You might be thinking to yourself “Why are we talking about computer security? This is supposed to be about TouchDesigner and interactive tech and immersive media!” The truth of the matter is simple, in this industry we end up working with a lot of big companies with a lot of information they don’t want out in the public. This could be something as simple as some plans written inside of a PDF for an upcoming event you’re working on to more sensitive materials such as unreleased content from popular shows. Whatever the case may be, the reality is that if you end up being the cause of information or asset leaks, it doesn’t matter if you meant it or not, you could be in some serious legal trouble.
So on that dark note, I put together some easy things you can do to heighten your security and make sure you can avoid those situations and many other terrible situations all together (like having your emails hacked, bank accounts hacked, social media accounts taken over, servers used for bitcoin mining, etc). Let’s dive in!
Step 1: Password manager
Do you use the same password (or one with slight variations) for many services? This could be a ticking time bomb for you. What often happens in data breaches is that hackers aren’t always looking to hack the big banks and Googles of the world (although as we see in the news, they can and do!). The hackers these days know that many people use the same passwords across many services, so they target services with a large number of users that may not have their security practices up to snuff. Once they’ve breached those services and have access to usernames and passwords, they quickly take all of those credentials and bounce between real major services like Facebook and Gmail, trying the exact same credentials. A lot of the time, this unfortunately works, and those credentials get them into your accounts.
This is where a password manager app comes in handy. It allows you to make a completely different password for every single service that you use without you having to struggle to remember all of them. Plain and simple. The benefit of a password manager is that it contains the impact that a hack or breach of one of your services can have on the rest of your digital life. Someone hacks into your League of Legends account? Well, no big deal, since you didn’t use the same login information for your Gmail or Instagram. You just go to League of Legends, change your password, and you’re back to normal (hopefully…).
For most folks in our industry, I recommend the use of a password manager called Bitwarden. It is open source, has had its code professionally audited by third parties, works on many devices, works well and is intuitive, and has a free tier plan that will work for most general users who just need to hold usernames and passwords. If you’re working with a small team or company, you can opt to pay for business features, which include sharing credentials and keeping attachments in your Bitwarden vaults as well. It’s got an iOS app, an Android app, and browser extensions for just about every browser.
Step 2: Two-factor authentication
Credentials become much stronger when they involve both something you know (your password) and something you have (an authentication device). A lot of the big celebrity hacks you hear about on the news, such as the iCloud scandal from a few years ago, actually have nothing to do with the services being compromised. What actually happened is that, through some way, shape, or form, the username and password of the person were found out, and once that happens, anyone from anywhere can usually just hop into your account and take over. There was only “one factor to the authentication,” which was the password. Setting up a password manager can usually help with this, but if someone gets access to your computer, they may start trying to log in to services where your password may still be saved.
Two-factor authentication to the rescue! What two-factor authentication (2FA) adds to the equation is usually a device that you have to have with you, and that device acts as a second stage of the authentication. So once you enter a username and password (from your password manager!), the system then brings up another prompt that asks for a code from your authentication device, which generates a new code every 30 seconds or so. You grab your phone (my recommended second authentication device for most folks), look at the 6-digit code, enter it in, and now you’re logged in. This little action that means almost nothing in your day-to-day life adds so much security to your online life. That means that even if someone were ever to break into your Bitwarden and had all of your passwords, they still couldn’t break into your accounts unless they also stole your phone, had its PIN code (please lock your devices!), and then were able to get into your 2FA app as well. At that point, I’d say you’re a pretty big target and you’ll need more than my advice to stay safe…
For most folks, I recommend using Authy on your mobile device as your second authentication device. It’s unfortunately not totally open source, but it has a good history in the industry and offers a good balance of being a secure 2FA app while offering conveniences that will help you stick to using it. There are iOS and Android apps that both look good and have secure features like requiring an additional PIN code when launching the app. It also has encrypted cloud backups of the secret keys used to generate the 2FA codes (which for most people is fine to have and use), which can prevent a bad situation where you lose or break your phone and then can’t log in to your accounts because you no longer have your 2FA codes. I highly recommend that most people getting started with these use Authy’s encrypted cloud backup, and also download and save the backup codes that most services give you when you set up 2FA.
A lot of services will try to suggest using your phone number and text messages (SMS) or phone calls as your 2FA method. These are no longer considered secure in the computer security industry. It is always recommended to use application-based 2FA, such as Authy or other apps. On many services, when you enable 2FA it may say “app-based” or even “Google Authenticator Setup,” and either of those will work because the process behind all 2FA apps is the same: you’ll see a QR code pop up on screen, you scan it with the app, you enter a code from the app into the website to confirm the two are in sync, and you’re done.
Only 2 steps?
I could write forever about computer security (don’t ask me why…), but the reality of the matter is that these two steps alone will put you in the high 90th percentile of media people when it comes to the security of your digital services and data. Security is like the layers of an onion: you can keep adding more and more layers, such as good data backups (to prevent ransomware from ruining you) or choosing not to run your own servers (unless you’re very comfortable hardening and updating a server), but there’s no real end to it, just a trade-off between convenience, energy, time, and security. From a computer security standpoint, and for our industry specifically, these two steps will be enough to secure your services while minimizing the impact of breaches and hacks that are out of your control.
Password managers and 2FA…it’s really that simple. Get an app for both, set them up, and start using them. The unfortunate reality is that breaches and hacks are constantly happening. It’s not a matter of if a hack will happen; it’s generally only a matter of when. With that mindset, it’s best to keep your data and services secure while still being convenient for you, so that you can avoid any issues in your career, especially considering how many people trust us with their information or assets. Enjoy!