Securing Your Accounts
We use our computers to do many things: we send e-mail, chat with friends or family, and even manage our finances. You would not want someone to be able to do these things on your behalf without your permission, so it is important to make your accounts for these services difficult for other people to access. This may make it slightly more difficult to access your own accounts, but this is a necessary evil.
Authentication Methods
The different sites and services that you access use some combination of systems to verify that you are who you claim to be.
These systems are called authentication methods, and they generally fall into one of three categories, shown below with examples:
| Authentication Method | Example |
|---|---|
| Something you know | Passwords |
| Something you have | A key, a proximity card, or a phone with an authentication app |
| Something you are | A fingerprint, facial recognition, or a retinal scan |
Multi-Factor Authentication
When you access something secure, such as a website, you will be asked for at least one of these authentication methods, known as factors. Traditionally the only factor a website has required has been a password (usernames are not kept secret, and are not considered a factor). Passwords, however, have some serious disadvantages:
- If someone else learns your password, you may not even know
- Passwords can be forgotten
- Computers have gotten very good at guessing passwords
- Because computers can guess passwords, passwords have to be more complex, which makes them harder to remember
- People often have many accounts, and it is difficult to remember so many passwords
- The only reasonable way to have a strong password for dozens of accounts is to re-use the same password
- This means that if someone guesses your password, or if one of the services you log in to fails to protect it properly, all of your accounts are compromised
- This is a common issue; in fact, there is a whole website dedicated to finding out whether your accounts were compromised in this way
Using a different method to log in can be more secure, but the best security comes from combining two factors from different categories. The most common combination is a password (something you know) with a code generated by an app on your phone (something you have). These codes are called TOTP (Time-based One-Time Password) codes. They were popularized by an app called Google Authenticator, so they are often also called Authenticator or Google Authenticator codes.
This strategy, called Multi-Factor Authentication (MFA) or Two-Factor Authentication (2FA), does make logging in less convenient, though you are usually only required to use the second factor the first time you log in on a device. It also makes it exceptionally more difficult (nearly impossible) for someone unauthorized to access your account.
Setting up TOTP Multi-Factor Authentication
This section will walk you through setting up Authy on your device. We recommend Authy because its sync feature makes it easy to use multiple devices, and also means you won't permanently lose access to all of your TOTP codes (and with them all of your accounts) if you lose your device. There are many TOTP apps available, but when choosing one it is critical to pick one that allows you to back up your codes, and to make those backups regularly.
For this process you will need a smartphone or tablet. It will need an Internet connection to install the TOTP app, but the app does not need an Internet connection to work once it is installed.
Android (Samsung, HTC, LG, Motorola)
- Open up the Play Store
- In the search bar, search for "Authy"
- Tap Install
- Once the install has completed, tap Open
iOS (iPhone, iPad)
- Open up the App Store
- Search for "Authy"
- Tap Get
- Once the install has completed, tap Open
Managing Passwords
A password is the simplest and oldest way for computers to verify your identity. The idea is simple: you know a secret word, phrase, or combination of letters and numbers, and by providing it to the computer you prove that you are the person who knows it.
There are, however, serious flaws with password-based systems, as listed above. These issues don't mean that passwords can't be effective; many of them are caused by the limitations of the human brain. The good news is that, except for the first item, all of these issues can be solved.
The solution doesn't require more brain power; in fact, it requires less. I don't know most of my passwords. I have well over a hundred, none of them are the same, and they are all very long and complex. The solution is a password manager: a tool that you use to save all of your passwords securely. Password managers can be accessed from all of your devices, will auto-fill your username and password, and include an option for generating secure passwords. Currently we recommend Bitwarden: https://bitwarden.com
When you start using a password manager you will need to remember the password to log in to it, but that's it. It is important to use a secure password for the password manager. Length is the most important component of a password, so the best strategy is usually to choose a few random words to make up a passphrase.
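The claim that length matters most can be put in numbers. The following is an added example (not from the original article, and not Bitwarden's generator) that builds a passphrase from random words using the `secrets` module and compares its entropy with that of a random character password; the wordlist is a small constructed one for the demo, and the 7776-word list size used in the comparison is an assumption standing in for a typical published passphrase wordlist.

```python
# Added example (not from the original article): generating a word-based
# passphrase with cryptographic randomness and comparing its strength with a
# random character password. Names and the wordlist are this example's own.
import math
import secrets

# Constructed toy wordlist for the demo only. A real passphrase should draw
# from a large published list (thousands of words); entropy_bits() below
# shows why the list size matters.
TOY_WORDLIST = [
    "anchor", "basil", "cobalt", "drift", "ember", "falcon", "garnet", "harbor",
    "ivory", "juniper", "kettle", "lantern", "marble", "nectar", "orbit", "pebble",
    "quartz", "ripple", "saddle", "timber", "umber", "velvet", "walnut", "yonder",
]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a secret made of `length` symbols, each chosen uniformly at
    random from `alphabet_size` possibilities (words or characters). Each
    extra symbol adds log2(alphabet_size) bits, which is why length, not
    clever substitutions, is what makes a secret hard to guess."""
    return length * math.log2(alphabet_size)


def generate_passphrase(wordlist, words: int = 5, separator: str = "-") -> str:
    """Pick `words` words with secrets.choice (never the `random` module, which
    is predictable). Repeats are allowed so the entropy formula stays exact."""
    return separator.join(secrets.choice(wordlist) for _ in range(words))


def compare_strength(passphrase_words: int, wordlist_size: int,
                     password_length: int, charset_size: int) -> dict:
    """Entropy of a word passphrase versus a random character password, so the
    two strategies can be compared directly."""
    return {
        "passphrase_bits": round(entropy_bits(wordlist_size, passphrase_words), 1),
        "password_bits": round(entropy_bits(charset_size, password_length), 1),
    }


if __name__ == "__main__":
    # Four words from an assumed 7776-word list versus eight random characters
    # drawn from upper/lower-case letters and digits (62 symbols).
    print(compare_strength(4, 7776, 8, 62))
    print("sample passphrase:", generate_passphrase(TOY_WORDLIST, 5))
```

Four random words from a 7776-word list come out ahead of eight random mixed-case alphanumerics, and they are far easier to remember; that is the whole argument for a passphrase as the one password you still have to memorize.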