Two-Factor Authentication

Having a strong, unique password for each of your online accounts is a great starting point for keeping your online presence safe. However, even with a strong password it is still possible for an attacker to gain access to your accounts.

When you sign in to a website, the password you enter is turned into a ‘hash’. A hashed version of your password is also known as a fingerprint. This fingerprint is stored in the website's database, and you are only logged in when the password you enter matches the stored fingerprint. Passwords are hashed with a hashing algorithm rather than stored as typed; this helps protect the password if there is a data breach. If a website suffers a data breach and the hashes are stolen, the attacker can potentially ‘crack’ the hashes to recover the plaintext passwords, which allows the attacker to sign in to your account. Short passwords, and websites that use old hashing algorithms (or no hashing at all), make it easier for an attacker to crack your password. Because many people use the same password for all of their online accounts, cracking a single password may give cybercriminals access to multiple accounts. Stolen usernames and passwords are often shared or sold on to other cybercriminals. This is why it is important to have strong password hygiene and a different password for each account.

Even with a strong password, there are several ways cybercriminals can steal it: tricking you into installing malware, or phishing your password via a malicious email or website, are common. In these cases a strong password on its own will not protect you. This is where two-factor authentication is necessary.


Two-factor authentication increases the security of your login by requiring two factors when logging in to an account. Usually the factors are your password plus another piece of information, such as a one-time code. These one-time codes are most commonly delivered by SMS.

SMS is the default for receiving a one-time code, as most users have a mobile phone with them at all times. SMS can be an inconvenient form of delivery if you live in a mobile coverage black spot, as you won’t receive the code required to log in to the online service.

Authenticator apps such as Google Authenticator or Authy can be set up in place of SMS and allow you to manage multiple services from one app. The app is very easy to manage and can generate a code even without network access, and codes are available instantly. The downside is that you need a smartphone or tablet to install the authenticator app. If you choose to install an app like this, you should ensure you have a strong passcode locking your device. If your device is lost or stolen and you do not have a passcode, it may be possible for an attacker to reset your account passwords using your phone and the authenticator app. Authy allows you to back up your authentication codes, so you can easily reinstall the app on a new device without having to reset your accounts.


Some services will provide a hardware token that can be kept secure at home and which generates a one-time code. These are great for people who do not have a smartphone or tablet. The disadvantage is that each token only works for one account, so multiple tokens may be required for multiple services. Tokens are often provided by financial institutions.

Two-factor authentication can seem complicated at first. I recommend trying two-factor authentication on your online banking and your email address first. Once you are comfortable with these two services, you should consider using it on all of your accounts. It is only one extra step at each login, but it offers much greater protection than a password alone. Many online services support two-factor authentication, including online banking, email hosted with Gmail and Outlook, Facebook and Dropbox, and online services regularly add support for it.

If you would like assistance in protecting your accounts with two-factor authentication, or have any other questions relating to password security, feel free to Contact Us.