Maybe you don’t send messages detailing the shenanigans of political parties or the actions of foreign governments. And maybe your email will never be the subject of an FBI probe. But that doesn’t mean you don’t have to be concerned about email security. This past week, security researchers discovered yet another major data breach, this one exposing more than 711 million email addresses and passwords. This article originally appeared on lightningstrikestudios.com.
Even if all you do is send pictures of your cat to your friends, you need to secure your email. This is because weak security doesn’t just make YOU more vulnerable to hacking. It can expose the personal information of all those with whom you communicate, making THEM more vulnerable as well.
Here are a few steps you can take to make your email more secure.
Change your email password on a regular and frequent basis. Email providers and hosting companies should alert their users as soon as possible after a security breach occurs so users can quickly change their passwords. But not all do, or they themselves may not become aware of the breach until long after the fact. By changing your password frequently, you give hackers less time to exploit it.
If you have multiple accounts, use a different password for each one. That way, if one account is compromised it won’t expose the others. If you have multiple passwords to remember – and these days, who doesn’t? – consider using a password management tool like the free and open source KeePassXC, available for Mac, Linux, and Windows.
Use complex passwords. The more complex your password, the longer it takes for hackers to crack it. So avoid common words, phrases, and numbers, such as the make and year of your car. If you must have a password that’s easy to remember, use an initialism of a longer phrase, substituting numbers and characters where possible. For example, “My favorite meal is pizza with garlic bread and cheese” becomes Mfm1PwGB&C.
KeePassXC, mentioned above, can generate complex passwords for you. And since it allows you to copy and paste passwords without retyping them, you don’t need passwords that are easy to remember.
For added security, sign and encrypt your email. The basic tools are OpenPGP, the standard, and GnuPG (GPG), the free software that implements it.
Does using encryption add a level of complexity to your email activity? Yes, it does. Is it worth it? Yes, it is. Sending email without encryption is like sending postal mail without sealing the envelope; you have no way of knowing who else is reading your messages.
While OpenPGP can be complicated to use, there are tools that make it much easier. Thunderbird is a solid choice, available for Mac, Linux, and Windows.
If you’re using Microsoft Outlook, consider installing the add-on Encryptomatic OpenPGP for Outlook.
If you’re using Apple Mail, GPG Suite includes GPGMail, a plugin for Apple Mail that allows you to encrypt, decrypt, sign, and verify mail using GnuPG.
There’s even a browser add-on for Firefox and Chrome – Mailvelope – that allows you to use OpenPGP with webmail systems like Gmail, Yahoo Mail, and Live.
And ProtonMail makes the entire process seamless and painless.
Whatever system you use, be sure to keep your public and secret keys backed up and secure.
If you get into the habit of digitally signing each and every message you send, the people you communicate with will come to expect it, and won’t be fooled if they receive an unsigned message that appears to be from you but is really from a spam bot. Include a signature block at the bottom of each message you send – which also provides valuable marketing space – with a link to your public key and your key’s fingerprint.
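The sign-verify-backup workflow described above, as an added example that is not from the original post: it builds a throwaway GnuPG keyring, signs a message, checks that an altered copy is rejected, and exports the public key, its fingerprint and a secret-key backup. It assumes GnuPG 2.1 or later; the identity and message are made up.

```shell
#!/bin/sh
# Added example, not from the original post: a throwaway GnuPG keyring walking
# through the steps the post recommends (create a key, sign, verify, publish the
# public key with its fingerprint, back up the secret key). Assumes GnuPG 2.1+.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg is not installed" >&2; exit 1; }

# Isolated keyring so the demo never touches your real keys; removed on exit.
GNUPGHOME="$(mktemp -d)"; export GNUPGHOME
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"' EXIT
EMAIL="demo@example.invalid"   # constructed identity for the demo

# 1. Create a key non-interactively. %no-protection is acceptable only for a
#    throwaway demo key; a real key needs a strong passphrase.
gpg --batch --quiet --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 3072
Key-Usage: sign
Subkey-Type: RSA
Subkey-Length: 3072
Subkey-Usage: encrypt
Name-Real: Demo User
Name-Email: $EMAIL
Expire-Date: 1y
%commit
EOF

# 2. The full 40-hex-digit fingerprint: the value that belongs in your signature block.
fingerprint() {
    gpg --batch --with-colons --fingerprint "$EMAIL" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# 3. Clearsign: the text stays readable and carries a signature recipients can check.
sign_message() { printf '%s\n' "$1" | gpg --batch --quiet --clearsign --local-user "$EMAIL"; }

# 4. Verify a clearsigned message: exit 0 on a good signature, non-zero otherwise.
verify_message() { printf '%s\n' "$1" | gpg --batch --quiet --verify 2>/dev/null; }

# 5. Export the public key (safe to publish) and the secret key (offline backup only).
gpg --batch --armor --export "$EMAIL" > "$GNUPGHOME/public-key.asc"
gpg --batch --armor --export-secret-keys "$EMAIL" > "$GNUPGHOME/secret-key-backup.asc"

MSG="Meet at 10:00 to review the contract."
SIGNED="$(sign_message "$MSG")"
verify_message "$SIGNED" && echo "good signature, fingerprint $(fingerprint)"

# An altered or forged copy fails verification, which is the point of signing every message.
TAMPERED="$(printf '%s\n' "$SIGNED" | sed 's/10:00/11:00/')"
verify_message "$TAMPERED" || echo "altered copy rejected"
```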
Obviously, this has not been an in-depth discussion of every aspect of email security. If you actually do work with political parties or foreign governments; or if your business involves high tech, healthcare, or finance; or if you’re just really concerned about security, get professional help.
If you want to know more about securing your email, check out the excellent articles Email Self-Defense from the Free Software Foundation, and Common Encryption Types, Protocols and Algorithms Explained from Comparitech.
By the way, here’s our OpenPGP / GnuPG public key:
36A1 66D7 3050 DDB9 1B26 F582 59FD 9BA6 5493 5714
At LightningStrike Studios, we respect our clients’ privacy. We’re always willing to sign non-disclosure agreements, but even without them we never disclose our clients’ confidential information without their permission. If you need help with a project – a website, marketing content, or social media campaign – contact us. We’d be glad to help.