Secure on the web: use MFA and a Password Manager!

This is also a blog I’ve been wanting to write for quite some time now. Especially in this day and age of the continuous danger of hacks and data breaches all over the web. I’m not even talking of malware here, that’s something for a different story some other time, but just the simple case of using secure passwords and login methods.

Update [May 2020]

Bill Hess of pixelprivacy.com contacted me after finding this blog about security and asked me if I would like to link to his very comprehensive article as well. No problemo, so here you go Bill:

Two-Factor Authentication: What Is It and Why You Should Use It – Pixel Privacy

My initial blog continues here…

How does one get hacked?

First, let's get the widespread misconception out of the way that most hackers are sophisticated coders who know more about computing than your average rocket scientist. Most widespread data breaches or hacks aren't done by brute force or cunning algorithms where lots of computing power is used to crack codes or guess them at millions per second. Far more likely, your credentials have shown up in some data breach circulating on the (dark) web and 'hackers' simply try those credentials against every service you're using.
Or the so-called hackers get into your accounts by means of what's called social engineering: fooling people into handing over their credentials by, for instance, pretending to be their telephone company. In a way that's the same thing as phishing, and most people will know this from the infamous Microsoft servicedesk scammers.

Here’s an example of how this may work:

Unfortunately most everyday computer users make it far too easy for these ‘hackers’ by using the same password over and over again on all services they use. And very often these “guess one, get all” passwords look something like this: “welcome01”, “secret”, “xxx” or “1234567”. Needless to say: yes, these are easy to guess…!

And then there are of course the genuine hacks that do require computer knowledge and sometimes also sophisticated equipment. When hacks like these compromise a big service's user database, resulting in lots of username/password combinations ending up "on the streets", it doesn't take a lot of imagination to see how many doors a perpetrator could potentially open by simply trying these against popular websites you might be on (or even your bank account!). Unfortunately hacks like these happen several times a year and there's very little you can do about that (in one of my previous blog posts you can check credentials against a database of known breaches and see whether any of your usernames or email addresses lights up).

There are however a few things you CAN do to at least make it a bit harder to get in, and more importantly: things you shouldn't do if you don't want to open all doors to all of your online stuff!

Use unique strong passwords!

Of course, whilst reading this, you must be thinking: "this is an obvious no-brainer", but then I guess you really have no idea how many people recycle their passwords across social media, banking accounts and mail accounts. Guess one, and a hacker is in.
Make sure you come up with something that's hard enough to crack, and the rule of thumb here is: the more characters the better. Avoid traceable stuff like your birthday worked into the password, or the names of children or pets. A password with a combination of digits, letters (both upper and lower case) and symbols might seem the hardest code to crack, but if it only comprises 6 positions, a single pronounceable word like "fluxcapacitor" would still be far better: it has over double the positions and therefore harbours a number of possible character combinations that is mathematically many times bigger than one of just 6 positions, even if those 6 characters are more exotic and of differing kinds.
So, in theory, a full sentence without spaces should be a very strong password.
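To put numbers on the claim above, here is an added example (not from the original post) that works out the brute-force search space for a 6-position "complex" password versus the 13-letter word "fluxcapacitor" and a spaceless sentence. The sample passwords and the guess rate of one billion per second are constructed assumptions for illustration.

```python
import math
import string

# Character classes a brute-force search must cover: a password that uses
# several classes forces the attacker to enumerate the combined alphabet.
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digits": set(string.digits),           # 10
    "symbols": set(string.punctuation),     # 32
}

def alphabet_size(password: str) -> int:
    """Size of the union of character classes present in the password."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))

def keyspace(password: str) -> int:
    """Number of candidates of the same length over that alphabet."""
    return alphabet_size(password) ** len(password)

def entropy_bits(password: str) -> float:
    """Keyspace expressed in bits, the usual way to compare strength."""
    return math.log2(keyspace(password))

def years_to_exhaust(password: str, guesses_per_second: float = 1e9) -> float:
    """Worst-case time to try every candidate at an assumed (constructed) rate."""
    return keyspace(password) / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    # Constructed samples: 6 mixed-class characters, the post's word, a sentence.
    for pw in ["Xy7$q!", "fluxcapacitor", "marvinsetthefluxcapacitorto88mph"]:
        print(f"{pw:34s} alphabet={alphabet_size(pw):3d} "
              f"bits={entropy_bits(pw):5.1f} years={years_to_exhaust(pw):.3g}")
```

The 13 lowercase letters give 26^13 candidates, several million times more than the 94^6 of the short mixed-class password, which is exactly the point the post makes.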

If you have trouble devising passwords that are unique, safely constructed (i.e. free of data that might be guessable or traceable to you personally) and not impossible to remember, make sure to have a look at the last part of this blog post about using a Password Manager. A must-have these days unless you have an elephant's memory! 😉

I could go on and on about passwords, but I think my message is clear enough: make them looooong and unique please!

Use MFA (Multi Factor Authentication)

Because security is becoming a bigger issue every day, more and more services on the web have started offering Multi Factor Authentication. This is an extra layer of security added to the login process, based on the principle of 'what you know, and what you have'. The 'what you know' part is the strong password we just talked about, and the 'what you have' part means your smartphone, or, in the case of banking, where this principle has been in use for much longer, a physical 'identifier' token.
When you set up MFA on any of your accounts, you will have to go through another login step after submitting your regular password (the thing you know) by entering an extra verification code that is sent to the smartphone (the thing you have) that you have set up with MFA for this account. This code can be sent to you by SMS text message or (much more secure) generated by a dedicated MFA app such as Microsoft Authenticator. The latter option is used mostly in corporate environments.

It takes a one-time setup only and makes it very hard to get in, since it's highly unlikely that some hacker gets access to both your smartphone and your passwords at the same time. Most popular websites like Twitter and Instagram already offer this extra MFA step, but you have to set it up yourself because it's not activated by default (which I think it should be!). Many of my friends have already been hacked on Insta and Twitter, so make sure you set this up when available!

UPDATE: You can check right here, by category, which services support MFA.

Password Managers (I recommend: Enpass)

Since we use so many websites and services that require a user account these days, it has become virtually impossible to keep all of them in our own heads. Especially the ones you have to change every other month due to enforced policies (i.e. your bank again). To help you out with this, Password Managers have existed for quite some years now. I started using one back in the Windows Mobile 6 days (somewhere around 2007), but in recent years I had switched platforms so many times that I had to re-evaluate my options and almost build a new database from scratch.

But first: what IS a Password Manager? A Password Manager is an application that stores all your precious strong passwords in a single database that is strongly encrypted (AES-256) and protected by one single master password (so you'd better make this your best one! 😛 ). Without the master password you won't be able to get back in, so also make sure you don't forget this one.
This Password Manager application is a safe vault for all your passwords, but usually it can do more: generate strong passwords for you, tell you whether you've got duplicates or very old passwords, and analyse whether a password is considered strong enough.
Usually these apps also have a browser extension that taps into your password database to log in to websites directly, and they usually offer mobile apps and a means of syncing the database between installs and devices.

Have a look at this video review of Enpass to get a clearer picture of such an app:

My personal Password Manager of choice is Enpass, and that’s mainly because of three reasons:

  1. It is by far the most cross-platform app I have seen up till now, with apps available on virtually any platform (Windows, Linux, macOS, iOS, Android, etc.) and browser extensions for all major browsers.
  2. It's FREE on the desktop (with an item limit of 25) 🙂
  3. It uses your own cloud of choice to sync your database across platforms, without Enpass storing the database on any of its own servers. There's support for OneDrive, Google Drive and Dropbox among others.

Update [May 2020]

Since writing this blog Enpass has of course evolved, and one of the things that changed is the licensing/pricing. It's still free on the desktop (up to 25 items), but for unlocking more platforms and more features they have switched to a subscription model since the start of 2020. The upside of this model is that one subscription works on ALL platforms, so you don't have to buy it on both Windows and your phone anymore. They also still offer a one-time full license, which now gives you full access on all of your devices for one single purchase. As of writing this update, they are offering a 33% discount on that (May 2020).

And here's another news bit: Enpass is now also available as Enpass Portable, so you can run it off a secure USB stick (especially convenient for system admins who have to switch devices often).


Of course there are many alternatives, such as the well-known LastPass or 1Password. Feel free to choose any of these, but keep in mind that none of them offer all three advantages I mentioned above at once. For anyone who wants to follow my recommendation of Enpass, I have collected the most popular app store links below so you can go get your download.
On top is the Windows 10 Store link for the completely free desktop app (up to 25 items); if you're using an older version of Windows, make sure to get the 'Traditional Win32' version from their downloads page (where you will also find the macOS and Linux versions).

Anyway, do yourself a favour and download it now and take the time to fill it with all your password data. It'll take some time to set up, but once you have your database in place, you'll thank me and wonder how you could ever do without... 😉

Windows 10 Desktop app

Google Android

Apple iOS