Founder and CEO of KeepSolid, a company that builds modern security and productivity solutions
There’s a growing need for better online security, with strong passwords and two-factor authentication. As more of our daily life moves online, more of our personal information is also being stored on the web, along with access details for our personal bank accounts and confidential work data. With cyberattacks on the rise, all of this information needs to be protected from unauthorized access by hackers.
Passwords and Their Problems
One of the oldest and simplest access control systems is a password. Assuming a hacker doesn’t know your password, the system is reliable and information is secure.
Unfortunately, though, passwords have many problems:
- A password that is short, or contains common words, may be easy for you to remember, but is generally considered weak and unreliable.
- A password that is long and contains random upper- and lower-case letters, as well as numbers and special characters, may be strong and hard for hackers to crack but also difficult to remember.
- Complex passwords tend to be written down on paper or in a text file, or reused for different services. These files can easily fall into the hands of hackers. And if you reuse passwords, a successful hack of one of your accounts can easily lead hackers to all of your other accounts.
For example, let’s say you use the same 16-character random password for your bank account and for your gardening email group. If the group’s email software was implemented poorly and hasn’t been updated for five years, your emails about planting season aren’t the only information that’s at risk. If hackers gain access to your group email account, they can now also access your money.
For this reason, it’s essential to create different passwords for each online service you use. They should always be long, and preferably include special characters.
Password managers offer a compromise between security and convenience, allowing you to generate and store multiple passwords. But they also rely on a single Master Password and if that Master Password is hacked, you’ll encounter all of the same problems. For that reason, you have to make sure that your Master Password is as secure as possible.
How to Pick Your Password
One solution to the password problem, which relies on “something you know”, is to add a method of authentication that uses “something you have” or “something you are”. For financial services, for example, “something you have” can be a credit card. Before the era of Apple Pay and Google Pay, a credit card combined with “something you know” (your PIN code) proved your ability to access your credit account.
Increasingly, to protect your accounts from hackers who are trying to intercept your password (for example, through a phishing site), methods like two-factor authentication (also known as 2FA), are used. 2FA adds a layer of identity confirmation that’s independent of your password, usually in the form of a code sent to you by email, SMS, or messenger app. Here’s a quick rundown of how those options work:
2FA via Email
The easiest form of 2FA is to send a code or link to a user’s email account. This process assumes that if you have access to your email inbox, you are who you claim to be.
Pros:
- easy to implement
- easy to reach users: almost every online service collects users’ email addresses
Cons:
- users’ email accounts can be compromised
- users can use the same password for their email account and an online service, making that password less secure
- the 2FA email is usually transmitted without end-to-end encryption and stored in plaintext on mail servers. A hacker who has access to the network or to an email server can intercept the 2FA link/code.
2FA via SMS
Another common way to confirm your identity is to enter a code that you’ve received via SMS. In this scenario, each time you want to log in to an online service, you’ll need to enter a unique code, valid only for the current session, that you receive via text message on your device.
Pros:
- many services use this method, so most people are familiar with it
Cons:
- SMS messages aren’t completely secure: they can be intercepted and “spoofed” by third parties
- services that don’t require a phone but ask users for their phone number are collecting personal data unnecessarily
2FA via Messenger App
A step above the previous option is sending 2FA messages to a messenger app, like Facebook Messenger, WhatsApp, Viber, Telegram, or Signal. This option is as user-friendly as SMS, but typically more secure.
Pros:
- most messenger apps offer better data protection than SMS; some provide end-to-end encryption of transmitted data
- most users of online services have at least one messenger app installed on their cell phone
Cons:
- some messenger apps authenticate users via SMS, or through password authentication, creating the same security risks as passwords themselves
Authenticator Apps
These apps are mainly used on mobile platforms as a universal 2FA tool that works across multiple services. During setup, the service gives you a shared secret key (most often delivered as a QR code); the app feeds that key and the current time into a cryptographic algorithm (TOTP) to generate one-time passwords (OTPs), each valid for 30 to 60 seconds. Even if hackers are able to intercept 10, 100 or even 1,000 of these passwords, they have limited ability to predict what the next password will be.
