Checklist 213: New Year Security Resolutions
The New Year is the perfect time to make positive changes in your life, so this week we’re bringing you two cybersecurity-themed New Year’s resolutions that will help keep you safe through 2021 and beyond.
Resolution #1: Get a password manager
If you’ve been listening to The Checklist for a while, you probably know that you should get a password manager … but maybe you haven’t gotten around it yet. Maybe you’ve just been putting it off. Or maybe, like a lot of people who have never used one before, you’re a little freaked out by the thought of it! What if it’s hard to use? What if you lose all of your passwords?
We get it — and we’ve been there, too. But here’s the thing: Password managers are essential in today’s world. Most people have an overwhelming number of accounts, websites, apps, and services. All of those have passwords. And if you don’t have a password manager, you’re probably doing one of two things. You’re either using simplistic passwords, which are very easy for bad actors to guess or to hack. Or you’re reusing passwords across multiple sites, which is arguably even worse, since if someone gets hold of just one of those passwords, they’ll be able to access lots of your accounts. Sadly, the bad guys do manage to get hold of people’s passwords all the time, through data breaches, poor app security, or phishing attacks.
Password managers let you create individual, ultra-secure passwords for each and every account you own, and they do all the work of remembering those passwords for you. In addition, once you get over the initial adjustment period, they’re actually really easy to use. You only have to keep track of one password: the master password for your password manager app. Some password managers even let you use Face ID (on an iPhone) or Touch ID (on a Mac), making things even easier.
So which password manager should you get?
If you’re entirely within the Apple ecosystem, you’ve already got one: Keychain. This will work across all of your devices, and also contains some “password manager-like” features such as Secure Notes.
If you’re a multi-platform user, though, you’re going to want to go for a fully featured password manager app. You’ve got plenty of good options here. If you can afford to spend a little bit of money on it, you can’t go wrong with 1Password. Some popular free options include LastPass and Dashlane (we’ve actually got a walkthrough that explains how to install Dashlane on a Mac if you want some help).
If you decide to take the plunge and get yourself a password manager, what then? Do you really have to go through every single account and add it to the app right away, or change every password on day one?
Absolutely not. In fact, for many people, that would be such a daunting task that it might put them off even trying a password manager, let alone using it regularly. So here’s what we recommend: Just use your new password manager a little bit every day. Learn how it works. Explore the menu options. Get used to it. Add one account on Monday, change a password on Tuesday, and so on. Before you know it, using your new password manager will be second nature, and by this time next year, you’ll wonder why you ever waited so long to get one!
Resolution #2: Turn on 2FA
Password managers are great, and they can help you create strong, unique passwords for all of your accounts. But there’s one problem. What happens if a hacker gets their hands on one of those strong, unique passwords? Well, then you’re out of luck: They’re into your account. This happens more than you might think, unfortunately, but there’s an easy way to protect yourself: two-factor authentication, or 2FA.
Passwords are just authentication factors: you go to log into your account, you’re asked to authenticate yourself by providing the password, i.e. to show that you really do have permission to access the account, and as long as you can enter the password correctly, you’re in. A standard account, then, has what we might call “one-factor” authentication!
With two-factor authentication, there’s an additional step: you also have to provide a second authentication factor at login in order to prove that you should be allowed to access the account. In terms of security, this means that if a bad guy has your password, they can enter it all day long, but if they don’t have that crucial second authentication factor, then they’re out of luck: They won’t be allowed to access your account.
With the amount of data breaches and phishing attacks out there, 2FA should be considered a security essential at this point — it’s not really extra security as much as it is basic security these days! So if you haven’t turned on 2FA yet, then let 2021 be the year you do it. Like password managers, two-factor authentication can seem somewhat intimidating or even confusing if you haven’t used it before … but also like password managers, you’ll get over that weirdness factor very quickly, and before you know it, 2FA will be just another part of your daily routine.
You may be wondering what that second authentication factor in 2FA actually is. The answer is: It depends! There are lots of different ways to do two-factor authentication. But broadly speaking, your second authentication factor is going to fall into one of three categories: something you have, something you know, or something you are.
Something you have
This literally means something that you physically possess.
