Although the blame and fault of these hacks rest entirely on the criminals, each new case is a stark reminder that security in the digital world is just as urgent as that in the real world.
Whether you're storing data on Apple's iCloud, Google Accounts, Microsoft, Dropbox, or any other service, there are steps you can take to better protect yourself from would-be hackers. Here's how:
Don't use weak passwords
Everyone should know by now to avoid passwords like "password," "123456," your birthdate (or anyone's birthday), nickname, pet's name, child's name (or anyone's name). You also want to avoid any word or set of words in the dictionary and even common variations thereof, like d!ct!0n@ry.
Anything easy for you to remember is also easy for someone else to guess or "brute force."
Use strong, pseudo-random passwords
The best passwords are blobs of pseudo-random letters, numbers, and symbols. The longer the series, the stronger the password. Most of us don't have to worry about nation-states or hackers with similar resources trying to get into our accounts. However, once you start using a password manager (see below), you might as well be as secure as possible.
Don't use the same password for more than one website
Let's say you set up your iCloud account with a strong password but use that same password to set up an account with a home supply store. Then that home supply store gets hacked and, it turns out, it never bothered to store passwords properly. The hackers then start trying those leaked passwords on other sites, including your iCloud account.
If your passwords are all different, one hack doesn't compromise all your accounts.
Do use a password manager to store and auto-fill unique passwords
It's impossible to remember even one long, secure password, let alone dozens of unique ones for every site you visit online. That's where a password manager like 1Password or LastPass comes in. They'll generate the long, strong passwords for you, store them, and when you go to those sites, they'll automatically fill in the passwords for you.
They also support Touch ID and copy/paste, so they're easy to use.
Don't use researchable security questions
Security questions are bad for security, and I wish companies would stop using them. If you're a public figure, Wikipedia can usually provide anyone with the answers to several common security questions. Even if you're not a public figure, Google can sometimes offer the same information. And if people get those answers, they can reset your password and try to get into your account.
So, avoid using security questions, regardless.
Do treat security questions like extra passwords
If a service insists on requiring security questions for password recovery or reset, don't use anything anyone else can research. Instead, treat security questions as extra password fields.
Generate long, strong blobs of pseudo-random characters and store them in your password manager. Then, if you ever need them, copy/paste them in.
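To make the "long blob of pseudo-random characters" advice from the password and security-question sections concrete, here is an added example (not code from the original article or from any password manager) that draws a password from the operating system's cryptographic random source, estimates its entropy, and rejects leet-substituted dictionary words like d!ct!0n@ry. The small word list is constructed for the demonstration.

```python
import math
import secrets
import string

# Every position may be a letter, digit or symbol (94 characters in total).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed sample word list; a real check would use a large dictionary.
SAMPLE_WORDLIST = ["password", "dictionary", "welcome", "letmein"]

# Common "leet" substitutions undone before comparing against the word list.
LEET_TABLE = str.maketrans("!@0$31|", "iaoselil"[:7])


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def looks_like_dictionary_word(candidate: str, wordlist=SAMPLE_WORDLIST) -> bool:
    """True if the candidate is a dictionary word after undoing leet tricks."""
    normalised = candidate.lower().translate(LEET_TABLE)
    return normalised in {w.lower() for w in wordlist}


def generate_password(length: int = 24, alphabet: str = ALPHABET) -> str:
    """Draw `length` characters uniformly at random using secrets (the OS
    CSPRNG), never random.random(); regenerate on the rare dictionary hit."""
    if length < 1:
        raise ValueError("length must be positive")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not looks_like_dictionary_word(candidate):
            return candidate


if __name__ == "__main__":
    pw = generate_password(24)
    print(pw, f"{entropy_bits(len(pw), len(ALPHABET)):.1f} bits")
    # Length matters more than exotic symbols: 16 lowercase letters beat
    # 8 characters drawn from the full 94-character alphabet.
    print(f"{entropy_bits(8, 94):.1f} bits vs {entropy_bits(16, 26):.1f} bits")
    print(looks_like_dictionary_word("d!ct!0n@ry"))  # True
```

The same generator works for security-question answers: generate one blob per question and keep it in the password manager alongside the account.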
Don't just use passwords
A password is a single factor. If that's all you use and someone somehow gets your password or security questions, they can get access to your account.
Add in a second factor, though, and the password only gets them halfway.
Do use 2-factor authentication
Most major online services, including iCloud, offer 2-factor authentication (2FA). Apple's version pops up a token code on your iPhone, iPad, or Mac, and you have to punch it in to get access. Other systems use apps like Google Authenticator, 1Password, or Authy to supply you with a token. (If the service only offers tokens over SMS, it's not as secure — contact them and ask them to provide proper 2-factor support.)
Don't click on links in emails
Phishing is when a hacker sends out volumes of fake emails saying there's a problem with your account, a special deal you can get, or anything else designed to entice you to click on a link. Spear phishing is similar, but targeted just at you, and is often more personal and even more enticing. The link leads to a fake account page where they hope you'll type in your real password so they can capture it. Never click a link in any email asking you to enter your login information anywhere.
Do go to account sites directly
If you get an email from Apple, Google, Microsoft, Dropbox, or anyone else stating there's a problem with your account, open your browser and type in the website address yourself — iCloud.co.uk, Gmail.co.uk, dropbox.co.uk, etc. — and then use your password manager to log in.
If there is a problem, there should be a notification for that problem on the account page along with any real steps you need to follow.