Securing your Online Identity in the 21st Century
There is one thing websites rely on to let you in and keep the bad guys out:
Your password.
A string of numbers, letters, and characters; maybe it’s your favorite place to eat or your pet’s name, or a combination of the two. It’s the weak and fallible link that is the key to your personal information.
The problem is that, again and again, we see websites getting hacked:
- MySpace suffered a data breach that exposed almost 360 million accounts
- LinkedIn had 164 million email addresses and passwords exposed
- Over 150 million breached records from the Adobe hack have surfaced
Some of these hacks revealed no password information, which is fine, but you should definitely be more careful about sharing your personal information with that website.
Types of Hacks
Some revealed password hashes, which are not your password itself but a one-way fingerprint derived from it. Hackers can then try brute forcing their way back to your password and, eventually, into all of your other accounts (if you reuse passwords).
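To make the hash idea concrete, here is an added example (not code from the original post) showing the difference between how a careless site and a careful site would store the same password. The careless version is a fast, unsalted SHA-1, so every user with the same password gets the same hash and each guess costs almost nothing; the careful version uses PBKDF2 with a random per-user salt and a high iteration count, so the stored record never contains the password, two users with the same password get different records, and each guess is deliberately slow. The sample passwords and record format are constructed for this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Iteration count is an assumption for this example; real deployments tune it
# so that one verification takes tens of milliseconds on the server.
ITERATIONS = 100_000


def weak_hash(password: str) -> str:
    """Unsalted, fast hash: what a careless site might store (for contrast only)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow hash: a self-describing record 'pbkdf2_sha256$iters$salt$digest'."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    algo, iters, salt_b64, digest_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(expected, actual)


if __name__ == "__main__":
    # Constructed sample: two different users who chose the same password.
    alice = hash_password("correct horse battery staple")
    bob = hash_password("correct horse battery staple")
    print("weak hashes identical:", weak_hash("hunter2") == weak_hash("hunter2"))
    print("salted records differ:", alice != bob)
    print("verify right password:", verify_password("correct horse battery staple", alice))
    print("verify wrong password:", verify_password("hunter2", alice))
```

The point for a user is that even the careful version only slows an attacker down; a leaked record is still a puzzle that can be solved given enough time, which is why a unique password per site limits the damage to that one site.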
Also, if you find using unique passwords is too hard — try using a password manager, like LastPass, 1Password, or Dashlane. You can even split your passwords across multiple managers if you fear that one of them could be hacked (but in reality, it’s near impossible to do so).
However, the worst cases involve hacked passwords in plain text, which means that your password is just out there in the open. No brute forcing required. That’s why it’s imperative you have different passwords for each site — sometimes, hacks like these can go unnoticed for a few years.
Checking Breaches
To see if any of the websites you use have been hacked, go to https://haveibeenpwned.com, which allows you to track which websites have reported breaches and what they said was breached.
It’s certainly not perfect, but a good first step.
However, there is one way that can dramatically increase your security online:
2 Factor Authentication!
By adding 2 factor authentication (or 2FA) to your account, rather than just typing in your password to sign in, you will have to type in a dynamically changing code that is only known to you. Here’s how it works.
We will use Google’s authentication system as an example. Google does have some built in security features for signing in — it checks if you are signing in from an unusual location or time, for instance. However, not all websites build in this protection.
Setting up 2 factor authentication is easy. You first provide a mobile phone number to Google, and Google texts a code to it. You enter the code, and you’re all set! Or so you think.
The problem is that SMS 2FA is inherently insecure. SMS messages can be intercepted, phone numbers can be hacked and spoofed, and honestly, having 2FA by text can be even more insecure than not having it at all (think of what happens when someone compromises your phone and tries to reset your password).
So, what should you do instead?
App-Based Authentication
Rather than sending codes via text to your phone, app based authentication relies on a QR code and a special authentication app. By scanning a QR code provided by the website, the app will be able to generate codes that expire every 30 seconds or so.
One of the most popular apps is Authy. It can house all of your tokens and you can easily access them via a tap. But, there is an even easier way that is supported by many major tech companies.
Code-less App Authentication
Rather than having to enter a code every time, many tech companies (like Google, Apple, and Microsoft) allow you to simply log in via a tap from their apps. It’s pretty simple, and Microsoft is even betting on this as they push for a password-less future.
But, of course, there is an even more secure way to log in (though still not perfect).
Physical Security Keys
Physical security keys, such as YubiKeys, can be used if you want the most security, without any need to use your phone. Just plug one of these into your PC or phone (or use Bluetooth, but that is generally less secure) and it logs you in.
Can these be stolen? Yes. Are they worth it for the average consumer? Probably not. App based authentication should be fine for most.
And that’s how you can try to stay secure online. Are any of these methods perfect? No. If you are a public figure, you should probably be taking even more extreme steps to protect your identity.
But, for the average consumer, using unique passwords, changing those passwords regularly, and using 2 factor authentication should keep you nice and secure.