Many years ago, my wife and I wrote a book about online security.
In case you’re thinking of doing the same thing, allow me to gently counsel you against it: DON’T BLOODY DO IT! Things in the technology space move so quickly that the information in the book went out of date during the milliseconds while the “Publish” button was being clicked. This is not the topic on which to write a timeless classic and have future generations of your family live comfortably off the royalties.
Anyway, commercial disaster aside, I’ve maintained an interest in the online security space. It’s the perfect intersection of two of my main interests: technology and distrust of my fellow humans.
Happily, I can report that the security measures that come “baked in” to consumer tech have got a lot better over the years. For example, almost every website you use will now have a little padlock symbol next to its name in the browser bar. That means your connection to the site is encrypted, so nobody sitting between you and the site can read the information (like credit card details) that passes between your device and the server the site sits on. Before this became the norm a couple of years ago, you needed to be aware of the potential problem and install your own piece of software to encrypt your connection.
So with that taken care of for you, the main security problem you’re likely to face these days is having your passwords stolen. There are two main ways in which this can happen.
- Someone specifically wants YOUR password: you’ve upset a tech-savvy ex, or word’s got out that you’re one wealthy so-and-so. They crack it by brute force (trying every possible combination until they find it) or use “social engineering” to guess it, which is easy because you use mrsquawks65 (the name of your first budgie and your year of birth) on every site.
- A website gets hacked, and the passwords of all registered users of that site are exposed. You’ve not been targeted personally, but the hackers will try your username/password combo on all the sites they can think of just in case they can get into anything interesting. They’ll sell this same data to other hackers and it will circulate on “the dark web” forevermore.
Either of these events can be an annoyance at best, or a total catastrophe at worst. If hackers manage to use your password to get into one of your investment accounts, that’s not good. If they get into your email account, from which they can reset passwords for all your other accounts and gather endless information about the details of your life…that’s really not good.
Luckily, you only need to do two simple things to make your accounts almost 100% safe.
1: Use a different strong password on every website
By using a different password on every site, it means even if one site gets hacked and your password is leaked, it won’t compromise your security on any other site.
The ideal password looks something like this: MuPmolQa4tc$IyxCl6eoBYj^5
That’s a combination of uppercase and lowercase letters, numbers and symbols that doesn’t contain any dictionary words and is at least 16 characters long.
And remember: you need a different one for every single site you interact with. Hope you’ve got a good memory!
Actually, you don’t need that at all: all you need is a password manager.
A password manager is a piece of software that sits in your browser and remembers all your passwords for you. All you need to do is…remember your password for the password manager itself.
(This is not the same as when some browsers offer to remember passwords for you, which isn’t secure and doesn’t help you when you switch between devices.)
So you can set a separate, ludicrously strong password for every site you use, yet you only end up with just one password to remember. This isn’t just more secure – it’s more convenient too, because the software will auto-insert the password when it notices you’re on a site it has the login details for so you don’t even have to do any typing.
It’s actually much more convenient than what appears to be the lazy option: using the same “mrsquawks65” password on every site. When you attempt to use the same password, you often won’t be able to: some sites will insist on a password of a certain length, or on a certain combination of characters, or on there being symbols (or there not being symbols). These rules mean you’ll need different versions of your “one password” that you’ll then need to somehow remember when you don’t have the password criteria in front of you anymore, which defeats the object of convenience while still not being secure.
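To make the two points above concrete (what a “ludicrously strong” password looks like, and why site-specific rules are no trouble when software generates the password for you), here is an added example of the kind of generator a password manager runs. It is illustration written for this post, not LastPass’s or any other product’s code; the symbol set and the policy parameters are my own assumptions. The entropy estimate is an upper bound, because it assumes every character was chosen at random, which is exactly what “mrsquawks65” is not.

```python
import math
import secrets
import string

# Character classes a site's password policy may require or forbid.
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!@#$%^&*-_=+?"  # assumed: a conservative symbol set most sites accept


def generate_password(length=25, allow_symbols=True, symbols=SYMBOLS):
    """Return a random password containing at least one character from every
    class the policy allows. Uses `secrets`, never `random`: the latter is
    predictable and must not be used for credentials."""
    if length < 16:
        raise ValueError("password must be at least 16 characters")
    classes = [LOWER, UPPER, DIGITS] + ([symbols] if allow_symbols else [])
    alphabet = "".join(classes)
    # Guarantee each class appears, then fill the rest from the whole alphabet.
    chars = [secrets.choice(cls) for cls in classes]
    chars += [secrets.choice(alphabet) for _ in range(length - len(classes))]
    # Shuffle with the CSPRNG so the mandatory characters are not always first.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def meets_policy(password, length, allow_symbols=True, symbols=SYMBOLS):
    """Check a password against a site-style rule set: exact length, at least
    one of each required class, and no symbols where the site forbids them."""
    classes = [LOWER, UPPER, DIGITS] + ([symbols] if allow_symbols else [])
    if len(password) != length:
        return False
    if not allow_symbols and any(c in symbols for c in password):
        return False
    return all(any(c in cls for c in password) for cls in classes)


def entropy_bits(password, symbols=SYMBOLS):
    """Size of the brute-force search space in bits, assuming the attacker knows
    which character classes were used and must try every combination. This is
    an upper bound: a pet name plus a birth year is guessed far faster than this."""
    pool = 0
    for cls in (LOWER, UPPER, DIGITS, symbols):
        if any(c in cls for c in password):
            pool += len(cls)
    if pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


if __name__ == "__main__":
    strong = generate_password(25)
    print(strong, round(entropy_bits(strong)), "bits")
    # A site that forbids symbols gets its own password, still 16+ characters.
    print(generate_password(16, allow_symbols=False))
    print("mrsquawks65", round(entropy_bits("mrsquawks65")), "bits (at best)")
```

Run it a few times: every output satisfies `meets_policy` for the rules it was generated under, and the 25-character password sits around 155 bits of search space against roughly 57 for the budgie-and-birth-year pattern, even before an attacker exploits the fact that the latter is a word and a date.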
At this point, I’d be disappointed if you weren’t thinking “errr but what if the password manager gets hacked and all my passwords get stolen?” This is a good point. However, these services use a “zero knowledge” cryptographic system: your vault is encrypted on your own device with a key derived from your “master password”, so neither that master password nor your many individual passwords are ever stored on their servers in a form that would mean anything to a hacker.
Basically, given that the entire point of their business is to keep passwords safe and their reputation would be ruined if they failed, I have far more faith in their security than that of random other sites. Nevertheless, it’s always theoretically possible.
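Here is the general shape of that “zero knowledge” design, as an added illustration rather than any particular product’s code. The master password is stretched with a slow, salted key derivation on the device and split into two keys: an authentication key, whose hash is all the server ever sees, and an encryption key that never leaves the device. The HMAC-based keystream standing in for the vault encryption is illustrative only (a real product would use a vetted authenticated cipher such as AES-GCM); the user name, salt handling and iteration count are assumptions made for the example.

```python
import hashlib
import hmac
import os

# PBKDF2 rounds. Current guidance is higher; lowered only to keep the demo quick.
ITERATIONS = 200_000


def stretch_master_password(master_password, salt):
    """Slow, salted key stretching so that guessing the master password is expensive."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS)


def derive_subkeys(stretched):
    """Split the stretched secret into two independent keys using HMAC labels:
    one that leaves the device only as a login proof, one that never leaves."""
    auth_key = hmac.new(stretched, b"authentication", hashlib.sha256).digest()
    enc_key = hmac.new(stretched, b"vault-encryption", hashlib.sha256).digest()
    return auth_key, enc_key


def keystream_xor(key, nonce, data):
    """Illustrative stand-in for an AEAD such as AES-GCM: an HMAC-SHA256
    keystream in counter mode. Shows where encryption happens (on the device),
    not how to build a cipher; use a vetted library for real data."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


class Device:
    """What the client (browser extension or app) does with the master password."""

    def __init__(self, master_password, salt):
        stretched = stretch_master_password(master_password, salt)
        self.auth_key, self.enc_key = derive_subkeys(stretched)

    def encrypt_vault(self, plaintext):
        nonce = os.urandom(16)
        return nonce, keystream_xor(self.enc_key, nonce, plaintext)

    def decrypt_vault(self, nonce, ciphertext):
        return keystream_xor(self.enc_key, nonce, ciphertext)


class Server:
    """Everything the service stores: salt, a hash of the auth key, and ciphertext.
    A dump of this table yields neither the master password nor the vault contents."""

    def __init__(self):
        self.records = {}

    def register(self, user, salt, auth_key, nonce, ciphertext):
        self.records[user] = {"salt": salt, "nonce": nonce, "vault": ciphertext,
                              "auth_hash": hashlib.sha256(auth_key).digest()}

    def login(self, user, auth_key):
        expected = self.records[user]["auth_hash"]
        return hmac.compare_digest(expected, hashlib.sha256(auth_key).digest())

    def fetch_vault(self, user):
        rec = self.records[user]
        return rec["nonce"], rec["vault"]


def demo():
    """Same master password on two devices opens the vault; a wrong one fails
    to log in and decrypts to garbage. Returns True when both hold."""
    salt = os.urandom(16)                       # constructed sample values
    secret_note = b"bank: MuPmolQa4tc$IyxCl6eoBYj^5"
    server = Server()
    phone = Device("correct horse battery staple", salt)
    nonce, ct = phone.encrypt_vault(secret_note)
    server.register("alice", salt, phone.auth_key, nonce, ct)
    laptop = Device("correct horse battery staple", salt)
    n, c = server.fetch_vault("alice")
    synced_ok = server.login("alice", laptop.auth_key) and laptop.decrypt_vault(n, c) == secret_note
    intruder = Device("wrong password", salt)
    intruder_fails = not server.login("alice", intruder.auth_key) and intruder.decrypt_vault(n, c) != secret_note
    return synced_ok and intruder_fails


if __name__ == "__main__":
    print("zero-knowledge demo:", "ok" if demo() else "FAILED")
```

The point to notice is what the `Server` class holds: the salt, a hash of a key derived from the master password, and ciphertext. Even a complete server breach hands the attacker nothing but a slow offline guessing job against the master password, which is why that one password still has to be long.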
All password managers are much of a muchness, and cost a small annual amount. The most popular ones are:
- LastPass (which I use, although it’s not necessarily the best as I haven’t tried the others)
Get one of those set up, and you’re ready to move on to the second and final step…
2: Enable two-factor authentication
Now you’re making optimal use of passwords, there’s no risk of a breach of one website exposing your password on every site you use. But there’s still the risk of a password for a single, important site being compromised.
A strong password makes it almost impossible for a malicious person to crack it by brute force, but if they know a few details about you (maybe you’ve been binning bank statements without shredding them…) they could call your bank and persuade them to reset that beautiful 30-character beast of a password of yours.
And remember when you’re setting up an account and it gets you to set “backup” questions like the city you were born in and the name of your first pet? Do you think it’d be impossible for a sufficiently motivated person to figure those out?
The way to avoid this (and many other) kinds of attack is two-factor authentication (2FA) – which, as the name implies, introduces a second factor:
- Something you know (your password)
- Something you have (a device)
Suddenly, an attack becomes far more difficult: a malicious person would need to obtain your password and get access to your chosen device at the same time. It’s not impossible, but it’s far less likely. And if a website gets hacked and exposes everyone’s password, no biggie: if they try to get into yours, they’ll fail because they don’t have the device.
For this reason, it’s actually more secure to have a weak password plus 2FA than to just have a strong password alone.
The best type of 2FA
You probably already have 2FA set up for certain sites, because they insist on it – online banking being the most common. When logging in, after you put in your password they’ll send an SMS to your phone with a code you need to enter.
This is better than nothing, but not perfect for a few reasons:
- If you lose your phone, you lose access to all sites you have 2FA set up for until your network ports your phone number to your new device and you can receive text messages again (which could take days).
- There might be times when you have a data connection (like wifi) but no phone reception to receive an SMS.
- There’s something called a “SIM swap” attack, where an attacker convinces your phone network to port your number to a different device that they control so they receive the SMS code. Sneaky.
For these reasons, it’s safer and more convenient to use an authenticator app. This is an app you install that generates a security code (usually six digits) on the device itself without a reliance on SMS. This overcomes the risk of a SIM swap attack, and has you covered even when you don’t have mobile phone reception.
You only need to download a single app once: once you’ve got it, you can set it up to receive codes for an unlimited number of sites you have accounts with.
The best authenticator app, in my opinion, is Authy. The main reason is that it allows you to sync your sites between devices – so you could have it simultaneously set up on your phone, an iPad and a laptop, and if you add a site on one it magically appears on the others.
This is important not just for convenience, but also to keep access if you lose your phone.
For example, say you only had an authenticator app set up on one mobile phone. If you lost it or had it stolen…then what? You’re locked out of everything, and even getting your phone number back doesn’t help because the app is linked to the device itself rather than your number.
(In practice, most sites give you a few backup codes that will get you back in if you don’t have access to your phone. But then you have to store those safely, and it’s all a bit of a faff.)
But with Authy synced across more than one device, you’re fine. If you lose your phone, you can get access to your sites from the version you have installed on your laptop or tablet until you get a new phone. Then when you do, you can install Authy again and sync it up with your account. No problem at all.
The app you’ll most commonly see referenced – Google Authenticator – doesn’t allow this synchronisation (at the time of writing, at least), so for me Authy is clearly a better choice.
Oh, and it’s free.
Setting up Authy
1: Install Authy on one of your devices
Just go to authy.com and follow the download instructions from there.
It doesn’t matter whether you start with your phone, laptop, or tablet – just pick one to get started with, and we’ll add it on the others in a moment.
(If you only ever use one device – like conducting all your internet activity through a mobile phone and not owning a laptop – then I don’t fully understand the way you choose to live your life. But in any case, it’s fine to just install Authy on one device: you just lose the benefit of being able to sync across devices for easy recovery if you lose or change it.)
2: Install Authy on your other devices
First, you have to enable the multi-device setting by following the instructions here.
Then, go ahead and install Authy on your other devices and link them up to the same account.
3: Turn off multi-device mode
This just involves undoing the setting you enabled in the previous step. Your existing devices stay connected, but it prevents anyone else from attempting to maliciously connect another device to your account.
Of course, if you get a new device in the future and you want to link it up, you can just turn the setting back on again.
4: Enable backups and sync
This is an easy but important step that involves following the instructions here.
You’ll be asked to set a “backups password”, which you’ll need to enter on every device in order to sync between devices. This password isn’t recoverable: for security reasons there’s no “oops I’ve forgotten my password” feature, so if you lose it That.Is.It. Authy doesn’t store it anywhere either, so even if you phone up and beg them it won’t help.
Because it’s so important, I’d recommend either storing the password in your password manager (which of course you’re using now, aren’t you?) or keeping it in a safe on a piece of paper.
5: Create your first “token”
A “token” is what Authy calls a website or service that you want to use 2FA for.
The basic process is the same for every website: the website will show you a QR code which you can scan with the Authy app (or type in the text key the site shows alongside it if you’re using a non-mobile version), and that will link your installation of Authy to your account on the site.
Authy will then give you a six-digit access code to enter into the website, which is basically a dry run for logging in to make sure it works.
That’s it! You’re set up.
Important note: Google Authenticator and Authy are built on the same open standard, so even if you see Google Authenticator referenced by name on a particular site, you can still go ahead and use Authy. It’ll work in exactly the same way.
Most financial or business-focused websites do offer 2FA if you look hard enough. Some restrict it to SMS only, which is annoying because it means you’re stuck with all the limitations we listed earlier. If it doesn’t offer 2FA at all, send them an email suggesting they do.
6: Repeat for all other important websites
Maybe it’s just me, but I found it strangely satisfying going through all my important accounts beefing up their security, imagining thwarting some nefarious future attacker.
The only tricky part sometimes is digging around on the website trying to find where to enable 2FA. It’s normally hiding in a “Settings” or “Profile” menu, in a section called something like “Privacy” or “Security”.
Which sites to enable 2FA for
I can’t deny it: 2FA is a minor pain. It slows down the process of logging into sites, and (in my case, at least) sends me off on a hunt across the house to find where I left my phone.
So you need to find a balance of convenience and security that works for you, by just using 2FA for the sites that would be most devastating if someone else got access.
For example, if someone got access to your Tesco account and started ordering groceries, it’d be annoying but not the end of the world. However, if they got into your email account, that would be a total disaster: from there, they could reset passwords for all your other sites.
So I’d start with the following list:
- Email accounts (Gmail, Hotmail etc)
- Bank accounts, investment accounts etc
- Cloud storage accounts like Dropbox
- Anything business-critical if you run your own business, like web hosting or CRM systems
Once you’ve got those in place, you can relax for a while and assess how much of an inconvenience it really is. If you enjoy the peace of mind and don’t find all the code-typing too much of an imposition, you can gradually expand the number of sites you protect.
Welcome to your slightly less convenient but vastly more secure new life
This all got a bit out of hand: I only set out to write a quick post to say you should use Authy, yet here we are after a whole screed about online security in general.
Setting up a password manager plus Authy will take an hour, tops – and it’ll save your bacon in the event of a hack, as well as giving you peace of mind every day. Almost nobody follows the two simple steps I’ve described, but I know you’re different – so do it, then leave a comment so I can give you a virtual high-five.