News of this week’s so-called “mega breach” might deeply trouble you. If so, that means it’s a perfect time to take control of your personal security. Yes, every company should be held responsible for practicing sloppy security, allowing your sensitive data to get into the wrong hands. But at this point, there’s really no reason to trust the bastards to do the right thing.
Roughly 21 million unique passwords were dumped online this week. The users who have little to worry about are the ones who, at the very least, have enabled some type of multi-factor authentication, the simplest being two-factor authentication or “2FA.” Even better off are those who’ve also adopted a reliable password manager, which allows them to create very long, complex, and unique passwords for each site they log into. Add in a physical security key, and you can sleep easy tonight.
Here’s a quick(ish) rundown of the three most important pieces of crafting a healthy security routine and never sweating another password leak.
Step 1: Enable 2FA
While 2FA isn’t perfect, it’s been widely adopted, and it’s also very easy to use.
2FA works like this: You go to log in to, say, your email account, and after entering your password, it prompts you to enter a code that’s been sent to your phone by text. (We’ll get into better alternatives to text in a moment.) What this does, in theory, is prevent anyone who doesn’t (a) know your password and (b) have physical access to your phone from accessing your account. So if your password gets leaked, it becomes not so big of a deal, and if you miss the news about a breach that may affect you, you’re pretty much covered.
Nowadays, even my technologically challenged grandmother, whose online footprint is next to nil, knows that she can’t log into her email account, or her bank account, or anything else really, without inputting that little code sent to her phone. If an 85-year-old who still pays her bills with a paper check every month can grasp this concept, then dammit, so can you!
Nearly every major online service offers 2FA. I’ll leave it to you to figure out where the option is located for whichever service you’re trying to lock down (try ‘security’ under ‘preferences’ or ‘settings’), but I’ll add this: If you’re using a service that requires you to volunteer sensitive information, and the only security it offers is a password, then you should definitely stop using it. Bottom line: This is obviously a company that doesn’t give a shit about your security and is likely taking too few steps to protect you.
The reason “breaches” like this week’s get so much attention is that they appear to leave tens of millions of people exposed. It’s easy to feel outrage at the companies that should’ve safeguarded this information better. But the mindset that users bear no responsibility to protect themselves is both dangerous and lazy. There’s a term everyone in 2019 should come to understand, and that’s “security hygiene.”
I said that 2FA isn’t perfect, so I’ll elaborate: Most 2FA services involve sending security codes, typically 5-6 digits, via a text message (SMS). It’s been demonstrated repeatedly that, while safer, this method of receiving the code is far from foolproof. One way to improve 2FA is to use an authenticator app on your phone. (You can download Google Authenticator, for instance, on the Apple App Store and Google Play Store.) These apps will spit out time-sensitive security codes instead of sending one by text message. Many services, but unfortunately not all, will offer you the option of using an authenticator app instead of SMS for 2FA.
Step 2: Get a password manager
Password managers are the second line of defense in these situations. You’ve probably been told repeatedly not to reuse passwords, and if you aren’t using a password manager, there’s a good chance you’ve broken this rule once or twice or always. It’s near impossible, without some mnemonic device, to generate unique, complex passwords for every online service you use and remember them at all times. The best way to ensure you’re always using strong passwords, therefore, is to install a password manager, which does the hard parts for you. There are several, but LastPass and 1Password both work fine.
Password managers allow you to create very long and complex passwords, and then basically forget they exist. The only password you’ll need to remember is the one that lets you access the manager itself. Obviously, make it a good one (and here’s a guide for how to do that). A lengthy, complex password is pivotal in situations where passwords are leaked (unless they’re leaked in plain text). In many cases, a leak will involve passwords that have been scrambled with a weak or antiquated hashing algorithm, such as MD5. A hash can’t simply be reversed, so an attacker has to “crack” these hashed passwords by guessing candidates and hashing each one until a result matches the leak. The longer and more complex a password is, the more guesses that takes.
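The two paragraphs above make two claims worth seeing in numbers: that a manager-generated password is something you could never memorize, and that length and character variety are what make a leaked hash expensive to crack. The following is an added example (not code from the article, LastPass or 1Password) that generates passwords the way a manager does, from the operating system's cryptographic random source, and works out how many guesses an exhaustive attack needs for a given length and alphabet. The "leaked" MD5 hash is constructed inline from a deliberately weak sample password, and the guessing rate of ten billion per second is an assumed figure for the arithmetic, not a measurement.

```python
import hashlib
import math
import secrets
import string

# Character set a password manager typically draws from: 94 printable ASCII symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 24, alphabet: str = ALPHABET) -> str:
    """Manager-style password from the OS CSPRNG (secrets, never random.choice)."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct passwords of this length over this alphabet."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Strength in bits: log2 of the keyspace."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Worst-case time for an attacker to try every candidate at the given rate."""
    return keyspace(length, alphabet_size) / guesses_per_second


def guess_matches(candidate: str, leaked_md5_hex: str) -> bool:
    """What 'cracking' an unsalted MD5 hash amounts to: hash a guess, compare to the leak."""
    return hashlib.md5(candidate.encode()).hexdigest() == leaked_md5_hex


# Constructed sample leak: MD5 of a short, well-known weak password (not from any real breach).
LEAKED_MD5 = hashlib.md5(b"hunter2").hexdigest()


if __name__ == "__main__":
    rate = 1e10  # assumed guessing rate; unsalted MD5 on GPUs is measured in billions per second
    year = 365 * 86400
    for length, size, label in [(8, 26, "8 lowercase letters"),
                                (12, 94, "12 mixed characters"),
                                (24, 94, "24 mixed characters")]:
        bits = entropy_bits(length, size)
        years = seconds_to_exhaust(length, size, rate) / year
        print(f"{label:20s} {bits:6.1f} bits  {years:.3g} years to exhaust")
    print("guess 'hunter2' matches leaked hash:", guess_matches("hunter2", LEAKED_MD5))
    print("manager-generated password:", generate_password())
```

The jump from seconds (eight lowercase letters) to geological time (24 mixed characters) is the whole argument for letting the manager pick the password: the attacker's per-guess cost with MD5 is tiny, so the only lever left on the user's side is the size of the space they have to search.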
Password managers might seem risky at first, basically like you’re betting everything on this one password, hoping it doesn’t get stolen or cracked. But any worthy password manager will also allow you to enable some form of multi-factor authentication. Here’s a list, for example, of 2FA services offered by LastPass: