Here’s My Zoom Security Checklist

A senior video chats on a laptop computer on his living room sofa
Roman Samborskyi / Shutterstock.com

Zoom is the hit software product of the coronavirus pandemic, and it’s easy to see why. We all need to connect right now, and Zoom is really easy to use.

That’s also the problem.

Whenever a technology is easy to use, it’s often easy to exploit. And Zoom is finding that out the hard way.

If you haven’t heard the word “Zoom-bombing” by now, you will. Creeps barge into video meetings uninvited and do awful things, largely because Zoom makes it so easy to set up and join meetings. Teachers are finding unwanted digital visitors show up posting porn in front of students; a virtual meeting of black women was interrupted by an invader screaming racist slurs. It’s awful.

Meanwhile, the firm has made some major missteps on its own. It was sharing users’ information with Facebook without their knowledge; it was matching anonymized users with their LinkedIn profiles; it has a spooky “attention monitoring” feature for bosses. (A list of even more horribles is here.)

Zoom is providing a lifeline for millions of people right now, many of them students using the service for free, so I don’t think we should be too hard on it. I also don’t think you should avoid it because of all these missteps. But you should proceed with care when using Zoom, and I’ll give you my advice in a moment.

But first I want to explain the problem a bit. Zoom usage is … zooming. CEO Eric Yuan said in a blog post this week that his company never expected to suddenly be the world’s platform for communicating, and a flood of new consumer use cases have exposed the service’s flaws. How big is that flood?

“As of the end of December last year, the maximum number of daily meeting participants, both free and paid, conducted on Zoom was approximately 10 million. In March this year, we reached more than 200 million daily meeting participants, both free and paid,” he wrote.

Here’s why that matters to you: Yuan has admirably said he’s stopped all feature development for 90 days and is putting all his resources into fixing security and privacy issues. That’s good, but so far, it hasn’t worked. Moving forward, I’d be very skeptical of Zoom’s claims while it deals with the sudden usage crunch and criticism.

In other words, don’t plan on Zoom taking care of your safety. Do it yourself, by checking many settings manually.

For example, Zoom has claimed publicly (here, to security journalist Brian Krebs, and here, in an FBI warning) that meetings are password-protected by default — meaning only users with the password can enter. That defies my personal experience, and empirical evidence. My inbox is littered right now with meeting invitations, not a one requiring a password. And my own meetings, which I hosted, didn’t require a password until I manually set that option.

That matters because, without a password, it’s not all that hard to barge into open Zoom meetings. All you need is a meeting ID, which is usually a nine-digit number.

These can be guessed, or someone could just stumble around looking for random open meetings. Zoom says it stops would-be bombers from brute-forcing their way into meetings by guessing a series of numbers in sequential order, but researchers say they’ve defeated this measure. Krebs talked to a researcher who created a tool that went looking for open Zoom meetings and found 14% of all meetings right now were not password-protected.

When I reviewed Zoom’s password settings, I found the options very confusing.

Ultimately, there is a single setting that meeting hosts can toggle which requires passwords on all new meetings — it’s under Settings, then “Require a password when scheduling new meetings.”

But there are several other places where users can toggle security settings. A host can simply require that users authenticate by logging into Zoom, rather than require a password. A host can require a password for only a single meeting. Hosts can require passwords only for users who dial in. Teachers can set a password for a virtual classroom. Meanwhile, a host can limit a meeting to a preselected list of members with certain email addresses.

All these options might make an IT manager at a large company happy. But it strikes me that Zoom doesn’t have a unified vision for authentication of participants, just a bunch of features.

For newbies, this is a disaster. Zoom is begging for misuse by teachers who are trying to make 25 excited kids sit still long enough to share the stories they wrote that day. Don’t forget, everyone who hosts a Zoom meeting right now is also performing tech support, and dealing with panicked Facebook messages and emails from participants who can’t get into the meeting for some reason. That’s also a recipe for relaxing all controls, making things easier for Zoom-bombers.

So, here’s my quick-and-dirty advice for using Zoom in schools, or anywhere:

1. Know where the eject button is at all times

Just presume something bad might happen. A stranger could get into your Zoom, or a kid might show something inappropriate. And be ready. You have many options, from most drastic to least:

  • “X” the room. Close Zoom immediately. It’s brutal, but it will end the problem. People can rejoin; it’s not the end of the world.
  • Make the user leave. Hosts can boot individual users by selecting “Remove” from the menu pictured below, which is reached by clicking the three dots next to the attendee’s image. (People you remove cannot get back into the meeting). Hosts can also mute users or turn off their video at any time by selecting “Stop Video” from the menu below. It’s also possible to mute all participants from the participants panel on the right.
  • Use the “attendee-on-hold” option to put users in timeout for a short while, a bit less dramatic than “remove.” That feature must be toggled on from the administrative options menu.

Screenshot of settings on a Zoom conference
Bob Sullivan / Money Talks News

2. Use Gallery View

It’s easier to see what everyone is doing in “Gallery View” rather than Speaker View, so use that option.

Screenshot of a Zoom conference thumbnail of participant
Bob Sullivan / Money Talks News

3. Don’t start early

Class shouldn’t begin without the teacher in the room. Disable “Allow participants to join the meeting before the host arrives.”

Screenshot of a Zoom conference join before host setting
Bob Sullivan / Money Talks News

4. Use the “Waiting room” option

Enabling the “Waiting room” option lets you control who enters the meeting. Participants can be added one by one or as a group.

Screenshot of waiting room settings for a Zoom conference
Bob Sullivan / Money Talks News

5. Lock the door

Once all participants are logged in, the host can choose “Lock Meeting” to keep anyone else from joining. This sounds like a good idea, but if you have laggards, or someone drops out of the meeting because of an internet hiccup, it can be a pain. So use with care.

While we are in this lower-right-hand corner of Zoom, it’s not a bad idea to mute participants upon entering, either.

Screenshot of a Zoom conference
Bob Sullivan / Money Talks News

6. Limit or ban screen sharing

The Zoom feature causing the most trouble so far has been prank, disgusting screen sharing. Zoom says it now turns off screen sharing by default for anyone other than hosts. Double-check that.

Here are elaborate steps for turning screen sharing on and off from Zoom, but fooling with that setting sounds like trouble to me.

Screenshot of who can share a Zoom conference meeting
Bob Sullivan / Money Talks News

7. Require passwords, but manage them

Zoom allows you to email a link with the password attached to the URL (see below). That means anyone with the link can enter the room. That makes them less safe, but it’s a trade-off. It’s still safer than no-password meetings — random guessers can’t crash in. And requiring people to manually enter passwords might cause more headaches for hosts. (What’s the password?) This is where Zoom’s security paradigm could use more work.

Screenshot of options to require a password
Bob Sullivan / Money Talks News

So you know: This is what a Zoom meeting invite link looks like without an attached password:

https://us04web.zoom.us/j/3043XXXX1

And this is what a link looks like with an attached password:

https://us04web.zoom.us/j/3043XXXX1?pwd=V2x2VmxJZUFDXXXXXXXXWTIxSWJkQT09
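As an added example (not from the article or from Zoom), here is a small Python helper that tells the two kinds of invite link apart, strips an embedded password so it can be sent separately from the link, and scans a message for join links before you post it. The function names, the 9-to-11-digit ID pattern and the sample links are assumptions for illustration; only the presence of the `pwd=` parameter is checked, not its format.

```python
import re
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

# Assumption: a join link looks like https://<host>.zoom.us/j/<meeting id>[?pwd=<token>]
# and meeting IDs are 9 to 11 digits long. Helper names are hypothetical.
ZOOM_JOIN_PATH = re.compile(r"^/j/(\d{9,11})/?$")
LINK_PATTERN = re.compile(r"https://[\w.-]*zoom\.us/j/\S+")


def parse_invite(url):
    """Return (meeting_id, embedded_password); password is None if the link has none."""
    parts = urlparse(url)
    host = parts.hostname or ""
    if parts.scheme != "https" or not (host == "zoom.us" or host.endswith(".zoom.us")):
        raise ValueError("not a Zoom join link: %s" % url)
    match = ZOOM_JOIN_PATH.match(parts.path)
    if not match:
        raise ValueError("not a Zoom join link: %s" % url)
    pwd = parse_qs(parts.query).get("pwd", [None])[0]
    return match.group(1), pwd


def classify_invite(url):
    """Describe what protects the meeting, in the article's terms."""
    _, pwd = parse_invite(url)
    if pwd is None:
        return "no-password"       # anyone who guesses the meeting ID can enter
    return "password-in-link"      # anyone holding the link can enter


def strip_embedded_password(url):
    """Return (link without pwd=, password) so the password can be shared out of band."""
    parts = urlparse(url)
    query = parse_qs(parts.query)
    pwd = query.pop("pwd", [None])[0]
    clean_query = urlencode({k: v[0] for k, v in query.items()})
    return urlunparse(parts._replace(query=clean_query)), pwd


def find_invites(text):
    """Scan free text (a message you are about to post) for join links and classify each."""
    found = []
    for url in LINK_PATTERN.findall(text):
        try:
            found.append((url, classify_invite(url)))
        except ValueError:
            continue               # not a join link (e.g. a zoom.us help page)
    return found


if __name__ == "__main__":
    # Constructed sample message, not a real invitation.
    sample = "Join here: https://us04web.zoom.us/j/123456789?pwd=abc123XYZ before 9am"
    for link, kind in find_invites(sample):
        print(kind, strip_embedded_password(link))
```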

8. Never post a Zoom meeting ID publicly

Don’t share a Zoom meeting ID in a public place, such as on social media. Discourage members from forwarding emails with meeting IDs, though that’s obviously tough to stop.

9. Never use your Personal Meeting ID for meetings

Your Personal Meeting ID is a static number, like a constantly running meeting, and it’ll be easy for hackers to exploit. I don’t know why this is a feature. Let Zoom generate unique IDs for meetings.

Screenshot of the personal meeting ID settings
Bob Sullivan / Money Talks News

10. Stop the note-passing

Hosts, especially teachers, can disable chat between participants. That’s probably a good idea in some situations.

Group chat options are a little tricky to find, too. You get to them by expanding the chat menu.

Screenshot of a Zoom conference
Bob Sullivan / Money Talks News

Zoom offers a lot more teacher-specific instructions on this page, but be warned: It’s not perfect. The link for “password-protect the classroom” when I visited was broken.
