In a change to my normal content, I wanted to write something to help people make their internet life a little more secure. It’s all too easy now for people with bad intentions to gain access to your online accounts. Once one account is compromised, this can lead attackers to other services and potentially steal your identity (and possibly your money). I am going to talk about a few simple steps that you can take to strengthen your online security.
“Complex” Passwords
Why have I put the word “complex” in double-quotes? It really annoys me when websites make choosing a password difficult by enforcing a set of arbitrary password complexity rules. Automated password crackers know about common letter substitutions (such as zero for O, one or an exclamation mark for I, and so on) and will try these variations, so this sort of password complexity won’t protect you that well. As this cartoon from the brilliant xkcd.com shows, the best password is a long password:
So, whilst a pass phrase like correcthorsebatterystaple is nice and long, and easy to remember, it’s unlikely to meet the “complexity” criteria for a lot of websites, so this is where I’d recommend you use a Password Manager.
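To put numbers on the argument above, here is a small added example (not from the original post) that estimates the search space an attacker must cover for a dictionary word with common substitutions versus a randomly chosen pass phrase, and generates such a phrase with a cryptographic random source. The 7776-word list size and the 100,000-word attacker dictionary are assumptions for the calculation; the short word list in the code is constructed for the demo only.

```python
import math
import secrets

# Constructed sample word list for the demonstration only. A real generator
# would draw from a published list such as Diceware (assumed to have 7776 words).
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "river", "candle",
                "orbit", "pencil", "silver", "window", "garden", "thunder"]

# Substitutions that crackers try automatically (assumed representative set).
COMMON_SUBS = {"a": "@4", "e": "3", "i": "1!", "o": "0", "s": "$5", "t": "7"}


def bits(search_space: int) -> float:
    """Entropy in bits of a uniformly random choice among search_space values."""
    return math.log2(search_space)


def passphrase_bits(word_count: int, wordlist_size: int) -> float:
    """Random words from a list: each word adds log2(list size) bits."""
    return word_count * bits(wordlist_size)


def substituted_word_bits(dictionary_size: int, word: str, subs=COMMON_SUBS) -> float:
    """Dictionary word plus leet substitutions: every substitutable letter can
    stay as-is or become one of its alternatives, so the multiplier is small
    compared with the cost of adding whole random words."""
    variants = 1
    for ch in word.lower():
        variants *= 1 + len(subs.get(ch, ""))
    return bits(dictionary_size * variants)


def generate_passphrase(word_count: int, wordlist=SAMPLE_WORDS, sep=" ") -> str:
    """Pick words with the secrets module, never random.choice, for real use."""
    return sep.join(secrets.choice(wordlist) for _ in range(word_count))


if __name__ == "__main__":
    print("troubador + substitutions:", round(substituted_word_bits(100_000, "troubador"), 1), "bits")
    print("4 random Diceware words:  ", round(passphrase_bits(4, 7776), 1), "bits")
    print("example phrase:", generate_passphrase(4))
```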
One Ring to rule them all
It’s all too tempting to use the same password (or minor variations of it) on all of the websites that you frequent. However, this can be an open door for an identity thief. If they manage to gain access to your Facebook account (for example), they will then use those credentials to see if they can access your email accounts, other social media platforms, storage services (like Dropbox) and so on. Just try to imagine what havoc someone could wreak if they had open access to all of these….
To counter this, I suggest that you use a unique, completely random password for each website or service that you use. Obviously, this will mean lots of different passwords to remember, and this is where a Password Manager will help you. Personally, I recommend KeePass, but there are many other well respected options, such as Dashlane, LastPass and 1Password. All Password Managers need a master password to access their repository – it’s here that I suggest you use a pass phrase rather than a simple password.
Some of these password managers run locally on your laptop or mobile device, others work as a web-based service – it’s up to you how you feel about having your passwords stored in someone else’s cloud. Having said that, a cheap option is to use a free password manager like KeePass and then store the password file on Dropbox, so that it can be accessed across all your devices.
The X-Factor
So, we’ve tightened up the passwords on your accounts, but that still doesn’t make them 100% secure. To be honest, nothing is 100% secure, but there are more things we can do to keep unauthorised people out of your accounts. The next level of security that you can apply to an account is to enable Multi-Factor Authentication, or MFA. This is where more than one thing is used to authenticate access to your account, such as:
- Something you know
- Something you have
- Something you are
Something you know is easy – that’s your nice, long, secure password that you generated and stored in your password manager. Something you have is usually a device that can generate a numerical token that changes on a regular basis. This could be a dedicated device (such as an RSA SecurID), but it is more likely to be an App on your mobile phone. A less secure version of this is where the token is sent to your phone by SMS. Whilst this is better than nothing, an attacker can “spoof” your SIM and intercept tokens sent in this way. Finally, Something you are relates to biometric security, such as a fingerprint.
Websites and other web-based services usually only use two factors, Something you know and Something you have, and so this is known as 2FA or Two Factor Authentication. Most websites that support 2FA allow you to use an App to generate authentication tokens. There are many Apps, but two of the best known are Google Authenticator and Microsoft Authenticator. However, these Apps become linked to your specific phone, so when you upgrade your device, you have to go through a lengthy process of de-registering and re-creating each of your websites.
This is why I recommend using Authy – with Authy your token keys are backed up to the cloud, which makes device migration very simple. You can even run Authy on your phone and laptop at the same time for extra convenience. One thing I should point out though – once you have Authy running on your two devices, I would recommend that you go into the Settings and switch off the ability to add further clients. That way, if someone were to hack your account, they wouldn’t be able to access your keys, unless they had one of your devices as well.
Obviously, you need to enable 2FA on the websites that you use and Authy has a really good step-by-step guide to enabling 2FA on most popular websites. There are some notable exceptions: for example, eBay forces you to use their own mobile App as an authenticator; American Express does not support any form of 2FA at all.
Summary
- Use a Password Manager to generate and store long unique randomised passwords
- Use a suitable pass phrase as your master password to your password store
- Enable 2FA on all of your websites and web services