Pardon me for being verbose here, but we need to talk. It’s about your passwords.
It’s official. There is no longer any excuse for any of us to not be using multi-factor authentication with our sensitive accounts. There is also no longer any excuse for any of us to not be using complex and unique passwords for every site we visit. None.
It’s all over the blogosphere. Everywhere. Online businesses and services are being compromised. Accounts are being stolen. It does not take a PhD to have a secure online identity, but sadly, some people still don’t take this seriously.
The resources are out there, and they’re mostly free. Yes, 100% gratis.
I’m going to talk about two components: password security, and multi-factor-authentication (MFA), (aka, two-step verification).
Most everyone has heard the mantra: “the only secure password is the one which you do not remember“. This falls into the realm of plausible deniability. You can’t accidentally lose something which you don’t have, right? Likewise, when online, the very worst thing that you can do is to use the same memorized password on multiple websites.
(Did you know some of the most common passwords include: 1234, password?)
Think about your personal keychain. You have your house key, your car key, your mailbox key, your bicycle lock key, etc. Each key is different. If you lose your house key, you only need to change the locks on your house, nothing else. It would be silly for one key to open everything. Lose that master key, and everything you own is at risk.
The same theory applies to your online passwords. If a poor, unsuspecting online store gets whamboozled and has all of its account data stolen, you want to make sure that your exposure is minimized. That means having a unique password for each online store/service.
How can anyone remember all of these passwords?
Easy. You don’t. Let any one of a handful of free password management services do it for you.
LastPass, my personal favorite, is a simple cloud-based, cross-platform, cross-browser plug-in. It works on Windows, OSX, in Firefox, Chrome, Opera, IE, you name it. When you log in to a particular site (or go to change that password), it recognizes this and says “Hey! I see you have a password for this. Let me remember it for you.”
Your credentials are tied to the URL of the site and saved in your personal, online, uber-encrypted password vault. The next time you go to that site and try to log in, it populates the fields for you with the password it remembered last time. This is similar to the built-in features in many browsers, but unlike those features, LastPass is fully encrypted and cloud-based. The passwords never get saved on your computer.
The benefit of this is that now you have the power to use LastPass to create randomly-generated, complex passwords for every site. Who cares if you can’t remember it? LastPass remembers it for you. And because the plug-in syncs with the LastPass servers, your data is synced up with every browser you use it with, so you don’t have to worry about taking them with you. Just bought a new laptop? Just install the LastPass plug-in, authenticate with your “Master password” (and other authentication, see below), and your passwords for every site you visit are ready to go.
Beyond password managers
Many have already seen the insightful article by Wired contributor Mat Honan. Honan describes, in illuminating detail, how poor security practices on the part of Apple, Amazon, and himself, combined with his connections to major IT news site Gizmodo, resulted in the perfect storm to allow hackers to destroy his accounts and data. He also elaborates on how much of the damage could have been prevented if he had just been using Google’s implementation of MFA (they call it 2-step verification).
Typically, most secure websites require a single form of authentication (a password) to access your account. With MFA, that’s not enough. You need a combination of something you know (such as a password or code), along with something you have (such as a token or smartcard) and/or something you are (such as a biometric).
In the case of Google, they use a token from an app called Google Authenticator. This app runs on your smartphone and, once verified and attached to your account, provides a randomly generated code which you need to log in. No code, no access. No smartphone? It can send you a text message.
LastPass provides several choices for MFA, including a token called Yubikey. This is a tiny USB device, sort of like a miniature flash drive, which you plug in to your computer when you need to install/access your LastPass password vault. Without that device, your vault is absolutely inaccessible.
Many banks also feature MFA now. Mine uses the Symantec “VIP Access” app, which functions like the Google Authenticator.
I won’t go into the magic which makes all this work, as it is outside of the scope of this post. My point here is that this is easy. It takes so little effort to implement MFA. Not only do I rest easy knowing that my passwords for my sensitive accounts (such as Google, my bank, my password vault, Amazon…) are super-complex and unique, minimizing my exposure to identity theft, but even if the password to my bank were to be stolen, it still wouldn’t be enough to get in without my personal token.
Now, of course, if I were to lose my smartphone or my Yubikey, there are methods for each of my accounts to disable them and regain access to my account. This varies based on the specific service. Google, for instance, generates for you a card with a list of 10 codes on it. Type the code that it asks for, combined with your external recovery address, and you’re good to go. Lose the card? Generate a new one and the old one becomes invalid.
Do the homework. Spend the half an hour it takes to implement this stuff. The amount of effort it takes to implement strong security practices with your online identity is minuscule compared to the effort it takes to rebuild it.
Learn more about multi-factor authentication by watching our Matrix Minute!