Pros:
- stronger security, through cryptographically robust algorithms
- many free apps are available on multiple platforms (examples include Google Authenticator, Cisco Duo, Authy, and others)
- no need for Internet access on your device to generate codes; web access is only required for initial setup
- no personal information is transmitted to the service
- works concurrently with an unlimited number of services
Cons:
- if the phone that has the authenticator app is lost, and no backup exists, access to services will also be lost
- if hackers get access to the shared secret key on your device, or break into the server that holds a copy of it, they will be able to generate future passwords
- hackers can still replace the sites where you use the app with fake proxy sites. In this case, like all methods listed above, there is no proof that you’ve entered your authentication code on the real site or app, instead of the spoofed one
- if you use an authenticator app on the same device you use to log in to a service, both factors live on one device and the benefit of two-factor authentication is largely lost
Yes/No Authentication On Another Device
This is a convenient method for 2FA if a service is used on multiple devices and there’s an option to log in from another trusted device.
This type of 2FA is essentially a combination of all previous methods. In this case, instead of requesting codes or one-time passwords, you confirm your login from your mobile device that has the service application installed. A private key is then stored on your device and checked every time you log in.
You may have used this for Twitter, Snapchat, or online games. For example, when you log in to your Twitter account on a laptop or tablet, you enter your username and password, and then your phone receives a notification with a request to log in, after which the browser will open your feed. Usually, you’ll see a request to “allow access from a new device” displayed on a trusted device, with identifying data about the browser/OS/country.
Pros:
- very easy to use: there’s no need to remember or copy codes
- if the application is implemented correctly, it’s difficult to intercept or substitute data
Cons:
- it can’t work as a standalone 2FA option: the very first login, before any trusted device exists, has to be secured by another method
Hardware Tokens and U2F/FIDO2/WebAuthn
For the highest level of account security, hardware authentication tokens are the best option. As completely separate devices, hardware tokens never lose their second-factor role under any circumstances, unlike all the 2FA methods described above. Most often, hardware tokens take the form of USB key fobs with their own processor that performs the cryptographic operations (or generates numeric codes) automatically when the key fob is connected to a computer. There are also models for mobile devices that transfer data via NFC/Bluetooth.
Pros:
- maximum security: it’s almost impossible for hackers to replicate the codes or keys held on a token
- strong protection against phishing and proxy sites, when used in conjunction with the WebAuthn standard in browsers
- increasingly available from a growing number of companies, such as Yubico, Feitian, Thetis, and HyperFido, with USB/NFC/Bluetooth options
- doesn’t require a mobile device or an external power source
Cons:
- a minimum of two hardware devices is recommended, to avoid losing account access if one token goes missing
- tokens must always be kept on hand: no token, no service access
- tokens aren’t supported by all services
Whichever 2FA method you use, you’ll typically get several backup keys for use in emergency situations, for example, if your smartphone is lost or stolen. With these keys, you can log into your account, restrict access for the lost or stolen device, and add a new one in its place. These keys should be stored in a safe place, not as a screenshot on your smartphone or a text file on your computer.
Tips for Creating a Strong Password
Use a unique password
Think of different passwords for each of your accounts, especially for the accounts that are extremely important to protect, like your email and online bank accounts. It’s risky to use the same password for more than one important account. If a hacker learns the password for one account, they’ll be able to log in to other accounts easily, accessing your email, your money, or information about where you live.
Create a long password that only you can remember
The longer your password is, the more secure it is. We recommend creating a password that is at least eight characters long. Here are some kinds of long passwords that are easy to remember:
- a line from a song or a poem;
- a quote from a movie or a speech by a famous person;
- a quote from a book;
- a phrase that is meaningful to you;
- an abbreviation (for example, from the first letters of each word in a sentence).
Avoid personal data and common words
Do not use passwords that are easy to guess if a person knows you, or that use publicly available information about you (for example, information that’s visible on social networks).
- your nickname or initials;
- your child’s or pet’s name;
- birthdays or other dates that are important to you;
- your street name;
- the numbers in your address.
Do not use common words
Do not use simple words, phrases or character sets that are easy for others to guess. Examples include:
- obvious words and phrases, such as “password” or “mypassword”;
- natural character sequences, such as “abcd” or “1234”;
- character sequences on a keyboard, for example, “qwerty” or “asdfg”.
By following these tips, you can easily create the best possible passwords and protect your personal information, securely.