We all have dozens of online accounts. All of them require a password, and each one should be complex and unique. Password re-use is a huge problem with large data breaches becoming more and more common these days, with billions of data records lost or stolen since 2013.
Earlier this year hackers were passing around a gargantuan, unprecedented collection of 2.2 billion unique usernames and associated passwords.
With such a huge number of data breaches, do you think that there’s a slight chance at least one of your accounts was among them?
If anybody tried to log in to your account before you had a chance to change your password, the only thing that would save you would be two-factor authentication (2FA).
2FA simply adds an extra layer of verification to the login process. So, instead of just typing in your username and password to sign in, you will also have to provide some sort of 2FA credential before you can access your account. Using 2FA, even if a data breach compromised the password, the account would still be safe.
Common types of 2FA:
- One-time code sent to your phone via SMS or to your email address. If you have a choice, I’d recommend you skip this type of 2FA. Even if this option is better than not having 2FA enabled at all, it’s still vulnerable to phishing or SIM swapping. As for the codes sent to you via email... email is probably the least secure form of communication. If you need to use email, consider using encryption. However, no service (at least as far as I know) will send you the codes in the form of encrypted emails.
- Security questions, such as your mother’s maiden name, the first concert you attended, who was the best man at your wedding, where you were born, etc. (TIP: If this is the only option, look for an alternative service. This option blows. But IF this is your only option and you absolutely need to use this particular service, your answers should be as abstract as possible and have nothing to do with the question(s). Usually these questions are basic, and the correct answer(s) would be easy to guess or find with a quick OSINT search.)
- TOTP, a time-based one-time password generated by an authenticator app (best option for most users, in almost all cases).
- Hardware authentication device, such as a YubiKey (currently the most secure option, but few services support it).
- Biometric info, such as a fingerprint or iris scan (not that common, and also not recommended: you could be forced, by law or by force, to unlock your account. The same rule applies to your phone. If possible, use a strong alphanumeric password and disable fingerprint or face scanners such as TouchID and FaceID).
Most sites offering 2FA options allow you to set it up by scanning a QR code with a code-generating app and offer recovery or backup codes, just in case you lose the ability to provide your second factor of authentication (i.e. you lose your phone or YubiKey, restore your phone, etc.). This way you won’t have to reset your account. Keep those recovery codes safe and backed up. I’d recommend storing them in an encrypted container backed up to multiple locations (physical and in the cloud. Always encrypt your stuff before uploading to the cloud. ANY cloud storage solution.). For that you can use VeraCrypt or Cryptomator.
Even if you enable 2FA for your account(s), you still need to be vigilant. Hackers can bypass 2FA with super accurate phishing pages. So be on the lookout, especially with Black Friday/Cyber Monday deals.
More useful tips…
- DO NOT use the same username for multiple online accounts.
- DO NOT use the same password for multiple online accounts. Use a different password for all of your accounts. Long, complex and randomly generated passwords.
- Use a password manager that will help you create and store your usernames and passwords. I’d recommend KeePass or BitWarden.
- This should go without saying, but at the risk of repeating myself, ENABLE 2FA on all important accounts.
- When looking for an online service, do some research and see which one offers 2FA. Here’s a good place to start.
- Try to use open-source and peer reviewed authenticator apps. I’m not going to recommend any apps, there’s a ton of them. Do your research, choose the one most appealing to you.
- For accounts that don’t matter, DO NOT use your own email. Use a 10-minute email service to create the account. Once you confirm your email, you can store your account login credentials in your password manager.
- DO NOT share too much info with an online account. Unless it’s an online store, no online service needs your photo, real name, home address, birth date and so on to function properly. IF those fields are mandatory for the account creation, provide fake info. For online stores, you can choose not to remember and store your shipping address and payment option for faster checkout. Fuck them and their fast checkout. You can easily autofill that info with your password manager in some cases, and if you can’t or they don’t offer the option not to remember, just try to delete that info after you’ve placed your order and re-enter it when you place your next order.
- Use Have I been pwned? to your advantage. First check if any of your existing accounts have been breached. Next, use their RSS feed to stay up to date with the latest breaches. If you see that a service you’re using was breached, get on top of things immediately.
- Delete all accounts that you don’t use anymore. I’m pretty sure you have at least one account you haven’t used in, let’s say, 3 to 6 months. Just delete them. If you don’t remember all of your accounts, you can use Have I been pwned? and check all the email addresses you’ve ever had. Next, use Sherlock. When deleting an account, first try to change your login username if possible, change your email to a 10-minute email address as discussed above, and change your password. Then delete your account. The reason for this is that some services will only delete your account after a certain number of days.
- Last but not least, when you create an account it’s probably a good idea to first check if they allow you to delete it at any time and how easy it is to do it. Some services will not allow you to delete your account and others are making it nearly impossible to delete it. If that’s the case, it might be a good idea to look for an alternative. To do that, you can either check this website, read the FAQ or create a fake account first and have a look around, usually in account settings.