Get posts like this one in your inbox by signing up for our newsletter.
Keeping your online accounts secure is one of those important things that no one likes to do. But, it’s a necessity in today’s day and age, so here are a few tips on how to keep your accounts secure.
Use Common Sense
There’s not much you can do if a website implements poor security standards. Unfortunately, there’s not really a good way to judge how secure a website is. For example, the website may use HTTPS, but protect their servers with a really weak password. In this case, it appears as if the website looks secure, and your browser won’t give you any warnings. However, the server may be compromised along with all of its data. This is just a depressing fact that you should know, but there’s nothing you can really do. Well, there is one thing: use common sense. Don’t give a website any information you don’t think it needs. Also, don’t use websites that look like they might be a scam without doing some research before.
Pro tip: when in doubt, you can always use something like Google’s Safe Browsing to look up websites.
Use Strong Passwords
The first and most obvious tip is to use strong passwords for each of your accounts. Not only should each password be secure, but each website should have its own password. Re-using passwords is a common mistake that can severely compromise your security. If just one website stores passwords incorrectly, and there’s a leak, every account that uses the same password can be compromised.
This is where a good password manager can help. As its name suggests, a password manager takes the burden of managing passwords away from you and onto some program. The simplest password manager would basically be a database of websites and your usernames and passwords. You’d still be responsible for generating them and looking up the correct credentials. Luckily, we have much more advanced password managers available.
A good password manager actually makes having different passwords for each website easier than reusing the same one. For example, both LastPass and Dashlane offer browser extensions that can automatically fill out login forms. They can also easily generate secure passwords for you to copy and paste when signing up for websites. The best part is that LastPass is free, so there’s no reason not to use it.
Even if you decide to not use a password manager for some reason, at least use the one built-in to your browser or operating system. A good example of this is Keychain on Apple devices. It automatically sync across all of your devices and also has autofill. It even automatically generates and enters secure passwords for you when you create a new account. Other browsers like Chrome also offer integrated password management with similar features.
Use Two Factor Authentication
More and more websites are adopting something called two factor authentication. Basically, it adds a token you need in addition to your password to sign in. This ensures that even in the event that your password is compromised, no one can log in. However, it does come at the cost of convenience. Each time you want to log in, you’ll need to basically enter two passwords. This usually isn’t too bad, and most websites will keep you logged in for long enough that the few extra seconds it takes are worth it.
Many websites offer two factor authentication by sending you a text message with the token. While this is better than nothing, it’s not as good as using an offline method, like an app. If an attacker were to somehow route your phone number to them (which does happen), SMS based two factor is pretty much useless. What’s the point of two factor authentication if the second factor is send to the attacker?
A more secure option is to use an app like Google Authenticator (or LastPass Authenticator, if you’re already using LastPass), which works by using TOTP or HOTP. These algorithms generate the second factor of authentication offline. To set them up, you typically scan a QR code that contains the information required to begin generating the tokens. For TOTP, a new code gets generated every 30 seconds, so even if someone sees you typing in the code it’s probably too late to use it. Additionally, it also protects you in situations where your phone number gets stolen since the second factor is tied to your phone, not your phone number.
Some password managers, like Dashlane and 1Password integrate two factor authentication into the same interface as your passwords. In this case, you only need to open one app to sign in. Not only that, but your two factor codes are now also protected by your master password.
Sign In With Google
Many websites will let you log in with Google or another service instead of registering with your email and a password. This solves the problem of needing a secure and unique password for each account while still being secure. The website isn’t given your Google password, so that’s one less password that can get leaked. Additionally, it’s much easier to keep just your Google account secure, and use that to log in everywhere else than it is to keep all of your logins secure.
However, this does come at the cost of consolidating your online presence. If someone were to compromise your Google account, they can now also log in to every account you use log in with Google for. That being said, if you use a strong password and two factor authentication for Google, it’s probably at least as secure as the alternative. Additionally, Google has a lot more to lose if they mess up, so I’m willing to bet they implement very stringent security policies. There are also privacy concerns with letting Google know which services you use, but they probably already know that.
Secure Your Email Account
As most online passwords can be reset by clicking a link sent to you via email, it’s important that your email account is as secure as possible. If you’re using Gmail or other web-based email services, just apply the rest of this post to your email account as well. Otherwise, you just need to use a really long, secure password and hope for the best.