How to make sure data you store in the cloud stays secure

OneDrive on Android
OneDrive on Android (Image credit: Windows Central)

In the wake of high-profile hacks and thanks to awareness campaigns like Data Privacy Day, many people are coming to the realization that their cloud storage isn't exactly as secure as they thought. While all the blame in the world can be placed on the hackers responsible, this sort of thing will almost certainly happen again, and placing blame won't protect your data if it is targeted. No matter what cloud storage service you use, there are a few things you can do to ensure sensitive data remains as secure as possible.

Dealing with passwords

When it comes to passwords, there are some general rules to follow that will make it harder for hackers to guess or brute-force their way past the gates you set up.

Ditch old, weak passwords

The old TV trope of guessing a user's password by simply typing "password" didn't come about for no reason. Plenty of people used to (and likely still do) use a variation of this weak password.

Setting your password to something as easy to remember as "password" or something close — like your birthday, hometown or address — means any interested hackers will have an easy time getting in.

A strong password is a long password that includes letters, numbers, and symbols arranged in no particular pattern. These passwords are virtually impossible to guess, and using brute force takes longer for longer passwords. These can be difficult to remember, but that's where password managers come in.

Use different passwords for different services

Creating a great password for your cloud storage account will keep your data safer in the long run, but not if you use that same password for other services. Say you create an account on a random shopping website so that you can receive newsletters about sales, and you use the same great password you used for, say, OneDrive.

Now it's revealed that the shopping website didn't really protect its users' information, and an interested hacker has a new collection of passwords. Because your password isn't different between services, that one weak website has potentially compromised a collection of services you use every day.

Use a password manager to keep track of your passwords

One of the main reasons people use short, common passwords is because they're easy to remember. Now that you have a different strong password for each service, they're not exactly easy to keep track of. Enter password managers. These services will keep track of all your passwords, will auto-fill password fields, and will even generate quality passwords so you don't have to. There are plenty of password managers out there, but check out our choice for the best:

True Key manages all your passwords in Edge with no hassle

Play it smart when using security questions

Plenty of services will ask you to provide a security question or two when you sign up. These security questions can be used in the event of a forgotten password, but they can also be used as a way for other people to get into your account. Why? Most security questions involve something about your school, your hometown, or your mother's maiden name. In plenty of cases, especially if you're at all in the public light, the answers to these questions can be researched and found.

If you have the option, forego adding security questions. If the service you're signing up for requires you to add a security question or two, don't use answers that can be researched. Instead, create a long, strong password as an answer to the security question. Store the "answers" in your password manager and access them if the need arises.

Setting up two-factor authentication

On top of creating a strong password as an access point to your data, setting up two-factor authentication (2FA) should be done wherever possible. Once 2FA is set up, you'll receive a unique code that must also be entered. Many services will text a code to your phone, while others take advantage of dedicated apps that deal with distributing your 2FA codes. This extra step will take more time to log in, but it is invaluable.

How to easily check if your favorite service has two-factor authentication

YubiKey

YubiKey is a neat little tool that gives you 2FA to carry around in your pocket. It's essentially a USB stick you can put on your keyring, or around your neck, that is compatible with Windows Hello and a number of other services, including Dropbox and several password managers.

In order to, say, get into your password manager's vault of saved passwords (an incredibly potent vault), you have to enter the master password plus insert the YubiKey into a USB slot on your PC. Any would-be hackers would need to actually get the physical YubiKey from you, providing that crucial secondary authentication method.

See at Amazon (opens in new tab)

Encrypting your data in the cloud

When you upload photos and data to the cloud, you expect some privacy and security, which, in most cases, comes in the form of encryption. And not only transit encryption, but resting encryption for your files that are already saved in the cloud. Many services already provide this level of security — some require you to go with business accounts — but there is still a problem. In most of these cases, the cloud service itself holds the key to the encryption, meaning if they are compromised, your data will potentially be served up on a platter.

Instead of trusting the cloud service to safeguard the key to your data, you can take matters into your own hand by encrypting especially sensitive files before they even leave your PC. There are plenty of these encryption services available, including Boxcryptor and Rclone, but make sure to pick one that is compatible with your cloud service of choice. Remember, you don't have to personally encrypt everything that goes into the cloud, but you'll be glad if you did in the event of a hack.

If you're particularly concerned about the security of the internet connection you're using — most important if you frequent public spaces with free Wi-Fi — adding a VPN service to the mix isn't a bad idea. It will up your privacy when it comes to essentially any online activity, which is a major goal here.

If you're not sure where to start, we've put together a beginner's guide that will get you up to speed, and we've also rounded up the best VPN services out there.

Best VPN services

Avoiding phishing and scams

Now that you've created a strong password and have set up 2FA, you must remain vigilant when it comes to phishing. Phishing tactics usually involve an enticing or official-looking email sent your way that requires you to click a link and enter your password on the website the link opens.

These nefarious sites will closely resemble official sites, but they are designed to nab your username and password — no matter how strong — with your help. If you ever receive an email asking you to sign in through a link, ignore it.

Instead, navigate your way to the website in question by typing it into your browser. This ensures you're accessing the real website, and any problems mentioned in the suspect email (if they exist) should also be evident when you log in.

The number one rule to avoid phishing is to be wary at all times when navigating the internet. If something seems off or a little too good to be true, it probably is.

The bottom line

Although nothing is ever 100 percent safe online, following the methods explained above will help keep your data safer than before. If you're sending private documents to other people, don't forget to ensure they're also following these guidelines for keeping online data safe.

