How to help your family stay more secure online

Many of us travel during the holidays to visit family, have them visit us, or at least touch base with those we haven't talked to in a while. One of the kindest gifts you can give beyond your own company and a new blender is to help relatives sort out online password and security problems that they may not even know they have.

The trick is to balance knowledge, agency, and capability. Don't set up your 97-year-old grandfather with a two-factor authentication approach unless he both wants it and can, unaided, use it. Likewise, your 22-year-old daughter living away from home after college might appreciate mom's password advice, but she might not take it to heart unless you share your own story of woe--and maybe pick up the cost of password-management software.

You may think this is a problem afflicting only older people--and for you, "older" might include people younger than me, a 40-something tech veteran. But I've increasingly found that teenagers up to those in their 20s can be surprisingly computer illiterate about matters we oldsters think are baseline, because modern OSes and other tools haven't required that they master the details to have effective access. Don't assume your niece or son-in-law is making smarter security decisions than mawmaw. (Mawmaw may have programmed mainframes for most of her working career, anyway.)

Of course, if you're asked for help, the sky's the limit in how well you can lock down somebody else's stuff. Just remember that you're the one they'll call when they can't unlock it.

Fresh passwords and keeping track

Picking unique, strong passwords for each service we interact with is the best plan. But you know very well that about 95 percent of your family members--unless they have computer-science degrees or work at companies that educate employees well about security--use "123456" or their child's or pet's name as their way in everywhere. (Replacing letters with common numbers or symbols doesn't help--"p@ssw0rd" is just as crackable as "password".)

Since the Target data breach in 2013 and after numerous well-covered security and privacy debacles in 2014, humans who normally could not care a whit about the integrity of their online identities and information are open to discussion. Some may have thrown in the towel and refuse to worry about it, assuming there's no way to be safe, of course, but others want a solution.

The simplest offer you can make is to help a relative come up with at least one strong, pronounceable password that doesn't entirely use words found in a dictionary and is sufficiently long. Using password software, I just generated the 14-character "spaj-i-odd-ord", which is acceptable at most sites. (I used 1Password for that. You can also turn to Keychain Access in Applications/Utilities: select File > New Password Item, and then click the key icon to choose among formulas.)

If your relation is comfortable with it, you can create the password with them and retain a copy of it in case they lose it later. A common rule is never to write one's password down, but that applies to people who are in a situation where other people regularly have access to their computer. Even if that's the case, writing it down somewhere where your flesh and blood or in-law knows to look later, but which isn't obvious or easily findable, is a good rule.

Then work with them to change their current password at every site they routinely use, especially banking, medical, or other financial sites. Even if they don't want you to know the password, you can help them think through where they have used the password. If a site has particular requirements, such as not allowing hyphens, removing hyphens or inserting a number should help, but have your relative write those variants down as well, preferably noting the exceptions.
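For readers who would rather script it, the sketch below is an added example, not the algorithm used by 1Password or Keychain Access. It builds a hyphenated, pronounceable password from random syllables, estimates its strength, and produces the hyphen-free or number-bearing variant some sites demand. The letter sets and the function names (`generate`, `entropy_bits`, `adapt_for_site`, `matches_scheme`) are assumptions made for illustration.

```python
import math
import re
import secrets

# Letter sets are an assumption for this example; ambiguous letters are left out.
CONSONANTS = "bcdfghjklmnprstvz"   # 17 choices
VOWELS = "aeiou"                   # 5 choices

def syllable():
    """One consonant-vowel-consonant syllable drawn with a CSPRNG."""
    return (secrets.choice(CONSONANTS) + secrets.choice(VOWELS)
            + secrets.choice(CONSONANTS))

def generate(n_syllables=5, sep="-"):
    """Pronounceable password such as 'kof-zem-bap-tud-nir' (19 characters)."""
    return sep.join(syllable() for _ in range(n_syllables))

def entropy_bits(n_syllables=5, extra_digit=False):
    """Bits of entropy, assuming the attacker knows this exact scheme."""
    per_syllable = math.log2(len(CONSONANTS) * len(VOWELS) * len(CONSONANTS))
    return n_syllables * per_syllable + (math.log2(10) if extra_digit else 0.0)

def adapt_for_site(password, allow_hyphen=True, require_digit=False):
    """Variant for a site with its own rules, as the article suggests:
    drop the hyphens and/or add a number. Syllables are fixed-length, so
    removing hyphens does not merge two different passwords into one."""
    if not allow_hyphen:
        password = password.replace("-", "")
    if require_digit:
        password += secrets.choice("0123456789")
    return password

def matches_scheme(password):
    """True if the string has the hyphenated CVC shape produced above."""
    syl = f"[{CONSONANTS}][{VOWELS}][{CONSONANTS}]"
    return re.fullmatch(f"{syl}(-{syl})*", password) is not None

if __name__ == "__main__":
    pw = generate()
    print(pw, f"{entropy_bits():.1f} bits")
    print(adapt_for_site(pw, allow_hyphen=False, require_digit=True),
          f"{entropy_bits(extra_digit=True):.1f} bits")
```

The strength comes from the random draw, not from the hyphens, so the variant without them is no weaker; write down which sites got which variant.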

Better still, for relations who have enough computer knowledge and moxie to deal with it, is to have them (or you) purchase and install 1Password or LastPass, which work on all the major desktop and mobile platforms. Both programs can generate strong passwords on demand, and offer browser plug-ins to allow filling in passwords on Web sites. In iOS, both offer iOS 8 extensions to fill in passwords within the Safari browser.

Because both packages have network-based synchronization, you can be an aid (again, with permission!) by being part of the synced set of systems for that relative's passwords. That can be as simple with 1Password as using a shared Dropbox folder to sync their password archive; or, in LastPass, for them to give you their account password, as LastPass has a Web app.

For an aged or ailing family member who has given you power of attorney in the case they are incapacitated, a shared set of their passwords can make it much easier to carry out tasks on their behalf and settle affairs.

Phishing, cc'ing email, and other monitoring

Scams are nothing new, but making sure your family is aware of how frequent the attempts are, even when they aren't sophisticated, is still critical. I have relations who cannot seemingly accept, even after being phished (having a spoof email lead them to a site at which they entered credentials for their email), that email messages can be forged as easily as someone could use a photocopy machine to invent an official-looking letter.

Older people are often targeted with a variety of online scams for several reasons: they tend to have more money more readily available; they are often, but certainly not always, less technically savvy; and as we age, our critical faculties may lag. And if someone has been scammed, they're often shy about discussing it with family or authorities, especially if they've been cheated out of money. Young people can also be remarkably credulous before they've made their way in the world, and may be equally embarrassed to talk about it.

Encourage family members to delete email (or report it as spam) that requests any personal or account information of any kind. Help them understand that no viable online service or financial institution will ever accept a credit-card number or ask for a password via email. You could also suggest they forward any such request to you for your evaluation, even though that increases your work load. Better that than help them recover from account hijacks. Particularly vulnerable relatives may agree to or ask that you have access to their email accounts to help them sort through nonsense.

Point them to resources in your state or at the federal level that they can refer to, such as Fraud Fighters at the Washington State Attorney General's site, or's online fraud information site. Bookmark the sites, too.

More insidious are look-alike sites that someone may be persuaded to visit by clicking a link in phishing email, or that their machines are redirected to after malware is installed. Those are harder to fight against. A recent study found that the best-composed fake pages could fool 45 percent of all visitors. But even the worst pages captured the belief of 3 percent of users. Telling relatives to type in addresses (like,,,, and the like) or use browser bookmarks that you can help them set up reduces some of the potential of being successfully phished.

Holidays are also a good time to make sure family members with Windows or Android devices have anti-malware/anti-virus software installed, to help deter some of the effects of clicking or tapping the wrong thing. Read the professional reviews, because there are so many options and lots of dubious review sites that receive commissions on sales. Some packages are outright purchases, while others require an automatically renewing subscription fee. (Attacks against Mac OS X have tended to be of the variety that cannot be caught in advance, although software like Little Snitch can help alert you to anything weird. iOS doesn't allow anti-anything software.) Some software will install browser plug-ins to alert or block even the most carefully composed forged site after it's been reported to a central registry.

You might also be able to help through remote access software on a desktop system. The service from LogMeIn (free for simple use) allows remote sessions--including remote control--without any prearrangement, just the installation of a tiny bit of software that you can guide the other party through. iTeleport for Mac OS X ($29.99) requires installation on any host computer and the use of a Google account login to tunnel through any intervening networks and allow remote access. (Back to My Mac is an option, but requires much more configuration and isn't terrific at crossing all network boundaries to make a connection.)

Nobody wants to have their accounts, finances, and private details exposed, but the cold, hard world is tough to navigate without a little help. You can be your family's digital lifesaver in just a well-spent afternoon.


Stories by Glenn Fleishman
