Not so long ago, we read news about leaked private photos of celebrities. Sources said the photos had been obtained from iCloud, yet Apple stated that its servers had not been hacked: someone got the photos because they could figure out the weak passwords used by the account owners. Next came news that someone had posted millions of Google usernames and passwords. Again, Google announced that its servers had not been hacked. Those passwords leaked because some people use the same password on multiple sites. When a site with weak security is hacked and some of its users reuse that same password for their Google accounts, the attackers naturally get hold of their Google passwords as well.
It takes effort from both sides to protect our online accounts. Service providers like Google, Apple and Facebook do their best to secure their servers from attack. However, all their effort goes to waste if we don't do our part to protect our own accounts.
Here are a few general tips to increase the security of our accounts:
1. Use good passwords.
A good password should not contain any part of a date of birth (our own, our spouse's, our children's, or that of anyone close to us); it should not contain our driver's license or social security number; it should not contain our phone number, zip code or house number; it should not contain our name or nickname or the name of anyone close to us; and it is recommended not to use a word that appears in an English dictionary. Another criterion of a good password is a mix of uppercase and lowercase letters, digits and symbols. Replacing some characters with digits of similar shape is a common practice, but don't do it consistently for every occurrence in the password. For example, pancake can be twisted into p4ncak3. Notice that only the first letter "a" is replaced with "4"; the second "a" stays unchanged. If we use p4nc4k3 as the password, automated password-guessing scripts will find it more easily. Be aware, though, that password-cracking tools apply these substitutions automatically through rule lists, consistent or not, so p4ncak3 is only marginally harder to guess than pancake itself; length and unpredictability do far more for strength than substitutions. There is no fixed rule on the minimum length of a good password, but I generally believe that any password shorter than 8 characters is too short and makes the cracking script's job easier; treat 8 as a floor, not a target.
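As an added worked example (not code from the original post), here is a small Python checker that applies the rules above to a candidate password. The five-word dictionary and the personal details are constructed stand-ins; a real check would load a full word list and every detail an attacker could look up. It goes one step further than the text: because cracking tools undo leet substitutions automatically, it maps p4ncak3 and p4nc4k3 alike back to pancake before the dictionary check, so both are rejected.

```python
import re
from datetime import date

# Constructed stand-in for an English word list; a real check would load a full
# dictionary such as /usr/share/dict/words.
DICTIONARY = {"pancake", "raspberry", "jupiter", "password", "summer"}

# Substitutions that cracking rule sets (hashcat's leetspeak rules, for example)
# undo automatically, whether the user applied them consistently or not.
LEET_MAP = str.maketrans({"4": "a", "3": "e", "1": "i", "0": "o", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})


def undo_leet(password):
    """Map digit/symbol substitutions back to letters: p4ncak3 and p4nc4k3 both become pancake."""
    return password.lower().translate(LEET_MAP)


def personal_tokens(name, nickname, birthday_iso, phone, zip_code):
    """Personal details in the forms people actually type them into passwords (all lowercase)."""
    bday = date.fromisoformat(birthday_iso)
    tokens = {name, nickname, phone, re.sub(r"\D", "", phone), zip_code}
    for fmt in ("%Y", "%d%m", "%m%d", "%d%m%y", "%m%d%y", "%Y%m%d", "%d%m%Y", "%m%d%Y"):
        tokens.add(bday.strftime(fmt))
    return {t.lower() for t in tokens if t}


def check_password(password, personal):
    """Return the list of rules the password breaks; an empty list means it passes all of them."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    for label, pattern in (("lowercase", r"[a-z]"), ("uppercase", r"[A-Z]"),
                           ("digit", r"[0-9]"), ("symbol", r"[^A-Za-z0-9]")):
        if not re.search(pattern, password):
            problems.append(f"no {label} character")
    lowered = password.lower()
    for token in sorted(personal):
        # Very short tokens (a two-digit day, say) would match almost anything, so skip them.
        if len(token) >= 3 and token in lowered:
            problems.append(f"contains personal detail '{token}'")
    plain = undo_leet(password)
    for word in sorted(DICTIONARY):
        if word in plain:
            problems.append(f"built on dictionary word '{word}' (substitutions undone)")
            break
    return problems


if __name__ == "__main__":
    # Constructed sample identity, not a real person.
    me = personal_tokens("John", "Johnny", "1985-07-14", "555-123-4567", "90210")
    for candidate in ("p4ncak3", "p4nc4k3", "Summer1985!", "Viol3t-Sk1es*Warm"):
        print(candidate, "->", check_password(candidate, me) or "OK")
```

Run it and both pancake variants come back with the same dictionary complaint, while the longer unrelated passphrase passes every rule.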
2. Use a different password for every site.
I know this sounds like a difficult task, but believe me, it's actually doable. Yes, we probably can't remember 100 different passwords. But we can certainly set up a pattern for ourselves. We can set up 3 passwords for different purposes. Password 1 is for crucial things like Internet banking (for example: p4nCak3). Password 2 is for important accounts (for example: raspb3rry). Password 3 is for "not-so-important" accounts (for example: jup1ter). Then we add a few more characters to the password to differentiate one site from another. So the password for site ABC (crucial) would be p4nCak3ABC, the password for site DEF (crucial) would be p4nCak3DEF, and the password for site XYZ (important) would be XYZraspb3rry. The catch is that this pattern is only as secret as the weakest site that holds it: if site ABC stores passwords in plaintext and is breached, whoever reads p4nCak3ABC can guess p4nCak3DEF. So never put the crucial-tier password on a site you do not trust, and change the whole tier if any site in it leaks.
3. Do not write down the passwords in any digital form. If you really have to write them down, do it the old-fashioned way, with pen and paper, and lock the paper in a safe at home.
4. Always log out after using a shared computer.
5. Activate two-step verification.
The last tip is probably the most important improvement to personal account security. Previously we relied on one password alone to access a particular site or service. With two-step verification, the password alone is no longer enough: we must also provide a second code that proves we hold something, normally our phone.
The codes involved are:
a. our own password (it still has to be a good password)
b. a one-time code for every login, either sent by the server to our phone (text message or push notification) or generated on our phone by an authenticator app from a secret shared with the server during setup
c. backup codes generated once by the server, which we need to keep very secure; each stands in for (b) and is normally accepted only once
So every time we log in, we need our password PLUS our phone (to receive or generate the code). Even if someone manages to guess our password, or obtains it from a weakly secured server, he can't access our account because he doesn't have the code on our phone. A code sent by text message is weaker than one generated by an app: anyone who takes over our phone number can read it, so prefer the app where the service offers one.
What about the backup codes? They are not needed most of the time, and they are not a third factor we can pick freely: the password is always required, and a backup code only replaces the phone code in special situations, such as when we have lost all our phones. Because each backup code is accepted only once, the server has to remember which ones have already been used.
Internet service companies implement two-step verification differently. Google offers to send the code to our mobile phone via text message, or to generate it on the phone with an app called Google Authenticator. Apple sends push notifications to a trusted iPhone or iPad, or text messages to our mobile phone.
It would be annoying to do this extra step every day, so many services allow us to define trusted devices. If we log in from a trusted device (like our personal home computer), only our password is needed. But if we (or someone else) try to log in from a different computer, the server-generated code is sent to our phone. If we lose a trusted device, we can usually log in from another machine and revoke the "trusted" status of that device; do this promptly, because whoever holds the device can log in with the password alone until the status is revoked.
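To make the mechanics of the last few paragraphs concrete, here is an added example in Python (not code from the original post or from Google or Apple) of the server side of two-step verification: a password check that is always required, a second step that is either a Google Authenticator style TOTP code (RFC 6238 over RFC 4226 HOTP, standard library only), an unused backup code, or a previously trusted device, and revocation of that trust. The Account class, its method names and the PBKDF2/SHA-256 choices are assumptions for illustration; the TOTP arithmetic is the standard one, and the test vector secret 12345678901234567890 is the one from RFC 4226.

```python
import base64
import hashlib
import hmac
import os
import secrets
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226 one-time code: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30):
    """RFC 6238 code as an authenticator app computes it: HOTP over 30-second steps since the epoch."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // step)


def totp_matches(secret, code, at=None, step=30, window=1):
    """Accept the current step plus `window` steps either side, so phone clock drift does not lock the user out."""
    now = int(time.time()) if at is None else at
    return any(hmac.compare_digest(hotp(secret, now // step + k).encode(), code.encode())
               for k in range(-window, window + 1))


class Account:
    """Server-side record for one user (assumed shape for illustration, not any provider's real code)."""

    ITERATIONS = 100_000  # PBKDF2 work factor; tune to your hardware

    def __init__(self, password, backup_code_count=5):
        self.salt = os.urandom(16)
        self.pw_hash = self._hash(password, self.salt)
        self.totp_secret = secrets.token_bytes(20)  # shared with the authenticator app once, at setup
        self.trusted_devices = set()
        # Backup codes are shown to the user once; the server keeps only their hashes.
        self._unissued = [secrets.token_hex(5) for _ in range(backup_code_count)]
        self.backup_hashes = {self._digest(c) for c in self._unissued}

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)

    @staticmethod
    def _digest(code):
        return hashlib.sha256(code.encode()).hexdigest()

    def provisioning_secret(self):
        """The base32 form of the secret that goes into the authenticator app (by QR code or typed in)."""
        return base64.b32encode(self.totp_secret).decode()

    def issue_backup_codes(self):
        """Hand the backup codes to the user exactly once (to print and lock away), then forget the plaintext."""
        codes, self._unissued = self._unissued, []
        return codes

    def trust_device(self, device_id):
        self.trusted_devices.add(device_id)

    def revoke_device(self, device_id):
        self.trusted_devices.discard(device_id)

    def login(self, password, second_step=None, device_id=None, at=None):
        """The password is always required; the second step is a TOTP code, an unused backup code, or a trusted device."""
        if not hmac.compare_digest(self._hash(password, self.salt), self.pw_hash):
            return False
        if device_id in self.trusted_devices:
            return True  # the trusted-device exception: password alone is enough here
        if second_step is None:
            return False
        if totp_matches(self.totp_secret, second_step, at=at):
            return True
        digest = self._digest(second_step)
        if digest in self.backup_hashes:
            self.backup_hashes.remove(digest)  # each backup code works only once
            return True
        return False


if __name__ == "__main__":
    acct = Account("p4nCak3ABC")
    print("enter this secret in the authenticator app:", acct.provisioning_secret())
    print("backup codes, print and lock away:", acct.issue_backup_codes())
    print("login with password + current app code:", acct.login("p4nCak3ABC", totp(acct.totp_secret)))
    print("login with password only:", acct.login("p4nCak3ABC"))
```

Two details worth noticing: the phone code and the backup code are never accepted without the password, which is what makes the scheme "password plus something you hold" rather than "any two of three"; and a spent backup code is removed from the stored set, so replaying one that leaked from the safe does not work.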
To activate two-step verification for a Google account, open any Google service like Gmail or Google+, then click our avatar in the upper-right corner. Click the Account link and choose the Security tab. You will find the option to activate two-step verification there; just follow the step-by-step guide. Google also lets us generate app-specific passwords for apps that cannot prompt for the second code. So when I set up my Gmail account on my iPhone, I use such a generated password instead of my Gmail password.
To activate two-step verification for an Apple ID, go to http://appleid.apple.com and log in with your username and password. Choose the Security menu and activate two-step verification there. It will automatically detect our iPads or iPhones as long as the "Find My iPhone" feature is activated on those devices, or we can opt to receive ordinary text messages on our mobile phone.
Different services have different methods to activate two-step verification. Unfortunately it's not possible for me to list them all here. However, I believe they generally follow the same pattern and basic concepts. I personally don't activate two-step verification on all my accounts; I only have it activated on accounts that I consider important.