How To Protect All Your Online Accounts
1. Create “high entropy” passwords.
Use a password manager that creates long and random passwords for you such as LastPass, or make a set of rules for yourself that will allow you to generate your own random passwords.
Brett McDowell, executive director of the FIDO (Fast Identity Online) Alliance, a group of 250 companies worldwide working on industry standards for stronger authentication, says, “Most people think ‘have a strong password’ means, choose a password that people can’t guess in the seven or eight attempts before you get logged out. No no no. That’s not the only reason.” If the company’s database gets hacked (which you should expect), even if the passwords in it are encrypted, the hacker will have unlimited tries to crack your password. “The encryption process that’s used is harder to crack if the original password has a higher entropy,” says McDowell.
A trick to doing this, if you’re not using a password manager, is to create a high-entropy password of random numbers, upper- and lower-case letters and special characters. Memorize this. Then come up with a rule that will create a unique password for every website you use.
For instance, if you are creating a new password for United.com, maybe your rule is to take out all the vowels and then take the consonants but shift them all to two letters later in the alphabet. So if your gobbledygook password is 1A@0z# (it really should be longer), then you add WPVF (all two letters later in the alphabet than UNTD) to the middle of it, so your password is now 1A@WPVF0z#.
Applying the same rule to shopbop.com, the password would become 1A@UJRDR0z# (with the middle letters all two letters later in the alphabet than SHPBP). But don't use the rule I just outlined here -- make up your own.
2. Don’t answer security questions truthfully or the same across all sites.
When hackers take a company’s database, they don’t just get the passwords. They also obtain the answers to security questions. Plus, as Chris Hadnagy, chief human hacker of Social-Engineer, pointed out in my article on the phone hijackings, they don’t even need to hack anything to get this information. You probably put a lot of it out on social media yourself.
However, if your answers differ slightly from site to site, that makes it harder for the hacker to get access to any other site. You could use a rule similar to the password one above to create unique answers for each site.
3. Do NOT connect your main phone number, the one you protected via the steps above (unless it is managed by Google Voice), to any sensitive accounts.
If you’ve ported your main number to Google Voice and secured that email account, then this likely isn’t necessary, since your number is pretty safe from being hijacked. However, if your main number is still at a telco and not managed by Google Voice, then you’ll want to completely divorce your phone number from all sensitive accounts.
Create a brand new Gmail email account. Do not connect it to any of your existing email accounts. (When signing up for a new Gmail, you don’t need to enter a phone number or current email, although there are fields for you to do so. Leave them blank.) Once you’ve created the new island-unto-itself email address, create a new Google Voice number. I would even select a random area code.
Secure this email account with a long, high-entropy password and one of the two methods outlined below — a one-time passcode generator such as Google Authenticator or a FIDO security key.
Then, enter this phone number for any of your online banks or any other sensitive account, such as Facebook, Twitter, Dropbox, Evernote, Slack, etc., that has you enter a phone number either for 2FA via SMS or password recovery.
That way, if your regular phone number is hijacked, the hacker can’t get into any of these accounts and reset the password. But you must secure that email address — otherwise, that Google Voice number can be compromised, and then the whole point of this process becomes moot.
4. Use one-time passcode generators.
Passwords can easily be stolen through phishing attacks, in which the hacker poses as a legitimate service and asks the user to enter their password on a website doctored to look like that company’s website, or via keyloggers, in which the target is unwittingly persuaded to download malware onto their computer that then records every keystroke, giving away the passwords to the hacker.
For that reason, time-based one-time passcode (TOTP) generators such as Google Authenticator, in which you have a device with an app generating new codes every 30, 60 or 90 seconds, can be a strong additional second factor. The only way you can enter the correct temporary code is if you have the device that created it. Many services, including Google, Facebook, Twitter, Dropbox, Evernote and others, offer this option for security in addition to the password and as a more secure choice than 2FA via SMS.
However, McDowell notes that these are increasingly compromised because they still operate on the same “shared secret” model as passwords. “I still have to give that secret away to use it,” he says. “I still have to type that number into some application, and if I’ve been tricked into typing it into the wrong application, I’ve just given that code to someone else. The thinking used to be, well, so what, because it expires quickly, but the attackers are sophisticated. They’re doing real-time attacks and they collect that code and get into that account while you sit there looking at an error message wondering, what did I do wrong?”
A Google executive, in fact, said at the Cloud Identity Summit in 2015, “A phisher can pretty successfully phish for an OTP just about as easily as they can a password.”
5. Use a security key.
These devices, which are relatively inexpensive, operate on a new FIDO industry standard protocol called universal second factor, or U2F. Again, it starts with the first factor — your password (what you know). The second factor is a what-you-have factor: a physical security key device such as a YubiKey. Some of these devices are USB ones that are inserted into a USB port, and others are Bluetooth- or NFC-enabled, so you simply hold the key near the login screen.
Such a device uses something called public key cryptography, where the public key and private key differ. The private key is on your device, and it never goes to the server. It always stays on your device, but when you want to sign in, the server sends a challenge to the device, which in turn challenges the user. You simply have to touch it so that the service knows a human is present and not a bot trying to attack the account, accomplishing the same purpose as CAPTCHA tests online.
It is “not vulnerable to social engineering, never gives away the secret,” says McDowell. “Not only do you not give the private key away, but malware can’t get the private key off the device, so with FIDO authentication with these security keys, I have to physically steal your security key device in order to compromise your authentication credentials — I can’t do it remotely. I can’t trick you into doing it for me, can’t trick you into getting me into your account.”
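The challenge-response McDowell describes can be sketched in code. The example below is added here and is not the article’s or the FIDO Alliance’s code. It reduces U2F to the part that defeats phishing, the origin binding: the key holds a separate key pair per site, the browser reports the origin the user is really on, and the server verifies against its own origin only. Real U2F signs more fields (application parameter, user-presence byte, counter, and the hash of client data carrying the origin); the hash layout here is this example’s own, and `https://bank.example` and `https://bank-login.example` are constructed stand-ins for a genuine and a look-alike site.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator stands in for the security key: one key pair per origin it was
// registered with. Private keys never leave this struct; only signatures do.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey
}

// Register makes a fresh key pair for the reported origin; only the public half goes out.
func (a *Authenticator) Register(origin string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	if a.keys == nil {
		a.keys = make(map[string]*ecdsa.PrivateKey)
	}
	a.keys[origin] = priv
	return &priv.PublicKey, nil
}

// signedData binds the challenge to an origin. This simplified layout (example's
// own) keeps just the origin binding that makes a relayed challenge useless.
func signedData(origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0}) // separator, so origin and challenge cannot run together
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign answers a challenge for the origin the browser is actually on. The touch
// is the user-presence check from the article; without it nothing is signed.
func (a *Authenticator) Sign(origin string, challenge []byte, touched bool) ([]byte, error) {
	if !touched {
		return nil, fmt.Errorf("user presence not confirmed")
	}
	priv, ok := a.keys[origin]
	if !ok {
		return nil, fmt.Errorf("no credential registered for %s", origin)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedData(origin, challenge))
}

// Server stores users' public keys and verifies only against its own origin.
type Server struct {
	origin string
	users  map[string]*ecdsa.PublicKey
}

func NewServer(origin string) *Server {
	return &Server{origin: origin, users: make(map[string]*ecdsa.PublicKey)}
}

// NewChallenge is 32 fresh random bytes per login, so a signature cannot be replayed.
func (s *Server) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify checks the signature over the server's own origin and its challenge.
func (s *Server) Verify(user string, challenge, sig []byte) bool {
	pub, ok := s.users[user]
	return ok && ecdsa.VerifyASN1(pub, signedData(s.origin, challenge), sig)
}

// loginFlow runs one authentication: the challenge comes from srv, but the key
// signs under browserOrigin, which differs from srv.origin on a phishing page.
func loginFlow(auth *Authenticator, srv *Server, user, browserOrigin string) (bool, error) {
	challenge, err := srv.NewChallenge()
	if err != nil {
		return false, err
	}
	sig, err := auth.Sign(browserOrigin, challenge, true)
	if err != nil {
		return false, err
	}
	return srv.Verify(user, challenge, sig), nil
}

func main() {
	// Constructed origins: the genuine site and a look-alike phishing site.
	bank := NewServer("https://bank.example")
	phish := "https://bank-login.example"
	key := &Authenticator{}
	pub, _ := key.Register(bank.origin)
	bank.users["alice"] = pub
	ok, err := loginFlow(key, bank, "alice", bank.origin)
	fmt.Println("genuine site:", ok, err) // true <nil>
	// The phishing page relays the bank's challenge, but the browser reports its
	// own origin. Even if the victim had registered the key there, the signature
	// covers the wrong origin and the bank rejects it.
	key.Register(phish)
	ok, err = loginFlow(key, bank, "alice", phish)
	fmt.Println("phishing site:", ok, err) // false <nil>
}
```

Compare this with the TOTP case: there the six digits are valid wherever they are typed, whereas here the signature is worthless anywhere but the origin it was made for, and the private key that made it was never transmitted, so there is nothing for a keylogger or a fake page to capture.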
6. Use a device that uses biometric authentication.
The public key cryptography method can also be designed for a passwordless experience, set to what’s called the FIDO UAF (universal authentication framework) standard, which requires multiple authentication factors, typically a what-you-have (a device with the private key) and a what-you-are authentication factor such as a fingerprint, iris or voice scan via biometric sensors.
However, this doesn’t require the private key to be placed on a separate device such as a YubiKey. The what-you-have factor is your computer or tablet or mobile phone itself, so when you log in this way, it seems to you that there’s only one gesture required — swiping your fingerprint or looking at the camera.
“I touch something, I look at something, maybe I talk to it — it couldn’t be easier from a usability perspective, and it’s an un-phishable, not attackable remotely, an unscalable attack,” says McDowell. “In order to attack a FIDO credential, in the case of multiple credentials, I have to steal your phone then compromise your biometric sensor.” Although this can actually be done, it’s a difficult, time-consuming process (and also probably not very profitable, since it’s expensive and labor-intensive and can’t be done at scale), and McDowell says, “in the meantime, you’ve just reported a stolen phone and it’s de-provisioned on the server side, and they can’t get in anyway.”
A few devices out in the market now use this FIDO UAF method, including the Samsung Galaxy S6 and S7, S6 Edge and S7 Edge, Note 5 and Note Edge, as well as some devices by Sony, Sharp, LG, Fujitsu and more. And although FIDO is not built into Apple devices, Touch ID is open to third-party applications, so iOS apps can employ FIDO authentication. For instance, Bank of America offers FIDO on Apple and Android devices.

In conclusion, while these steps may seem time-consuming, they can be accomplished in a few days and can save you the huge hassle, headache and potential losses of having your phone hijacked, your email account compromised, or your financial accounts and other sensitive information hacked.