Introduction: Why do I need to protect myself?
Now more than ever, our daily lives are becoming increasingly tied to our online presence. All of this means that the global threat from hackers and key-logging malware is increasing as well.
Think about it for a moment: have you ever used the same password for more than one account? Most people are aware that they should be using a separate password for different accounts, but they choose not to because it’s too inconvenient to have to memorize so many different passwords.
But that’s not all – nowadays, our entire digital persona is hosted online. If your password is brute-forced, hijacked or circumvented in some fashion – the hacker could then gain access to all of your social media accounts, your bank accounts or even your cell phone plan!
How is this possible? Because many of us tie all of these services into our personal email accounts.
When you tell your banking institution, your cell phone provider, Facebook or Twitter that you forgot your password, where does this information usually end up? The answer is they send a password reset link to your email!
This exact situation is how so many hackers have managed to embarrass politicians, large-scale enterprise companies and the like – because they didn’t really hack into the accounts at all. Instead, they simply took advantage of well-known weaknesses such as a weak or reused password, a guessable secret question or an unpatched web server.
So how do you protect yourself? Sounds like a pretty good idea, right? Keep reading to find out how!
What is 2-step verification and why is it so important?
2-factor authentication, more commonly referred to as 2-step verification, is a means of securing your login credentials with a secondary method in addition to using a password. It could be as simple as requiring you to respond by answering a series of secret questions, or entering a code sent over text message, but even that’s no longer considered secure in today’s day and age (because secret questions can be guessed and SMS text messaging can be intercepted).
Instead, the more appropriate method is to set up an authenticator app (a code generator). These simple apps are free to download on iPhone and Android and are available from many trusted providers, including:
- Google Authenticator (iPhone and Android)
- LastPass Authenticator (iPhone and Android)
- Microsoft Authenticator (iPhone and Android)
These apps all generate codes in the same standard way (the time-based one-time password scheme), so a secret you set up for a service in one of them works in any of the others. They can also be used alongside one another if you prefer to keep things separate.
Here’s how it works:
- The app generates a new code every n seconds (30 for most services). The code is not random: it is computed from the current time and a secret that the service shared with your phone when you set it up, which is why the app works without any network connection.
- When you go to log into a service such as Facebook or Gmail, you enter your password as you normally would.
- If the service is configured to use 2-step verification, you will be prompted to enter the code currently shown in the app in addition to the password.
This very simple code is enough to protect your account even if a hacker manages to get your password. Think about it – the hacker needs to have possession of your smartphone to access the account. Even *if* they somehow manage to get into the account using an exploit, and you’re using the same password across different services (which you really shouldn’t), as long as you have 2FA set up on those other services too the hacker would be unable to access them.
OK, so I downloaded an authenticator app on my phone. What now?
This is where things get a little tricky – see, each service has its own way of configuring 2-step verification, and because many people have only just started using the technology, some of the setup processes are not exactly polished yet.
The good news is, many of them have step-by-step documentation, so rather than creating a very long article, we’ve listed a collection of links for some of the most common services below:
- Apple ID – https://support.apple.com/en-us/HT204915
- Google – https://www.google.com/landing/2step/
- Microsoft – https://support.microsoft.com/en-ca/help/12408/microsoft-account-about-two-step-verification
- Facebook – https://www.facebook.com/help/148233965247823
- Twitter – https://support.twitter.com/articles/20170388
- LinkedIn – https://www.linkedin.com/help/linkedin/answer/544/turning-two-step-verification-on-and-off?lang=en
- Amazon – https://www.amazon.com/gp/help/customer/display.html?nodeId=201962420
- Instagram – https://www.facebook.com/help/instagram/566810106808145?helpref=hc_fnav
- Snapchat – https://support.snapchat.com/en-GB/article/enable-login-verification
- WhatsApp – https://faq.whatsapp.com/en/android/26000021/
- LastPass – https://helpdesk.lastpass.com/multifactor-authentication-options/
Sounds great! But what if the service I’m using doesn’t support the authenticator method?
It’s a sad fact that some of the largest institutions are still using old, outdated methods of security such as secret questions or worse, nothing at all. Of particular concern is that many of these institutions are in the financial sector, including most major banks! So what can you do?
The best thing you can do is voice your concerns on each company’s Facebook and Twitter pages.
If enough people get together and let these companies know that our privacy and security are important, then eventually they will have no choice but to listen to their customers.
Alternatively, you can vote with your wallet and switch to an alternative service that does support 2-step verification. Here’s a great website that provides a very comprehensive list of these services. Another great feature on this site is that they have included Facebook / Twitter buttons for automatically sending a message to the social media accounts of companies that are not currently using the technology:
So what are you waiting for? Get out there and voice your concerns!
Additional ways to secure your account
So you’re stuck with a service provider that doesn’t use 2-factor, and you have no other alternatives. What do you do now?
Well, here’s a very simple solution that we recommend using even if you have 2FA enabled.
You know the old adage about using an extra long password with loads of random characters? Well, it turns out the guy who wrote that advice has himself admitted that he was totally wrong. But hey, at least he admitted it and is now driving people towards making a positive change!
So what is actually the best method for creating a password you have to remember? Forget random password generators (sorry, Norton Identity Safe)!
The best method is actually to choose 3 or 4 random words, and simply type them out with spaces included. Words chosen at random are both easier to remember and, because there are so many possible combinations, far stronger than the short mixed-character passwords most people actually end up picking.
To explain why, the best web comic series ever pretty much summed it all up with an extremely relevant observation (as they often do; there really is a relevant XKCD comic for everything):
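The key word in the advice above is "random": the words must be picked by a proper random generator from a large list, not by you thinking of favourite words. As an added example (not from the original article), the block below picks words with the operating system's CSPRNG and shows how to work out how many words a list of a given size needs; the small word list is constructed for the demo, and the 7776-entry size used in the calculations is an assumption matching a typical Diceware-style list.

```python
import math
import secrets

# Constructed mini word list for demonstration only; a real Diceware-style list
# (assumed here to have 7776 entries) must be used for an actual passphrase.
DEMO_WORDS = ["correct", "horse", "battery", "staple", "river", "candle", "orbit", "maple"]


def entropy_bits(list_size: int, n_words: int) -> float:
    """Strength of a passphrase made of n_words picked uniformly from list_size words."""
    return n_words * math.log2(list_size)


def words_needed(list_size: int, target_bits: float) -> int:
    """Smallest number of uniformly chosen words reaching target_bits of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(wordlist, n_words: int = 4, sep: str = " ") -> str:
    """Pick words with secrets.choice (OS CSPRNG), never random.choice or by hand."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    print("demo passphrase:", generate_passphrase(DEMO_WORDS))
    print("4 words from 7776:   %.1f bits" % entropy_bits(7776, 4))
    print("8 random printable chars: %.1f bits" % entropy_bits(95, 8))
    print("words for 80 bits:  ", words_needed(7776, 80))
```

Four words from a 7776-word list give roughly 52 bits, about the same as eight fully random printable characters, but with a phrase you can actually remember; for a master password protecting everything else, go to six or seven words.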
But, even with the 4 random word method, you might still have trouble remembering passwords for so many different accounts. This is where a password management service like LastPass comes in. This service is free, but they also offer a paid option which gives you some extra features.
The way LastPass works is that you have one master password which unlocks access to the rest of your passwords, and it can auto-fill passwords into web forms and iPhone / Android apps for you. It’s a very nifty service, with the added benefit that you no longer type passwords by hand, which reduces what a key-logger can capture if your computer happens to be compromised.
Now you might question how it affects your security if you are using one password to access all of your other passwords – well, aside from eliminating keystrokes, LastPass also supports 2-step verification, and yes, you should absolutely use it!
Just remember, if you forget your master password, not even LastPass themselves can recover it, so no matter what you do, do not forget it!
My company needs help with this stuff. How do we make sure all of our staff are using this type of security?
Perfect Leap can help! We specialize in helping companies identify common technology pitfalls.
In addition, we will streamline your business to provide long-term benefits. If this is something you’re interested in, then go ahead and reach out to us; we’re here to help!