Two pieces of software can help stop your accounts being hacked and your online identity being stolen. One is a password vault and the other is an authenticator. It’s time to secure your online accounts if you haven’t already. And here is a way forward.
The leaking of details of 530 million Facebook users shows yet again there is a dire need for all of us to create a safer online presence.
If you want to check if you have a problem, Microsoft web security consultant Troy Hunt’s site Have I Been Pwned is a good place to start. Plug in your email address or phone number and you’ll see whether you are at risk. That should motivate you into action.
Managing and updating passwords can be a pain if you don’t do it systematically. A password manager or vault will help you maintain and update passwords for each site you visit, so that any passwords the hackers hold are quickly out of date.
Beware of using your browser to maintain your passwords. It can be a dangerous practice as a savvy hacker can use a browser’s own tools to unscramble passwords, depending on the browser.
Decent password vaults encrypt your passwords; they can only be accessed with a master password that only you know. It’s the only password you need to remember, so make it complicated. Write it down but never store it digitally or online. I usually only need to enter it once a day on my desktop. On my phone, I access it with fingerprint authentication.
Vaults typically prompt you to periodically change passwords and offer secure replacements using a password generator. They autofill usernames and passwords when you visit websites, making logins easy.
Vaults have other features. They can include digital wallets which store credit card details for when you shop online, and your name and address details for when you fill in forms. (I never store CVV or PINs. They remain in my head.)
Password vaults either store password data in the cloud or on the device. A password vault in the cloud could be hacked but is safe as long as the data is encrypted and unreadable without your master password. Lastpass suffered an incident in 2015 but says the data was unreadable due to encryption.
The advantage of cloud storage is that if you change a password while using one of your devices, the change is available in your vaults on your other devices. Vaults that store passwords on a device are arguably more secure but you have to update passwords for each device.
Vaults may look complicated, but they make password management simple. Each of the sites you access has a unique, strong password which, hopefully, you don’t need to remember or type in full – just copy and paste it or let the vault auto-fill login details.
Going passwordless may be an option in the future but currently there are questions about reliance on biometrics and whether enough users have the equipment to make a password-free experience viable. So we are mainly stuck with passwords for now.
Here are popular password vault options.
Lastpass offers free, paid, family and business versions. There are Lastpass apps for desktops, laptops, phones, tablets and smart watches, and browser plug-ins. The premium version monitors your accounts for suspicious behaviour and tells you if your information is compromised on the dark web. It offers multi-factor authentication and there’s a dashboard for improving your password security. There has been some angst at Lastpass’s decision to roll back some features in the free version and add them to the paid version. But it remains a great choice. (Free or $4.50 per month premium and $6.00 family). I used Lastpass for years.
Dashlane’s free version is limited to storing a maximum of 50 passwords on one device. However, its paid version is feature rich, with dark web monitoring and alerts, and a VPN service thrown in. You need the even more expensive family version for two-factor authentication, which should be part of its more basic offering. (Free, $4.33 per month premium and $6.55 family)
The popular 1password has many of the same options but includes ‘watchtower’, which keeps track of password breaches and other security issues, alerts you to weak and compromised passwords, and sites missing two-factor authentication. You can print a copy of your passwords for safekeeping. ($3.93 or $6.55 monthly for families)
Bitwarden’s free version offers ample functionality and has an attractive, compact user interface. The premium version costs just $US10 per year ($13.13) and is a bargain. It supports two-step logins with Yubikey, U2F and Duo as well as time-based one-time passwords (TOTP), and offers you vault health reports. I currently use Bitwarden. (Free, $13.13 per year premium, $52.51 per year family)
I include Myki because it stores your encrypted password vault on your phone rather than in the cloud like the rest here. You get around repeating password changes on each device by syncing changes device-to-device, or syncing to Myki browser plugins. Myki is different in other ways. There is no master password; instead you unlock it with fingerprint recognition or a PIN. It also supports two-factor authentication. Myki, like other vaults, stores payment cards, secure notes, and identity details. With no cloud to support, Myki is free unless you want to use Myki for Teams ($6.56 monthly) or more.
Many of us are familiar with two-factor authentication at workplaces. After typing a password, you verify your login by entering a code sent by SMS, or by fingerprint recognition or another means. You might get a phone message to confirm your login.
Two-factor authentication is designed to make sure it is indeed you logging in, rather than a hacker from across the net who has your password. Only you have the verification code, so even if hackers know your password, they still can’t access that site.
Some see two-factor authentication as a curse and time consuming. With care, you can make it less intrusive.
But first, a word about phone number authentication where you are sent a code. Hackers globally and in Australia have used SIM-swapping to hijack mobile numbers and intercept the verification codes sent to them. That could mean access to your bank accounts, as Australia’s banks widely use SMS verification.
Phone numbers are often part of these major leaks. The recent leak of 530 million Facebook user details included phone numbers, an item Facebook demands that you provide for security reasons (it also quietly uses phone numbers for advertising tracking).
Australia has enacted law that offers some safeguards. If you go to a store for a new SIM, the shop attendant is supposed to call you on your old SIM to ensure you’re not a scammer.
There are better forms of two-factor authentication. You can use an authenticator app which provides a code you enter into the application requesting it.
There are dozens of authenticators to choose from, including Microsoft Authenticator, Google Authenticator, and Duo by Cisco. Authy by Twilio is a popular choice.
You need to set this up for each site you visit. For example, with Facebook you go to security and login settings. The two-factor authentication setting will show you how to pair the authenticator app with the site, so that the authenticator generates the correct codes.
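To show what happens between that pairing step and the six digits on the screen, here is an added example that is not from the article or from any of the apps it names. It implements the time-based one-time password algorithm (TOTP, RFC 6238, built on HOTP, RFC 4226) that authenticator apps use, starting from the base32 secret a site displays at pairing, and adds the check a site would run on a submitted code. The secret is the published RFC test secret, not a real account’s key; the function names are this example’s own.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed pairing secret: the base32 string a site shows (or hides behind
# its QR code) when you enable an authenticator. This value is the RFC 6238
# test secret "12345678901234567890", not any real account's key.
DEMO_SECRET_BASE32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_base32: str) -> bytes:
    """Turn the displayed base32 secret into the raw key both sides share."""
    cleaned = secret_base32.strip().replace(" ", "").upper()
    # Sites often omit '=' padding; b32decode needs a multiple of 8 characters.
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)  # 8-byte big-endian counter
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # low nibble of the last byte picks 4 bytes
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of 30-second steps
    since the Unix epoch. The app and the site run exactly this, which is
    why the code changes every half minute and why the app needs no network."""
    return hotp(key, for_time // step, digits)


def verify_totp(key: bytes, submitted: str, now: int, step: int = 30,
                digits: int = 6, skew_steps: int = 1) -> bool:
    """Server-side check: accept the current code and one step either side
    to tolerate phone clock drift, comparing in constant time so the
    comparison itself leaks nothing about the expected code."""
    for delta in range(-skew_steps, skew_steps + 1):
        candidate = totp(key, now + delta * step, step, digits)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


if __name__ == "__main__":
    key = decode_secret(DEMO_SECRET_BASE32)
    now = int(time.time())
    code = totp(key, now)
    print(f"Code the authenticator would show right now: {code}")
    print("Site accepts it:", verify_totp(key, code, now))
```

Two points the code makes concrete: the shared secret, not the six-digit code, is the thing to protect, which is why vaults store it encrypted; and a site that accepts a skew window should also remember the last step it accepted for an account so that an intercepted code cannot be replayed within the window.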
An authenticator is the second piece of software that I recommend.
However, you can probably get away with one piece of software, because the password vaults listed above include in-built authenticators. Be aware you may need to pay for premium versions of the vaults to use them.
So for me, to set up two-factor authentication for Facebook, I open the Facebook record in my Bitwarden vault and insert the code that Facebook offers into the Bitwarden app.
Whenever I want to use Facebook, the Bitwarden password app not only enters the username and password, but offers up the authentication code as well. It’s an all-in-one solution.
I can also verify my login by tapping my Apple Watch. Other watches may provide a similar option.
This makes two-factor authentication simple once you have it set up.
There is yet another option – a Yubico key which you leave plugged into a USB port. When you need to authenticate, you press the button on the Yubico.
Some sites will register your computer or phone as a trusted device, so you only go through authentication periodically. The assumption is that no one else will access that device, so make sure your phone has a secure 6-digit PIN.
With a little thought, you can make your online life more secure and access sites with minimal effort once things are set up.