News of this week’s so-called “mega breach” might deeply trouble you. If so, that means it’s a perfect time to take control of your personal security. Yes, every company should be held responsible for practicing sloppy security, allowing your sensitive data to get into the wrong hands. But at this point, there’s really no reason to trust the bastards to do the right thing.
Roughly 21 million unique passwords were dumped online this week. The users who have little to worry about are the ones who, at the very least, have enabled some type of multi-factor authentication, the simplest being two-factor authentication or “2FA.” Even better off are those who’ve also adopted a reliable password manager, which allows them to create very long, complex, and unique passwords for each site they log into. Add in a physical security key, and you can sleep easy tonight.
Here’s a quick(ish) rundown of the three most important pieces of crafting a healthy security routine and never sweating another password leak.
Step 1: Enable 2FA
While 2FA isn’t perfect, it’s been widely adopted, and it’s also very easy to use.
2FA works like this: You go to login to, say, your email account, and after entering your password, it prompts you to enter a code that’s been sent to your phone by text. (We’ll get into better alternatives than text in a moment.) What this does, theoretically, is prevent anyone from accessing your account doesn’t (a) know your password and (b) have physical access to your phone. So if your password gets leaked, it becomes not so big of a deal, and if you miss the news about a breach that may impact you, you’re pretty much covered.
Nowadays, even my technologically challenged grandmother, whose online footprint is next to nil, knows that she can’t log into her email account, or her bank account, or anything else really, without inputting that little code sent to her phone. If an 85-year-old who still pays her bills with a paper check every month can grasp this concept, then dammit, so can you!
Nearly every major online service offers 2FA. I’ll leave it to you to figure out where the option is located for whichever service you’re trying to lock down (try ‘security’ under ‘preferences’ or ‘settings’), but I’ll add this: If you’re using a service that requires you to volunteer sensitive information, and the only security it offers is a password, then you should definitely stop using it. Bottom line: This is obviously a company that doesn’t give a shit about your security and is likely taking too few steps to protect you.
The reason “breaches” like this week’s get so much attention is that they appear to leave tens of millions of people exposed. It’s easy to feel outrage at the companies that should’ve safeguarded this information better. But the mindset that users bear no responsibility to protect themselves is both dangerous and lazy. There’s a term everyone in 2019 should come to understand, and that’s “security hygiene.”
I said that 2FA isn’t perfect, so I’ll elaborate: Most 2FA services involve sending security codes, typically 5-6 digits, via a text message (SMS). It’s been demonstrated repeatedly that, while saf-er, this method of receiving the code is far from foolproof. One way to improve 2FA is to use an authenticator app on your phone. (You can download Google Authenticator, for instance, on the Apple App Store and Google Play Store.) These apps will spit out time-sensitive security codes instead of sending one by text message. Many services, but unfortunately not all, will offer you the option of using an authenticator app instead of SMS for 2FA.
Step 2: Get a password manager
Password managers are the second line of defense in these situations. You’ve probably been told repeatedly not to reuse passwords, and if you aren’t using a password manager, there’s a good chance you’ve broken this rule once or twice or always. It’s near impossible, without some mnemonic device, to generate unique, complex passwords for every online service you use and remember them at all times. The best way to ensure you’re always using strong passwords, therefore, is to install a password manager, which does the hard parts for you. There are several, but LastPass and 1password both work fine.
Password managers allow you to create very long and complex passwords, and then basically forget they exist. The only password you’ll need to remember is the one that lets you access the manager itself. Obviously, make it a good one (and here’s a guide for how to do that). A lengthy, complex password is pivotal in situations where passwords are leaked (unless they’re leaked in plain text). In many cases, a leak will involve passwords that are scrambled using a weak or antiquated encryption protocol, such as MD5. This requires an attacker to crack (or decrypt) these “hashed” passwords. The longer and more complex a password is, the more difficult this becomes.
Password managers might seem risky at first, basically like you’re betting everything on this one password, hoping it doesn’t get stolen or cracked. But any worthy password manager will also allow you to enable some form of multi-factor authentication. Here’s a list, for example, of 2FA services offered by LastPass:
One thing I’ll add, since I’ve mentioned the LastPass password manager in particular several times, is that in order to use a physical token, you’ll need to have the paid version. And that’ll cost you, at the time of writing, a whopping $2 per month.
This may sound like a hassle, but password managers are actually incredibly convenient. Once logged in, it will automatically input passwords for you. Password manager phone apps are particularly convenient because typing long, complex passwords on tiny keyboards can be infuriating. What’s more, in lieu of a password, which you’ll still use in your browser, you can use Touch or Face ID to unlock your password manager on your phone.
Step 3: Buy physical security tokens
If relying on a password manager still frightens you, you’re in luck. There’s another step you can take to protect yourself while using one, and this is also what I would recommend doing personally: Buy a Yubikey or a Google Titan Security Key. Actually, buy two.
Yubikey and Titan are “physical security tokens,” each of which contains a private encryption key. When you enable the physical security key option with your password manager, neither you—nor anyone else—will be able to access your account without it. This means that in order to hack your account, an attacker would require (a) your password, (b) access to your unlocked phone, and (c) your Yubikey.
This also means you can’t afford to lose your security key (and that’s why it’s best to buy them in pairs.)
If you’re buying a security key for the first time (or looking to upgrade), pick up either the Yubikey Series 5 or the Google Titan key. Unlike older Yubikeys, the Series 5 version includes NFC as well as USB, while the Titan includes a Bluetooth dongle and a USB dongle. Why do you need both? Because those options make it so you can use them with any phone.
Your email account is the one thing you really can’t afford to have breached. Not only does it likely contain a slew of private communications, it opens up the possibility of other accounts being breached through password recovery. A physical security token will basically reduce this threat to a nonexistent level. Notably, both Yubikeys and Google’s Titan key can also be used to secure your social media accounts—requiring someone to have that physical token before they can log into your Facebook or Twitter accounts.
Step 4: Enjoy
If all of this is new to you, it probably seems like... a lot. But once you’re set, it’ll take no longer than a couple of days before your new security routine is second nature.
If news of this morning’s breach left you shook, and you’re worried someone might at this moment be accessing something deeply personal to you, a photo, a letter, or possibly some artful nudes, then it’s time to come into the fold. Educate yourself, take your security into your own hands, and stop relying on faceless, mostly unaccountable corporations to do the work for you.
The Electronic Frontier Foundation, one of the nation’s premier digital rights organizations, has an incredible library of useful security tips and tutorials, which cover topics from how to make super-secure passwords using dice (fun!) and how to create a security plan, to more in-depth explanations about how encryption really works, and a variety of security tool guides.
Take an hour to pursue some of this helpful literature and save yourself a headache next time you hear a quadrillion passwords just got leaked.