Passwords just aren't enough anymore!
We're told that we should use strong passwords for everything we do online and, more so, that we should have different passwords for all our accounts to stop hackers getting at our precious data.
Security experts recommend we make our passwords as long as possible, adding capital letters, numbers and special characters to make them harder to guess.
As an example of what is expected, a random password generator that I occasionally use to secure some of my systems here at PMC throws out the following result: 53e;Lwl5fRmK+jT
To quote the eminent internet wordsmith Kimberly Wilkins: "Ain't nobody got time for dat!"
Okay, it's a given that you need to make your passwords strong, but in the real world we all need to remember the passwords for our day-to-day accounts, so most people use simple-to-remember words or phrases with some extra punctuation or flourishes thrown in to make them harder to guess.
The main weakness of passwords is that they're a single layer of protection. Someone could easily look over your shoulder as you type a password, for example, or perhaps you've been the unwitting victim of a phishing scam. Either way, once someone has your password, they can get into your account. Worse still, if you've used the same password for other online services, it doesn't take a determined hacker much work to find out more about you: which websites you use, who your friends are, etc. Easy identity theft 101.
So how can we further shore up our online accounts?
From a personal standpoint, I've been trying hard to advise friends and family to use two-step verification, but it's an uphill struggle because it all seems more complicated than it actually is. It's really not, and this is part of the reason I'm writing this blog, so I can say "Look, I actually took time out at work to write this! It's really important. You should know about this." You'll all be making this PMC blogger a very happy guy if you look at two-step verification!
You should have this enabled on all of your accounts.
So what is two-step verification and how does it work?
Two-step verification is essentially a second layer of security on top of your password to protect your accounts. In short, after you enter your username and password, and before letting you into your account, the website or service in question texts you a code that you must enter before it lets you in. The thinking behind this is that IF your password has been compromised, the hacker, wherever they are in the world, still can't access your account because they would need your mobile phone to get the verification code for that login. Verification codes are a one-time-only deal: every time you want to get into your account, a new code is sent to your phone, and most verification codes expire within a matter of minutes, providing that extra level of security for you.
Here's how, step by step, you would log in to a Google account with two-step verification enabled:
- Enter your username
- Enter your password
- Google then asks you for your verification code
- Instantly you get a text on your phone from Google with a six-digit code you need to enter that lets you into your account
- You enter the code and you're in your account
*It's worth noting that Google lets you skip the verification code on computers you trust, such as your home computer, so if this is a hassle for you, you can at least turn it off for your personal device.
In short, this is it. Simple.
Two-step verification makes sure that anyone trying to log into your account needs the verification code sent to your mobile device.
What if I lose my phone?
As part of most two-step verification set-ups, you can set up backup telephone numbers and email addresses so you'll never find yourself locked out of your account. Google even lets you print out a set of single-use verification codes to keep in a safe place as a further backup.
Google explains more here.
There's also an app for that!
The next step up from using text messages to get your authentication codes is to use an app. Without getting too technical, when you set the app up, your device and the service in question agree on a secret key, and both of them can then generate the same code from that key and the current time, independently of each other. This means that even if you don't have mobile service to receive a text message, you can still get your authentication code.
The popular Lifehacker blog has listed the best authentication apps for both iPhone and Android devices here. Personally I use the Google Authenticator app; it lets me generate codes for all of my online accounts: Facebook, AWS, Google, etc.
One of the best resources I could find was Google's two-factor authentication page, which describes really well what it is and how it works.
You can enable two-factor authentication for your Facebook account: click the link here to find out more, then go to "Login Approvals". I've got it set up in my authenticator app and it all works very well for me.
Find out more about using two-step verification for Microsoft services here. Microsoft has its own code generator app for its services.
If you want to enable two-factor authentication for your PayPal account, you can do so quite easily, but only text messaging is supported at the time of writing this blog.
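To make the mechanism behind these apps concrete, here is an added example (not code from this blog, Google, or any authenticator app) that implements the standard the apps use: time-based one-time passwords (RFC 6238, built on HMAC-based one-time passwords from RFC 4226). The "phone" side and the "service" side both hold the same secret key and derive the same six-digit code from it and the current 30-second time step, with no message passing between them. The verifier on the service side also shows why the codes described earlier are one-time and expire after a few minutes: it accepts a code only within a small window of time steps, and it refuses to accept the same time step twice. The setup key and the test secret below are constructed demo values, not real keys.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30   # code lifetime used by Google Authenticator and most services
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' down to a decimal code of a fixed number of digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time.
    This is what the authenticator app computes and displays."""
    return hotp(secret, int(at_time // step), digits)


def secret_from_setup_key(setup_key: str) -> bytes:
    """Decode the base32 'setup key' a service shows (or encodes in its QR code)."""
    cleaned = setup_key.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore the padding apps usually strip
    return base64.b32decode(cleaned)


class TotpVerifier:
    """Service side: checks a submitted code against the shared secret.
    Allows +/- `window` time steps of clock drift between phone and server, and
    never accepts the same time step twice, so a code that was shoulder-surfed or
    phished cannot be replayed during its lifetime (RFC 6238, section 5.2)."""

    def __init__(self, secret: bytes, window: int = 1, step: int = STEP_SECONDS):
        self.secret = secret
        self.window = window
        self.step = step
        self.last_counter: Optional[int] = None

    def verify(self, submitted: str, at_time: float) -> bool:
        current = int(at_time // self.step)
        for counter in range(current - self.window, current + self.window + 1):
            expected = hotp(self.secret, counter)
            # compare_digest avoids leaking digit-by-digit timing information
            if hmac.compare_digest(expected, submitted):
                if self.last_counter is not None and counter <= self.last_counter:
                    return False  # this time step was already used: replay
                self.last_counter = counter
                return True
        return False  # no match inside the window: wrong or expired code


if __name__ == "__main__":
    # Constructed demo: enrolment puts the same secret on the phone and the service.
    secret = secret_from_setup_key("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")
    now = time.time()
    phone_code = totp(secret, now)        # what the app on the phone displays
    service = TotpVerifier(secret)
    print("phone shows:", phone_code, "-> accepted:", service.verify(phone_code, now))
    print("same code again:", service.verify(phone_code, now))          # False: replayed
    print("two minutes later:", service.verify(phone_code, now + 120))  # False: expired
```

The window of one step on each side is the usual trade-off between tolerating a phone whose clock is a little off and keeping each code valid for only about a minute and a half in total; the `last_counter` bookkeeping is what turns "expires in minutes" into "works exactly once".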
Enable two-factor authentication on all of your online accounts now!