese market (although there’s reason to believe he might want to alter that statement today).
Build it yourself. That’s where you are. Nothing on your hardware is fully secure, and any daemon can be phoning home at any time. Particularly see the third and final URL in that list.
PS. It’s a criminal absurdity to overlook the fact that there’s a ginormous gap between Windows and non-Windows. Anyone who doesn’t appreciate this can never be taken seriously.


I have some great older machines, stuff I built. The only reason I don’t use them is that the WINDOWS GOD doesn’t like it. Perhaps it’s time to roll back to some old hardware with Linux.


Dr. Vernon Coleman lays it all out for us re where we are heading - and much, much faster than most realize.

....So far around 4.5 billion people around the world use the internet and most have social media accounts. A fairly scary survey found that two thirds of individuals are willing to share information about themselves or others to get a shopping discount while half are willing to do so if it helps them skip queues at airports. One in two individuals say they are happy for the Government to monitor everyone’s social media behaviour if it means keeping the public safe. Of course, it will be impossible to find out what your social credit score is, to find out exactly how scores are made up or to correct any error. And scores will be changed in real time. So you could join a queue thinking you are entitled to hire a car or board a train and find, when you get to the front of the queue, that your rating has changed and you can’t do either of those things. Governments, big companies and local authorities are already gathering information about you from facial recognition cameras, biometric studies at airports, drones, surveillance planes and social media. This is the technocratic state in full fly. Using a silly name or avatar on social media will provide you with absolutely no protection. They know exactly who stinkyfeet of Weymouth really is and they know the name, address and inside leg measurement of bumfluff from Colorado. You can forget about privacy, freedom or rights. ... Geotracking is the new normal now. Your financial records are combined with your criminal record, academic record, medical record and shopping patterns. They’re keeping an eye on the type of friends you have, the videos you watch, the people you date or marry or meet. This is Big Brother on speed. In the brave new world, those with a low credit score won’t be able to move an inch. ... I leave you with this fact. There are public loos in China which won’t let you in without first checking your face and identifying you.
Only then will the machine dispense the small quantity of loo paper you are allowed. How many sheets will you be allowed if you have a low credit score? Two? One? None at all? You may be smiling now. But see if you’re still smiling in twelve months’ time.

Yes, I agree that an SSD is much more tricky to securely erase than a hard disk.
The DBAN software that I mentioned has a free version and a paid version. The paid version, called Blancco Drive Eraser, has the added functionality of securely erasing SSDs.

Hi Travis!
Regarding “peakprosperityisanawesomewebsite2visit” as a password, I’m afraid there’s not enough entropy despite its length.
You may want to read this article: Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331”.
It has come to the point where passwords that are easy for the human brain to remember no longer contain enough entropy.