Updated January 28, 2019 It's Data Privacy Day again and we've refreshed this article in the hopes that it will help keep more than a few people from any unfortunate leaks or hacks.

Cale Hunt
Senior Editor, Laptop Reviews

Cale Hunt is a Senior Editor at Windows Central. He focuses mainly on laptop reviews, news, and accessory coverage. He's been reviewing laptops and accessories full time since 2016, with hundreds of reviews published for Windows Central. He is an avid PC gamer and multi-platform user, and spends most of his time either tinkering with or writing about tech.

20 Comments
  • How does OneDrive stack up against hacking (presuming your passwords are good and secure)? Can't figure out if OneDrive offers encryption natively or you have to encrypt stuff first, then save up? Is it all related to NTFS encryption, BitLocker, etc.?
  • you can not keep things safe in the cloud.. PERIOD..
  • Really?! The security posture of all the mainstream cloud providers outstrips the on-prem posture of 98% of the companies out there by *orders* of magnitude. You're probably 10x safer in the cloud than rolling out and maintaining your own infrastructure with your own resources. Nothing's 100% sure, but in terms of measured RISK?! The cloud completely destroys on-prem. (And no, I do not work for any cloud provider.)
  • Does Microsoft accept 16> password length now?
  • MS Account accepts at least 25 characters (tried by myself), but I think there are no limit
  • So it's a recent change (and silent), because some weeks ago it wasn't possible.
  • Back in the 17th of februar after a certain event I changed to 50 long one. So if you are experiencing issues, maybe it is regional or contains some invalid characters. Unfortunately some providers accept invalid characters and lengths, but only AFTER changing the password. This causes the service to tell your new password is incorrect, then though it is not, next time you sign in.
  • SpiderOak provides cloud storage where the local client encrypts the data BEFORE it is sent up to the server.  Since it is encrpyted on your system, even the employees cannot access your files even if you WANTED them to. Of course, lose the passphrase for the encryption and, well,.. your stuck!  Also, that means yet another "password" to remember.
  • It's essentially useless since your data resides in a place where by law it can be subject to checks. In the US may work well. Perhaps other places in the Anglosphere. Much less useful for the others. Even without that, data transiting online is subject to a lot of things and while residing in the the cloud ( which is a physical device somewhere else) is not safe either. I deleted my Dropbox account when they changed their terms of use. I have my 1tb of cloud on Microsoft office entirely unused. The cloud is simply unsafe. I use a NAT and sleep tight.
  • In the article, the link to Best Password Protectors is broken. Anyone have it? Post here?
  • Are you talking about the link to the best password managers? Seems to be working for me...
  • Can someone explain Password Managers please? Doesn't using a password manager mean that ALL your passwords would then be stored somewhere in the 'Cloud' for a hacker to potentially get at? Doesn't sound at all secure! I am very wary of putting anything on the 'cloud' because it means there must be an administrator out there somewhere who potentially has access to that information. How can I really know my information is secure?
  • The idea is to use one very strong, very difficult password that you can remember for the password manager, with 2FA or even something like a ubikey, and store your account information there. I use my password manager to generate my usernames, when they aren't an email address, and passwords for me with the greatest complexity that the site will allow. That ensures it won't be possible to guess it and helps me avoid duplication.
  • First, in most password managers like LastPass, all the passwords are encrypted in the servers, so even if a hacker intercepted the datas, they won't be readable unless the hacker spends the last days of his life trying to crack the passwords. Second, those servers are much more protected than your regular notebook with passwords since they have actual trained professionals that have experience with it.
  • You would have thought Equifax would have trained security professionals, but hackers managed to get access to half of America's personal data. This article is very good. I practice some of these things, but not all. More layers of security usually means more inconvenience. I also don't trust password managers. All it would take is a keyboard sniffing virus to get your password to your password manager and then they would have access to everything you own. Two factor authentication and that key thing would help protect you from this though. Other things I worry about is how easy it would be to spoof being you on the phone with your bank. This is why any identifying personal information should be treated with security measures. For example, do not give out personal information via email. If a hacker has enough information about you, they might be able to fool the bank they are you and have your password reset. And finally, you should freeze your credit line. A law passed last year make it free. With the Equifax data breach, and many others that have happened in the last few years, you can pretty much assume your personal data is all over the dark web.
  • What is the computing cloud? A collection of computers, sitting in someone's warehouse/building. Where they have access to your stuff anytime.
    Equals no security!!!!
    What is needed is a big storm, to blow away the the most insecure, computer platform to date.
  • ...you do realize that it is just illegal for companies to just check other people's data without their consent except for cases with the justice. Also, cloud storage is MUCH more secure than a single hard drive at your house that can be destroyed or stolen easily. Those datas are much more protected in servers with actual trained professionals that are hired to protect the network than a regular guy that is forced to use a computer for their work.
  • Is anyone successfully using a Yubi key Nano with a 950/XL with NFC? I have read both positive and negative experiences.
  • One thing to keep your data safe is never SHARE from OneDrive. The link it creates and emails out is a PUBLICALLY accessible link. :( You say share with a person and anyone who intercepts or is forwarded that email has full access without you knowing to the shared data. OneDrive needs authenticated sharing so it can keep your data private.
  • As precaution procedures, all what you have mentioned are ok, but yet you need to use a service such Tresorit that secure your data from their side as well, no one can access accept you. I love that.