1. Having a strong password actually can prevent most attacks
Yahoo's Chief Information Security Officer Alex Stamos has spent most of his career finding security vulnerabilities and figuring out how attackers might try to exploit software flaws. He's seen everything from the most devious hacks to the simplest social engineering scams. And in all that time, he's found that there are two simple solutions for the vast majority of users: strong passwords and two-factor authentication.
Stamos says that the biggest problem is that the media focuses on stories about the deepest and most complicated hacks, leaving users feeling like there's nothing they can do to defend themselves. But that's just not true. He told me via email:
I've noticed a lot of nihilism in the media, security industry and general public since the Snowden docs came out. This generally expresses itself as people throwing up their hands and saying "there is nothing we can do to be safe". While it's true that there is little most people can do when facing a top-tier intelligence apparatus with the ability to rewrite hard drive firmware, this should not dissuade users from doing what they can to protect themselves from more likely threats and security professionals from building usable protections for realistic adversaries.
Users can protect themselves against the most likely and pernicious threat actors by taking two simple steps:
1) Installing a password manager and using it to create unique passwords for every service they use.
2) Activating second-factor authentication options (usually via text messages) on their email and social networking accounts.
The latter is especially important since attackers love to take over the email and social accounts of millions of people and then automatically use them to pivot to other accounts or to gather data on which accounts belong to high-value targets.
So I would really like the media to stop spreading the idea that, just because incredible feats are possible on the high end of the threat spectrum, it isn't possible to keep yourself safe in the vast majority of scenarios.
Adam J. O'Donnell, a Principal Engineer with Cisco's Advanced Malware Protection group, amplified Stamos' basic advice:
Oh, and my advice for the average person: Make good backups and test them. Use a password vault and a different password on every website.
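As an added example (not code from the article, and not Yahoo's or Cisco's), here is a small Python simulation of the password half of the advice above: Stamos' step 1 (a manager-generated unique password per service) and O'Donnell's "different password on every website". The four site names, the user and the reused password "Summer2014!" are constructed; the Site class is a stand-in for a service that stores salted PBKDF2 hashes, and credential_stuffing models the automated replay of leaked credentials that Stamos describes as pivoting from one compromised account to others.

```python
# Added example (not from the article, Yahoo or Cisco): why a unique, randomly
# generated password per service stops an attacker from pivoting out of one
# breached account. Site names, the user and the reused password are
# constructed for the demonstration.
import hashlib
import hmac
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Build a password the way a password manager does: a CSPRNG pick per character."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Guessing entropy of a uniformly random password of this length and alphabet."""
    return length * math.log2(alphabet_size)


class Site:
    """Constructed stand-in for a web service that stores salted password hashes."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._users: dict[str, tuple[bytes, bytes]] = {}  # email -> (salt, hash)

    @staticmethod
    def _hash(salt: bytes, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

    def register(self, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[email] = (salt, self._hash(salt, password))

    def login(self, email: str, password: str) -> bool:
        record = self._users.get(email)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(stored, self._hash(salt, password))


def credential_stuffing(leaked: dict[str, str], targets: list[Site]) -> list[tuple[str, str]]:
    """Replay (email, password) pairs leaked from one site against other sites.

    This is the automated pivot Stamos describes: no exploit, just reuse.
    Returns the (site, email) pairs the attacker logged into.
    """
    return [(site.name, email)
            for email, password in leaked.items()
            for site in targets
            if site.login(email, password)]


def simulate(reuse_password: bool) -> int:
    """Register one user on four constructed sites, breach one, count the pivots."""
    sites = [Site(n) for n in ("forum", "mail", "social", "bank")]
    email = "alice@example.com"
    vault: dict[str, str] = {}  # what a password manager holds: site -> password
    for site in sites:
        vault[site.name] = "Summer2014!" if reuse_password else generate_password()
        site.register(email, vault[site.name])
    # The forum is breached and alice's password there is recovered in the clear.
    leaked = {email: vault["forum"]}
    others = [s for s in sites if s.name != "forum"]
    return len(credential_stuffing(leaked, others))


if __name__ == "__main__":
    print("bits of entropy in a 20-char manager password:",
          round(entropy_bits(20, len(ALPHABET)), 1))
    print("accounts lost with one reused password:", simulate(True))
    print("accounts lost with unique passwords:   ", simulate(False))
```

Run as a script, the simulation reports three of the four accounts lost when the forum password is reused everywhere and none when each site has its own manager-generated password; the 20-character password from the 94-symbol alphabet carries about 131 bits of entropy, far beyond what online guessing or offline cracking of a salted PBKDF2 hash can reach.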
Yep, having a good, unique password for every account is easy — and, together with two-factor authentication, it's still the best thing you can do.