Digital Security for Journalists

While we often worry about sophisticated digital attacks, the most common attacks for accessing news organizations’ accounts depend on only a few simple weaknesses. These weaknesses are usually a combination of predictable passwords, phishing emails designed to steal login credentials, as well as malicious file attachments in email and elsewhere. While the attacks are simple, so are the defenses. This collection of resources and learning materials will walk you through practices recommended by security specialists for defending your newsroom against common attacks on your accounts.

Security for Journalists,  The Basics / In Short

Protecting yourself, your colleagues, your organization and your sources starts with basic security practices.

  • Choose strong passwords, and do not use the same password everywhere
  • Use 2-step verification on your email and other critical accounts
  • Always check the URL before you enter a password
  • Be suspicious of generic messages that try to get you to click a link
  • Try to avoid downloading attachments, viewing them online if possible
  • Encrypt the drives of all your computers

Two decades after passwords became a part of daily experience, the most common password is still 123456. How far we’ve come. For some reason many people think dragon and shadow are clever passwords too. For the record, they are not. Nothing that appears in a dictionary is a good password…because you can give a dictionary to a computer and have it guess passwords, tirelessly, day after day, millions of guesses per second. This is why some sites require numbers and punctuation or especially long passwords.

Weird passwords can be hard to remember, so consider pass-phrases instead—simple combinations of multiple words.

These steps are free, easy, and dramatically increase security. There’s a lot more to know about protecting yourself, your colleagues, and your sources, but these are the basics. Every journalist whether working on a sensitive story or not—should be doing at least this much. (By Jonathan Stray)

Detailed information about the subject ;

How to: Enable Two-factor Authentication

Two-factor authentication (or “2FA”) is a way to let a user identify him or herself to a service provider by requiring a combination of two different authentication methods. These components may be something that the user knows (like a password or PIN), something that the user possesses (like a keyfob or mobile phone), or something that is attached to or inseparable from the user (like your fingerprints).

You probably already use two-factor authentication in other parts of your life.  When you use an ATM to withdraw cash, you must have both your physical bankcard (something you possess) and your PIN code (something that you know).  Right now, however, many online services only use one factor to identify their users by default—a password.

How do I enable 2FA?

This differs from platform to platform, as does the terminology used. Facebook calls the process “login approvals,” Twitter calls it “login verification,” and Google calls it “2-step verification.” To enable 2FA on most platforms, you will only need a mobile phone capable of receiving SMSes.

An extensive list of sites supporting 2FA is available at

If you want better protection against stolen passwords, you should go through this list, and turn on 2FA for all of the important web accounts you rely on.

Password Security for Beginners

It’s also important to use different passwords on different systems. Otherwise, anyone who is able to hack into the password database of your favorite artisanal cat toy supplier will also be able to get into your email. And if someone can get into your email, they can get into pretty much every other online service you use, because most services let you reset your password via email. Also, anyone who can get into your email can see all the messages you exchange with everyone else, which means your bad email security compromises other people. Not good.

Password managers make it easy to remember a single password, and still have long, unique passwords on all of your accounts. How is this possible? You use just one password to unlock your secure password “vault.” From your vault, you can quickly fill out login forms on all of your devices.

How do you get started?

A few password managers are usually recommended by security specialists, including LastPass, KeePass, and 1Password. They are all good options, but have different features that may impact which you want to use. Let’s quickly highlight some of the features of each tool. I’ve written guides for each, and pointed to links below.


Happy! Easy to use, and well-designed. Perhaps the easiest for unfamiliar users. Syncs to a desktop application so you can access your passwords offline.
Not so happy. More expensive than alternatives ($36 annually OR $65 one time), and does not natively support Linux.


Happy! Well-designed, easy to use, and it’s free. Supports many desktop and mobile operating systems.
Not so happy. Slightly more work to set up than 1Password (e.g., manually setting up keyboard shortcuts). Because it’s tightly integrated into your browser, you may sometimes have a difficult time accessing your passwords offline.


Happy! Free and open source. KeePass can work on most platforms and operating systems. With KeePass, you control where your data are located (e.g., you can be “offline only” if needed).
Not so happy. Not as intuitive, and not as well-designed as alternatives. Unlike 1Password or LastPass, KeePass isn’t really one tightly integrated application — it’s an ecosystem of compatible applications. It will also require you to find a sync tool (e.g., Dropbox) if you want to sync across devices.   ( By: Martin Shelton )

Encrypt Your Drive

You have to assume that you’ll lose your laptop, the same way you have to assume that someone will eventually try to open your unlocked front door. The only question is what happens next.

You probably have a login password on your computer. This is important, as it prevents anyone from opening your files…as long as they restrict themselves to using your computer in the normal way. It only takes a screwdriver to remove your drive and install it in an external case, so that it can be connected to any other computer. Then your login password means nothing, because the attacker never needs to log in.

The solution is to encrypt the entire drive so that it cannot be read without that login password. Modern operating systems make this very easy: both Windows and Mac have built-in whole disk encryption. You only need to turn it on. When disk encryption is on, the operating system automatically encrypts your data when you save it to disk, and decrypts it when you re-open your files, using a secret key derived from your login password.

Whoever ends up with your laptop gets only gibberish.

Whole disk encryption is another one of those easy things that dramatically improves security. Once again, it’s free and convenient and there is really no reason not to use it. Go turn it on right now. It may take a few hours to encrypt all your existing files, but you can use your computer while it’s happening.

It’s also possible to encrypt external hard drives and removable media like USB sticks—and you should definitely do this for any storage device that contains information you don’t want someone else to see.


Phishing is the practice of obtaining access by sending a message that entices the user to do something insecure. Hard numbers are impossible to come by, but I suspect that the majority of successful attacks on journalists involve phishing.

The classic phishing scam is an email asking the user to go to a site and enter their password for some reason.

Like all phishing, a fake login screen relies on tricking the user. Phishing is a social technique, not a technical trick. It’s fundamentally a con, relying on trust and laziness. Always manually check the URL before you enter your password on a web page.

Note that the URL you see in an email isn’t necessarily the URL you will reach if you click the link. Here is the phishing email sent to AP employees shortly before the AP Twitter account was hacked.

For insatance, It looks like the link goes to, but it actually went to a fake login page. This is because the text of a link has no necessary necessary relation to the URL—just like the link in the previous sentence does not go to the URL went to fake login page.

Internet Explorer, FireFox and Chrome show you where a link goes when you hover over it (before you click on it ) by displaying the actual destination URL the bottom of the browser window. It’s possible to turn on link previews for Safari. Unfortunately this won’t help if you view your email in Outlook or on a mobile browser.

This AP attack email appears to come from another AP staff member, but it doesn’t. Email is not a secure protocol and it is notoriously easy to fake the “from” field and other header information. Or the attackers may have gained access to one AP account and used it to send legitimate-seeming emails to other people. This is why it is so important to secure your accounts even if you yourself are not a target: you don’t want your credentials used to help fool someone else.

Attachments Security

Email attachments are particularly suspicious. They might obviously be applications, for example files ending with “.exe” on Windows (short for “executable”) or “.app” on Mac. Don’t ever run a program that someone sends to you by email, or any other insecure communication channel!

Other attachments are less obviously runnable programs. Common tricks are naming executable programs to look like document files and embedding scripts inside of documents. The bottom line is that attachments must be considered suspicious, especially attachments you were not expecting, or when attached to a suspicious message. If you’re using GMail, you can open attachments inside the GMail document viewer to avoid ever having to download them to your computer.