Chapter 2: Account security

Introduction

This section contains activities and a case study designed to get journalists thinking about how best to protect their online accounts. Many journalists also use their personal accounts for work, leaving them and their information more vulnerable to digital threats, including hacking attempts and targeted phishing campaigns.

This chapter will cover:

  • Best practice for managing content in accounts
  • How to create secure passwords and where to store them
  • What two-factor authentication (2FA) is and how to use it
  • Guidance for better protecting against phishing

Training journalists for the first time?

Take a look at our helpful guidance below:

  • Journalists often use their online accounts for both personal and work purposes, especially if they are freelancers. This means they have a lot of sensitive content stored in their personal accounts. Journalists should be encouraged where possible to separate their online accounts into work and personal ones.
  • Journalists are often unaware of where information is being stored in their accounts and on their devices. Highlight the importance of carrying out an audit of their accounts and regularly backing up and deleting content. Trainers may wish to look at chapter five of this guide for more details on how to do this.
  • Media outlets sometimes encourage journalists to use their personal social media for work purposes, including contacting sources. These accounts are more vulnerable to attack as they are public facing and outlets often do not offer journalists help to secure them.
  • Journalists often have sensitive conversations with sources via social media platforms and/or email. These communications are being stored by the tech platform and can be subpoenaed at a later date (this means that someone, like a security service, can ask a court to give them access to the content of those accounts, though the company can challenge this in court). It is important to tell journalists that even though they delete content, the company is still keeping a copy of that data. If sources are reaching out via social media, journalists should be encouraged to move conversations over to a more secure means of communication, such as Signal or WhatsApp. This will be covered more in the chapter on secure communications.
  • Media outlets often have outdated guidance on best practice for passwords and two-factor authentication. This outdated guidance might include recommending that journalists use short passwords with a lot of random-looking characters, or that they change their passwords frequently. It is important to acknowledge this and tell journalists that you are teaching them the current best practice, which they should use for all their personal accounts. You can explain that some of this outdated guidance applied at a time when password and computer technology was a little different.
  • Journalists working for media outlets are likely to have questions around how best to share passwords with team members. This is often because more than one person needs access to the outlet’s official social media accounts. They are likely to be currently storing their passwords in a spreadsheet which they share with others.
  • Some journalists are at high risk of targeted phishing attacks, which are skilfully crafted and can be difficult to detect. It is important for the trainer to highlight which governments or online threat actors typically use phishing techniques and share the tactics that they use in the local context. The trainer should provide practical guidance on how best to protect against phishing. Telling journalists not to click on links or documents is not feasible as journalists frequently need to do so for their work.
  • It’s important for journalists to understand their own risk profile when it comes to account security. The trainer should set aside time to complete the risk assessment document on account security.

Training digital security for the first time?

This section covers best practice that can be used when teaching the activities in this chapter. See the resources section in this chapter for further reading.

Gaining access to data

  • There are a number of ways that people can obtain data from online accounts. These include hacking the account by guessing the password, putting malware on a device that allows someone to access information, physically taking a device and looking at the data, and a legal request from a government to a company for data.
  • To best protect data from legal requests and data breaches, journalists should ensure that their data is being kept in an encrypted form on the server of the company they are using. They can do an online search for the name of the company using the keyword encryption to find out how their data is being stored. This can be followed up by looking at the terms and conditions for each company to see how information is kept.

Managing content in accounts

  • Having sensitive and personal data sitting in accounts can put journalists and sources at risk if those accounts are hacked or if someone gains physical access to them.
  • Encourage journalists to back up and remove data that they no longer need in all their accounts, including email, social media platforms and cloud accounts. They should be encouraged to remove both personal and work items, such as personal direct messages, photos, sensitive work documents, and more.
  • Even though data is deleted from the personal accounts, a copy of that data may still sit on the server of the company and can be subpoenaed by a government.

Two-factor authentication

  • One of the best and fastest ways to secure an account is to turn on two-factor authentication, also known as 2FA. Two-factor authentication is another layer of security added to an account to better protect it. It normally takes the form of a code sent to a device or it can also be a hardware key that can be inserted into a computer or phone.
  • Why use 2FA? In order to gain access to someone’s account, the attacker would need to have the email address, the password, and the code. Turning on 2FA significantly protects accounts from being hacked.
  • There are a number of different types of 2FA, including SMS, email, authenticator apps, and security keys. Which one your journalists use depends on the threats that they face.
  • You can add more than one 2FA option to an account. For example, an authenticator app and a security key. This is important because it stops people from being locked out of their accounts should they lose access to one form of their 2FA.
  • If a company offers 2FA it should also offer the option of saving a backup code or backup codes for that account. These are one-time codes that can be used should the journalist be unable to access their form of 2FA.
  • While SMS is suitable for the majority of people, it may not be secure for journalists facing threats from government actors or other very highly skilled actors. This is because the code could be intercepted or accessed via the telecommunications company. When teaching about 2FA, emphasize that SMS-based 2FA is far better than having no 2FA at all, but that we heavily encourage journalists to take up other forms of 2FA instead.
  • Where possible, encourage journalists to use an authenticator app. These are easy to set up and free to use. There are a number of apps available, and it’s easiest to go with a mainstream one like Google Authenticator.
  • Security keys are physical devices that you link to your accounts. To link the key to your account you have to insert the key into your computer or phone, go to the account you want to add the key to and follow the steps to set up 2FA. It is advisable to have more than one key linked to the account in case of loss or theft. Keep one key with you, for example on your keychain, and store the other key somewhere safe. Once set up, when you log into your account you will need your email address, your password and you may be prompted to insert your security key. Security keys are an effective way to prevent phishing attacks. For more details, see the section on phishing below.

Passwords

  • A good password is a long password, more than 15 characters. This is because the longer it is the more difficult it is for a computer algorithm to crack.
  • There are two types of passwords: passwords made up of a mixture of numbers, symbols and letters, and passwords that are made up of a random collection of words. The latter are called passphrases. Both types of passwords are fine to use. People often find it easier to remember passphrases, so this may be a better option if the journalist is not able to use a password manager.
  • Do not use personal data, such as a date of birth or pet’s name, when creating a password. This information can easily be obtained online and used to guess your password.
  • Do not reuse passwords; use a different password for each online account. This is because companies are often hacked and people’s personal data, such as email addresses and passwords, are stolen. These are then sold online to others, such as criminals and governments. If a password is breached and you have used that password on more than one account then the other accounts are vulnerable. The password for your email service is particularly crucial; if an attacker breaches this account, they can not only read your messages and send messages on your behalf but also reset passwords for all your other accounts.

Password managers

  • Password managers are currently the most secure way to protect passwords. A password manager is a service that creates, stores and automatically fills out a password for an account. It can be downloaded as an app, used as a plug-in in a browser, and also accessed via a website.
  • There are a number of password managers available. When choosing a password manager, do an online search to see if the company has had any security breaches, check to see if they do discounted accounts for journalists and media outlets, and review any special features they may have, such as a travel mode.
  • Ensure that the password manager is protected by a long and unique password. It may help to think of the password before downloading the password manager.
  • When a journalist adds an account to their password manager they should ensure they generate a new password for it.
  • Password managers help protect against a type of phishing attack where the attacker creates a fake login page, for example a fake login for Gmail. Those types of attacks will use a fake URL, such as gmaiil[.]com. Since a password manager reads a website’s URL and only fills in the saved password if the URL matches that of the real website, it will be able to spot and prevent such an attack.
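
As an added illustration of the URL check described in the last point (not part of the original guide and not any particular password manager's code), the Python sketch below fills a saved login only when the page's host exactly matches the host it was saved on. The vault entry, the sample URLs and the exact-match rule are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Constructed vault entry: the login is stored against the exact host it was saved on.
VAULT = {
    "accounts.google.com": {"username": "reporter@example.org",
                            "password": "placeholder-not-a-real-secret"},
}


def normalise_host(url):
    """Return the lower-case ASCII host of an https URL, or None if unusable."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme != "https" or not parts.hostname:
        return None
    try:
        # IDNA encoding turns look-alike Unicode letters into a visible "xn--" form.
        return parts.hostname.rstrip(".").encode("idna").decode("ascii")
    except UnicodeError:
        return None


def decide_autofill(url, vault=VAULT):
    """Return (credentials or None, reason). Fill only on an exact host match."""
    host = normalise_host(url)
    if host is None:
        return None, "not a valid https page"
    entry = vault.get(host)
    if entry is None:
        return None, f"no saved login for {host}"
    return entry, f"saved login matches {host}"


# Constructed test pages: the real login host first, then look-alikes.
SAMPLES = [
    "https://accounts.google.com/signin",
    "https://gmaiil.com/signin",                     # misspelt domain, as in the text
    "https://accounts.google.com.login.example/",    # real name used only as a prefix
    "http://accounts.google.com/signin",             # unencrypted page
    "https://accounts.g\u043e\u043egle.com/signin",  # Cyrillic letters in place of "oo"
]

if __name__ == "__main__":
    for url in SAMPLES:
        creds, reason = decide_autofill(url)
        print("FILL  " if creds else "REFUSE", ascii(url), "-", reason)
```

Only the first sample is filled; a person reading quickly could mistake any of the others for the real page, which is why the comparison is left to the software.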

Phishing

  • A phishing attack is used to obtain someone’s personal data, such as account login details or financial information. A message is sent to a user encouraging them to click on a link. While pretending to be legitimate, this link can lead to a fake login page which will capture login credentials, or can contain malware that, once downloaded onto a device and run, can obtain sensitive data or lock the user out of their computer. Some phishing attacks target many people with the same link. Others can be highly targeted.
  • A spear phishing attack is an attack directed at an individual or small group of people. The adversary will normally spend time studying the person or people and collecting personal data on them. This information will then be included in a message sent to the targeted person along with a malicious link. Spear phishing attacks can be very difficult to spot because they have been designed with the target in mind. These types of attacks are commonly used by governments and online hacking groups to target journalists.

Completing the risk assessment

When speaking about the risk assessment and personal security plan it may be helpful to touch upon the following:

  • Encourage journalists to think about who may wish to target their accounts and the tech capacity of those threatening them. To find out the tech capacity, the journalist should look up the adversary online along with key words, such as hacking, identity theft, phishing and spyware. If the threat is a government, the journalist should also check whether new legislation is being passed to allow them easier access to data. Journalists should use keywords, such as media and communications law or terrorism acts, when conducting the search. They should also be encouraged to check annual transparency reports published by major tech companies to see whether they are complying with government requests for data.
  • Encourage journalists to research the online services they use or want to use. Ask them to look into who owns those services, how they store their data, where that data is stored, and whether they share data with others. Highlight how it’s best to use services which share as little data as possible with others.
  • Journalists at high risk, either because they are already facing attacks or because they are likely to be targeted by sophisticated hacking or phishing attempts, should be encouraged to take immediate steps to secure their accounts.
  • Journalists are likely to be hesitant about managing content in their accounts and separating out their work data from their personal because of the length of time it will take, and the resources required, such as funds for extra devices. It can be helpful for the trainer to speak with the journalists about the accounts and find out which ones are the most important to secure first. This can include accounts with large amounts of personal or sensitive data.
  • Some journalists, such as those who regularly travel or work within sensitive regions, might be at risk of being detained, being forced to unlock their devices, and having those devices searched by authorities. If this is a risk, talk to journalists about what information they keep on their devices (including in any password managers that might be within those devices) and what steps they could take to reduce the amount of information at risk. Those steps could include giving pseudonyms to key contacts in their address book and using disappearing messages. We look a bit more into that in chapters 3 and 6.

Common questions asked

Below are some common questions that journalists ask about account security. It can be helpful to have answers to these prepared in advance.

How can I manage all the content in my accounts, it’s so much?!

Explain that little and often is key here. Journalists should prioritize the accounts they feel are most important or vulnerable and start to back up and remove content. It is often easier to set aside 10-15 minutes on a regular basis to remove content rather than try and do it all at once.

What happens if I turn on 2FA but lose my phone or security key?

This is a very common question. Explain that you can add more than one type of 2FA to the account to protect against this. All services offering 2FA should also have the option to save backup codes which will allow the journalist to enter the account should they lose access to their phone or key. If they are using an authenticator app, most of these now give the option to save the backup codes online. If the journalist is using a security key then they will need two, one as a backup which should be linked to the accounts and then stored somewhere safe.

What happens if someone hacks the company that provides me with my password manager?

Stress that password managers are currently the most secure way to protect passwords for the majority of people. Explain that these companies are keeping that data on their servers in an encrypted form, which means that even if they are hacked the attackers should not be able to obtain that data. What is important is that the journalist secures their own password manager account using 2FA and a long password that has not been used on any other account. Explain that attackers largely gain access to accounts because people reuse passwords or are using short passwords that are easy to guess.

My threat is a government and I’m at high-risk of surveillance and/or detention. What should I do to better secure my accounts?

More information would be needed here in order to better advise the journalist. He or she should have an individual consultation to work out the best way to secure their accounts. It’s important to highlight that even though they are using passwords and 2FA they may still be physically asked to unlock their accounts. It may also be wise for them not to use a password manager if they are at risk of people accessing their devices.

Learning outcomes

At the end of the session journalists:

  • Understand the threats that their accounts face and have a greater awareness of how their work could mean they are more at risk of particular attacks
  • Know what makes a strong password and are confident about being able to create one
  • Know what 2FA is and know the steps needed to set it up on their accounts
  • Learn about different types of tools and services that can help them to protect their accounts, including different forms of 2FA, and password managers

Templates and tools

The following templates and tools can be useful for teaching this session:

  • Different types of 2FA services, including authenticator apps and security keys. See the section, Training digital security for the first time?, for more information.
  • Options for password managers. See the section, Training digital security for the first time?, for more information.
  • Risk assessment template

Resources

The following resources may be helpful for teaching this chapter:

Create and maintain strong passwords by Security in a Box

Using password managers to stay safe online by the Electronic Frontier Foundation

Phishing prevention and email hygiene by the Freedom of the Press Foundation

Using physical security keys to secure accounts against phishing by the Committee to Protect Journalists

Use a security key by Consumer Reports Security Planner

Set Up Multifactor Authentication by Consumer Reports Security Planner

Get a Password Manager by Consumer Reports Security Planner

Activities

The activities below are designed to accompany this training session on account security. Trainers should feel free to use their own activities as well as to adapt the materials in this guide to best suit the needs of the journalists they are training. The number and type of activities selected will depend on the level of knowledge of the trainer as well as the amount of time the trainer has to spend with the participants. For those new to training in digital safety, don’t forget to review the section, Training digital security for the first time?, for best practice guidance.

Getting started

What’s in your accounts?

Learning outcomes: Journalists become more aware about what content is stored in their accounts and how it can put them and others at risk.
Time: 45 minutes
Difficulty level: Low
Resources: Whiteboard or flipchart, board pens, PPT slides

Step one

  • Ask the journalists to brainstorm all the different types of accounts they have on a piece of paper. They should think about accounts they use for communicating with others, shopping apps, apps for travel, etc.
  • Then ask the journalists to list the different types of content they hold in accounts, for example home address, credit card details.

Step two

  • Facilitate a discussion on what the journalists learned from doing this activity. Ask the following questions:
    • What did you learn from doing this activity?
    • Did you learn anything surprising?
    • What information is at risk in your accounts? What steps do you think you can take to protect it?

Step three

Walk journalists through basic best practice for account security. This can include:

  • Having separate work and personal accounts. Separating out information online helps prevent all your personal data being accessed should one account be breached.
  • Reviewing content held in accounts and backing up and deleting information that is no longer needed.
  • Checking what information is publicly viewable on social media sites by reviewing the privacy settings.
  • Carrying out an online search for their data by looking their name up online on all search engines. Journalists should review photos and videos as well as web results. Consult chapter seven for more details on how to
  • Checking whether their accounts are logged in on other devices. Journalists can check this either in the settings section under account activity or security check up. If they see a device they do not recognise linked to their account they should take a screenshot of the information in case they need to show this data to anyone else, such as an editor. They should then remove the linked device and change their password.

Knowledge building

I Risk and technology

Learning outcomes: Journalists start to think about the risks involved in using technology both in their personal lives and their work environment and how their work increases that risk. Participants gain a deeper insight into how others in their network can increase or decrease their risk.
Time: 45 minutes
Difficulty level: Medium
Resources: Board or flipchart, pens

Trainer note: this activity follows on from the introductory activity at the beginning of this chapter. Some of this activity asks journalists to talk about possibly sensitive issues. Remind them that they do not have to talk about their own personal experiences; instead, they can speak about more general issues. Best practice for this activity can be found in the section, Training digital security for the first time?, located at the beginning of this chapter.

Step one

  • Ask the journalists to look at their work on their use of technology from the previous exercise. Ask them to think about what possible risks they could face from using technology. For example, are they concerned about hacking of their accounts? Do they worry about what data apps and services are collecting about them? Would they like to know more about how to secure sensitive documents?

Step two

  • Write up the following: What do you want to protect? Who are you protecting it from? How will you protect it? What happens if you fail to protect it?
  • Ask the journalists to look at the questions and to think about what threats they could face. Ask them to write down answers to the questions.
  • Help them think about the types of data that could be most vulnerable, for example, financial data, sensitive documents given to them by sources.
  • Consider who may target them. For example, do they worry about being targeted by criminals who may steal their identity? Are they concerned about governments obtaining their data? Could they be threatened by online groups who may try to steal their information?
  • Tell them that they may not know how to protect themselves yet and that these will be skills they will gain during the training session.
  • Encourage them to think of the worst case scenario and what will happen if someone does gain access to their data. Explain that thinking about what could happen will help them plan to better protect it.
  • Encourage participants to think of where risks occur when their personal life overlaps with their profession, for example, using the same phone for work and personal communications.

Step three

  • Facilitate a class discussion on this issue, pulling out common themes and threats.

II Introducing the risk assessment

Learning outcomes: Introduce participants to the risk assessment and risk mitigation
Time: 45 minutes
Difficulty level: Medium
Resources: Whiteboard, flip chart, pens, risk assessment document

Trainer note: this exercise requires that trainers have a good understanding of what steps journalists can take to protect themselves online. Best practice for this can be found at the beginning of each chapter of this guide.

Step one

  • Ask the journalists what they are currently doing to protect themselves in terms of digital security. Facilitate a class discussion and point out common answers. Some frequent answers could include:
    • Using secure passwords
    • Having two-factor authentication turned on
    • Using Signal
    • Using a VPN

Point out that it’s not important that journalists know how to do all of these security steps yet as they will learn them throughout the course.

Step two

  • Ask the journalists whether they have heard of a digital risk assessment and what it does. Give a brief overview using guidance from earlier in this chapter to help you if needed.
  • Share the risk assessment template with the journalists and ask them to look through it. Answer any questions they might have.

Step three

  • Tell the journalists they are going to work alone to complete their section of the risk assessment titled thinking about general digital risk.
  • Journalists should work on answering the questions and providing concrete steps for mitigating risk.
  • Support should be provided should they have questions, doubts, or look like they need additional help.

Step four

Help journalists reflect on the process by asking the following questions:

  • What information have you learned in today’s session that has helped you make more informed decisions around this issue?
  • What else do you think you need to learn?

Case study

This case study accompanies the course material and provides journalists with real-life examples of digital threats against media workers. It can be used to promote discussion around different types of risks as well as serve as a way to teach journalists steps to better protect themselves and others.

Our writeup: Case study on account security

HRW’s writeup: Iran: State-Backed Hacking of Activists, Journalists, Politicians