In some cases, this could be a physical hardware key, which is an increasingly popular (and extremely secure) version of 2FA. Key-based 2FA, however, is still not very common, and not all websites and apps support it.
For most people, the “something they have” is just going to be their mobile device. More specifically, it’s going to be an app on their mobile device: something called an “authenticator app”. There are a few options here, but probably the two most widely used ones are Authy and Google Authenticator. Don’t let the name Google put you off. Yes, the company has definitely had its share of issues around user privacy. But in this case, Google Authenticator is just a simple tool that lives on your phone, and it won’t share any of your data with Google! The app just displays a six-digit authentication code that changes every minute or so. When you go to log in to an account, you’ll be asked for the current code, and you just enter whatever number you see in the app in order to access your account.
One-time codes sent to your phone by SMS are another option, although these can’t be considered completely secure, since it’s possible that bad actors could intercept 2FA codes sent by SMS. Of course, given the choice between 2FA using SMS or nothing at all, you should definitely opt for the text message version of 2FA. It’s not perfect, but it’s way safer than just using a single authentication factor to access your accounts.
Something you know
There are also implementations of 2FA where the second authentication factor is something that you know, which usually takes the form of an answer to a security question (e.g. what street did you grow up on; who was your favorite teacher, etc.).
This is definitely better than nothing, but it’s far from ideal. The problem is that there is so much publicly available information on the Internet that bad guys can find out a lot about us by doing a simple web search, and thus might be able to guess the answer to some of these questions.
In general, this type of 2FA should be avoided if possible. If you’re really stuck with it, one way to make things safer is to provide memorable “nonsense” answers to the security questions — in other words, something that isn’t a true answer to the question, but that you will remember and that a hacker would be very unlikely to guess. For example, if you’re asked who your favorite teacher in high school was, enter your favorite TV teacher instead; if you’re asked for the name of your favorite band, enter the name of your favorite painter instead. The problem with this method, however, is that it’s fairly easy to forget one of your “clever” fake answers, at which point you’d be locked out of your account.
Something you are
The final type of authentication factor is called an “inherence factor”, which is another way of saying that it’s something that you are. In the context of secure authentication, this refers to biometrics: things like Face ID or Touch ID.
Face ID is technically just a single authentication factor, but since it is only ever used in conjunction with an iPhone (i.e. something you have), it’s basically 2FA by default. After all, a bad guy can get your phone, but they won’t have your face!
So how do you actually go about setting up two-factor authentication?
Well, as with password managers, remember that you don’t have to do this all at once. You can start with one or two of your most sensitive or frequently used accounts — maybe your email or PayPal account and a social media account — and slowly build from there. A gradual approach is recommended, because the mechanics of turning on 2FA vary from account to account. If you have 50 different accounts, this isn’t something you’re going to want to set up all at once!
Generally speaking, you can find the option to enable 2FA somewhere in the “login” or “security” area of your account settings. We have a simple walkthrough that will show you how to set up 2FA on a Twitter account if you’d like an example. And if you get stuck, remember that most big websites or apps have user guides or even video tutorials intended to help people set up two-factor authentication. Just do a quick web search for “<website or app name> how to set up 2FA” and you should be able to find some help.
There’s one other thing to think about when you set up 2FA: If you lose your second authentication factor, you’re going to need a way back into your account. Websites and services usually have some kind of user support process to help you accomplish this, but these recovery procedures can be difficult, time consuming, and, frankly, frustrating. This is why it’s important to print out your own “recovery codes” ahead of time, so you’ll have a way to access your account in case you ever get locked out.
Recovery codes are basically just single-use codes that can be used to get you back into your account in an emergency. You can typically generate them in the same account settings area where you turned on two-factor authentication in the first place (if you don’t see it, just do a web search for something like “<website or app name> generate recovery codes”). Print these out — yes, as hard copies — and keep them somewhere very secure: A bank safety deposit box or a home safe is your best bet. If a site or service doesn’t allow you to print out recovery codes, then you may want to forgo 2FA for that particular account!
That brings us to the end of this Checklist. If you decide to follow through with either (or both) of these resolutions, drop us a line and let us know how it’s going! And as always, if you have questions or want to suggest a topic for a future episode, we’d love to hear from you.