Geek secrets: How to get better security than passwords alone

Take a long, hard look at your friends, loved ones and colleagues.

Do some of them not seem to struggle as much with computer security issues as you do? Do you find that *you're* the one who gets hacked, and they seem to get away scot free?

Well, it may be that they know a geek secret.

Fortunately, you don't have to be a geek to know a geek secret. But you do have to keep a close eye on how geeks protect their systems, and learn lessons about how you might do the same.

With that in mind, here is a tip that the geeks know about - but of which, sadly, many computer users are still clueless.

How to get better security for your online accounts than with passwords alone.

Find out below, or watch my latest video to learn more:

Two factor authentication (2FA), also sometimes referred to as two step verification or login verification, is an extra layer of security that you can enable on a long, long list of websites.

You see, normally you access your online accounts by proving that you know something: your password. That's all very well, but people get careless with passwords, perhaps because they get phished, or share them with a colleague, re-use them on multiple websites, or simply make them easy to guess or crack.

What 2FA does is take security one step further. Rather than simply asking you to prove what you know (your password), the site also wants you to prove what you have in your physical possession.

Twitter 2FA

The idea is that although a hacker might be able to steal or crack your password from the other side of the world, chances are that they will find it a heck of a lot harder to gain physical access to one of your possessions. And, when it comes to protecting against hackers, anything which makes their lives more difficult increases the chance that they will simply move on and look for an easier target.

So, a website account which has 2FA enabled doesn't just ask you for your password, it also asks you to prove that you have a device in your physical possession by - for instance - entering a randomly generated number that has been sent to your mobile phone, or displayed by a smartphone app. With some sites, such as some banks, you may even have been given a hardware token that will generate the number.

This makes life much trickier for the bad guys trying to break into your account, because even if they have determined your password they won't know the magic number that changes every 30 seconds or so.
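As an added example (not code from the article), here is the standard algorithm behind those 30-second codes: TOTP (RFC 6238) built on HOTP (RFC 4226), as used by authenticator apps, together with the check a website would run on the number you type in. The secret used below is the RFC's published test key, constructed here for illustration rather than taken from any real account.

```python
import base64
import hashlib
import hmac
import struct
import time

# Added example (not from the article): RFC 4226 HOTP / RFC 6238 TOTP,
# the algorithm that produces the rotating codes an authenticator app shows.

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a zero-padded decimal code."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(key: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter set to floor(unix_time / step),
    which is why the code changes every 30 seconds."""
    return hotp(key, at // step, digits)

def verify_totp(key: bytes, submitted: str, at: int, window: int = 1) -> bool:
    """Server-side check: accept the current 30-second step plus `window`
    steps either side (phone clock drift), comparing in constant time."""
    counter = at // 30
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(key, c), submitted):
            return True
    return False

def key_from_base32(secret: str) -> bytes:
    """Apps are enrolled with a base32 secret (typed in or scanned from a QR
    code); this normalises spacing/case and restores any stripped padding."""
    s = secret.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)

if __name__ == "__main__":
    # Constructed demo secret: the RFC 4226/6238 test key, not a real account.
    key = b"12345678901234567890"
    print("code at t=59:", totp(key, 59))              # 287082 (RFC 6238 vector)
    print("code now:    ", totp(key, int(time.time())))
```

If you run this, the "code now" value will change every 30 seconds, which is exactly the behaviour the article describes.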

Google authenticator

2FA isn't entirely foolproof. There are sophisticated attacks that determined attackers can use to try to crack into even the accounts which are protected with two-factor authentication. But it does make it so much more difficult for attackers to successfully compromise your online accounts, that the vast majority simply will not bother.

And that has to be good news.

For a great list of websites that support 2FA in various forms visit twofactorauth.org.


5 Responses

  1. Bob

    February 15, 2016 at 8:06 pm

    Sorry to point this out but 2FA is not the same as 2SV.

    "The difference between two-factor and two-step authentication."
    https://paul.reviews/the-difference-between-two-factor-and-two-step-authentication/

    • Graham Cluley in reply to Bob.

      February 15, 2016 at 10:26 pm

      Thanks Bob. I feel that the difference between 2SV and 2FA gets into a level of geekiness that isn't the province of this article – which was to encourage non-geeks to have an additional level of protection than just a mere password!

      The important thing is – whether it's technically 2SV or 2FA – turn it on!!! As if you do, chances are that your account will be better defended from the bad guys.

      Thanks again.

  2. Tom

    February 17, 2016 at 1:01 pm

    I wish there was an option for those of us who do not have smartphones

    • Frank in reply to Tom.

      February 17, 2016 at 6:25 pm

      Use WinAuth (https://winauth.com/) for Windows, and OTP Manager (http://www.stickybit.nl/apps/otpmanager.html) for Mac.

      • Bob in reply to Frank.

        February 18, 2016 at 12:25 pm

        There are also Chrome-based plugins for Linux that allow TOTP.

        Plenty of other ways, Tom, to increase your security:

        You can use 'dumb' 2SV – e.g. get Google to call your landline/mobile with an authentication code; i.e. an automated voice call gives you an OTP.

        Use something like the YubiKey.

        Some websites support printable grid matrices.

        (Other methods are available).
