Hackers can look really dumb when they themselves are hacked; so their security practices will be useful for the rest of us!

With so much seemingly contradictory advice flying around, securing your organisation or personal network against cyber attacks can feel like a daunting prospect. From how to build a strong password to whether or not connected devices are a good idea … one is never sure which tip is best suited to one’s needs.

That is why bug-bounty specialist HackerOne has asked its army of hackers what measures they themselves follow to keep safe.   

On managing passwords

Newbie HackerOne hacker, Katie Paxton-Fear aka InsiderPHD, shares her practical approach for managing passwords, which can be a huge mental load to remember and generate: “I use a password manager (LastPass) to store my passwords—it also generates them for me, which saves me coming up with new ones. I know it sounds super insecure but for some passwords I write down a hint—it is better to have something written down physically than stored digitally anywhere other than a password manager. Obviously, I keep these written password hints in a safe location, always on my person, and keep good physical security measures—not writing what the hint is for or taking pictures of the hint.”

Multi-factor authentication can also help add another layer of security so, if a password is compromised, the account does not also become compromised. You have program-specific authentications such as Blizzard Authenticator, but there are also authenticators that can be set up for multiple programs, such as Microsoft Authenticator. “My final piece of advice is to use an algorithm, incorporating the name of a website or service into a password. I used to use this method but now I simply keep all unique passwords in my password manager.”

British hacker, Tom Hudson a.k.a Tomnomnom, follows up with his top tips:

  • Use a password manager
  • Have a different password for every account—preferably long ones auto-generated by your password manager
  • Enable Two-Factor Authentication where possible—with a preference for non-SMS based methods where available (e.g. Authy/Google Authenticator)
  • Use the ‘notify me’ service on haveibeenpwned.com to help identify when your account details might be compromised

Tech you might want to avoid

Privacy conscious German hacker, Julien Ahrens a.k.a Mr. Tuxracer, says: “I personally avoid any app or website that has had major breaches in the past. For example, certain social media sites because they have had breaches or data privacy issues, and more than once. I also avoid nearly anything related to IoT. Everything is connected to the internet today, even your crazy, pink, fluffy toaster, but most of the vendors have no real interest (or budget) for security, only selling their new product. I have found a vulnerability in every IoT product that I have had a look at in the past, and I do not want to have this in my home.”

Pragmatist Katie adds, “I know a lot of people avoid certain technology but I rely on a spidey sense of cyber danger; I look for red flags, similar to spotting a phishing website: if it seems dodgy, you should trust your instincts. When I do use sites that I suspect do not take security seriously, I opt to use services like PayPal where I know security is a priority, instead of letting a website save my payment details. As for mobile apps, I keep on top of any apps that use sensitive information, like my location or health information, and if I think they do not need that information, I simply delete the app from my phone. The only technology I avoid using for anything day-to-day is my hacking tablet! It is purposefully completely unsafe for bug hunting!”

On securing your smart home

Hackers prefer to eschew IoT as a notorious security weak spot, but British hacker, James Kettle a.k.a albinowax, advises that anyone who wants to sleep safe in the knowledge they have secured their smart fridge, doorbell or TV should follow these rules for smart devices:

  • Smart devices are most exposed to attack if attackers end up on your Wi-Fi/LAN, so I lock down my Wi-Fi by using a strong, non-default password
  • Use wired connections instead of Wi-Fi where possible
  • Isolate smart devices on a different VLAN, however, this is not very easy and may require a fancy router

On social engineering

American hacker, Jesse a.k.a Random Deduction, advises:

  • Do not follow links in emails. Instead, go to the site directly.
  • If you receive a call/text from a bank or any organization, tell them you will call them back. Use the number on the back of your card or from the company’s website, not one the potential hacker gave you, to reach out to the organization directly.

Lisa Jiggetts a.k.a cyberjin adds: “Things that make me the slightest bit suspicious raise red flags, like weird calls, texts and emails. It is getting harder these days because the bad guys are really good. I fell for one earlier this year; they spoofed one of my banks’ phone numbers for an old account that I do not use but, a couple of minutes into the call, alarm bells started ringing. They had already changed my address on my account and I didn’t have 2FA set up at the time, so I knew that my login credentials were compromised and that is how they initially got in.”

On using tech to stay secure

Indian hacker, Sandeep Singh a.k.a GeekBoy, recommends the Telegram messaging app, which offers multiple features for security and privacy.

Lisa Jiggetts says she tries to keep social media posts minimal, without divulging too much personal info that could be used for a potential attack. “I always check the privacy settings to make sure a new setting was not “snuck in” after an update, and that the settings are set at the most restrictive option. On my phone, I keep Bluetooth, Wi-Fi and GPS turned off unless I am using it. I always use a VPN whether on my phone or laptop. All of my accounts are set to use 2FA and I regularly change my passwords and use a password manager.”

Swedish hacker, Fredrik Alexandersson a.k.a Stok, says that he always struggles with remembering passwords, so some kind of password manager is a must. “If it is LastPass, 1Password or any other solution, it does not really matter as long as you use it in combination with two-factor authentication. Preferably one that uses any kind of “push” technology so you just have to approve your login on your phone. I am also a big advocate of using VPN services that care about their customers’ privacy, just like mullvad.net. So always make sure you read up on the privacy agreement of your VPN provider so you do not end up signing a user agreement with a Man-in-the-Middle attack-like service.”

Jesse adds: “Whenever possible, enable multi-factor authentication on your accounts. Using a mobile app like Authy or Duo to obtain an authentication code that allows you to log in after you supply your password will stop a huge portion of attacks on the average person.”