- Passwords alone, no matter how complex or unique, can be stolen (from a breached site or a fake login page) and reused.
- Enable two-factor authentication on all possible internet accounts.
- Use an authenticator app instead of a texted code where possible.
- Change or remove personally identifiable information on any account that doesn’t offer 2FA.
- Subscribe to email notifications at https://haveibeenpwned.com/ to find out when your email address shows up in a data breach.
This is going to be a lengthy public service announcement to improve your internet security. I’d keep it brief, but I don’t think it would do the subject matter justice.
– Call to action –
Some of you may already know about two-factor authentication. Others don’t.
Either way, if you haven’t enabled it, do it as soon as possible.
– What is two-factor authentication? –
Two-factor authentication (2FA) means you need two things to log in to a site instead of the usual one (your password). In most cases, you need your normal password plus a one-time code.
– But Craig, can’t they just steal the code? –
Each code works only once, and in an authenticator app a fresh code is generated every 30 seconds, so even if someone sees one, it’s likely to be invalid by the time they can use it. The code can either be texted to you (better than just a password) or generated by an authenticator app on your phone (the best of the two).
With 2FA enabled, even if someone steals your password, they still have to have your phone to get in to your account.
Remember that if you’re only using a password to log in and you reuse that password on multiple sites, an attacker only has to get it from one site to have access to all of them. The more sites you reuse it on, the better the chance that one of them gets breached.
–I don’t reuse passwords. Mine are uniquely generated by a password manager. Is that safe?–
Storing your passwords in a supposedly secure password manager (like LastPass) is far better than reusing them, but it isn’t foolproof. Companies that store passwords are naturally huge targets for hackers. LastPass was hacked fairly recently.
If you only remember one thing about this post, let it be this: bits (the things that store information in a computer) are -literally- made to be copied. A password, no matter how long or extravagant, is not secure on its own. At the end of the day, nobody has to guess your password; they just need to figure out how to copy it from somewhere else (hacking) or get customer service to change it for them (social engineering). We need a better method, and 2FA is a step in that direction.
Do NOT count on sites never getting hacked. Sites get hacked regularly.
–What if a site doesn’t offer two factor authentication?–
If a site doesn’t offer two-factor authentication, then the best you can do is change or remove as much of your identifying information as possible. If there are any credit cards saved on the account, remove them and enter the card details manually each time you buy something instead.
Also, -make sure to change your information before you delete your account- (if deleting is what you want to do). On the web, when you think you’re ‘deleting’ your account, you’re usually just flipping a switch that hides your account from you. Your data is still saved somewhere. The business / site in question can still get it if they want, and so can hackers.
–This sounds great, but I don’t know how to do this!–
If you’re not a computer person, and need help setting up two factor authentication, let me know and I’ll do my best to help you get set up.
–I’ve already got 2FA enabled, is there anything else I can do to increase my security–
Sure: switch any account that supports it to get your code from an authenticator app rather than a text message. Phone company customer service can be manipulated into sending your texts (or moving your phone number) to an attacker’s phone.
Also, the site below tracks the latest breaches to find out whose accounts have been exposed. If you click ‘notify me’ at the top and enter your email addresses, they’ll send you an email whenever they discover that your information has shown up in a breach. They’ve often sent me an email before the official vendor lets me know that my account has been hacked. https://haveibeenpwned.com/
Thanks for sticking with me. Hopefully this prevents at least one person from getting hacked.
–Extra Credit Materials–
Other fun things about 2FA and passwords:
Wired articles on 2FA (including how to set it up on major accounts): http://www.wired.com/tag/two-factor-authentication/
How an attacker can social engineer the phone company to bypass your 2FA (or why you should use an authenticator app instead of texts where possible): http://www.howtogeek.com/…/here%E2%80%99s-how-an-attacker-…/
A fun comic on password strength: https://xkcd.com/936/