Few guidelines to secure your log-in credentials of a ton of web-services you use.
- Use different (strong) passwords for different web-services.
- Use password managers.
- Use Multi-Factor Authentication (MFA).
- Keep your account recovery information up-to-date.
Do you know how many digital services you use? Take a guess! Chances are that you’re using 100+ web-services & apps. Most of the web-services will ask you to create an account on their web-site. It’s not practical to remember the log-in credentials of all web-services you use. What do you do?
You use the same combination of username and password for most (if not all) of the web-services. You are an informed digital user and hence you create and use a strong password. You generally create a password which starts with a capital letter, contains special characters in between and ends with a number. You use special characters by substituting “$” for “s”, “@” for “a,” and so on. Perfect! What could go wrong?
Well, let’s start with the practice of using the same combination of username and password for all the web-services. Companies such as Google, Microsoft, Facebook etc. build strong security infrastructure, employ top-notch security professionals and lead the efforts in standardizing and implementing security best practices. Unfortunately, not all web-services employ the same security standards. Chances are that some of the web-services you use, are vulnerable to data-breaches. Remember the 2012 LinkedIn data breach?
Sounds scary? Try this! Head over to this website and check if your e-mail address can be found in one of the known data breaches. Check if the password you currently use has been leaked in one of the known data-breaches. Got some red results? Time to change your password!
Hackers know the fact that people generally use the same log-in credentials for most of the web-services. They don’t have to hack the well-built, secure web-services. All they need to do is to break into the weakest of the web-services and they have the keys to get into the well defended web-services. They also know that if people don’t use the same password for all the web-services, they generally use a slight modification of their password in different web-services.
What to do then? This brings us to Rule #1.
Use different (strong) passwords for different web-services.
I’ll not go into the details of what a strong password is. However, I can offer my two-cents. Passwords shouldn’t be predictable and they must be long enough (10 characters or more) to prevent a brute force attack. Examples of good passwords: lWhZo9inVos0, D0Ra8MD5mM24 etc. Tools are available that can help you generate strong passwords.
Okay, but we can’t possibly remember (such complex) log-in details of all web-services. Yes, we can log-in using our Google, Facebook, Twitter account on web-services which do provide this feature but some of them don’t. This brings us to Rule #2.
Use password managers.
Password managers are web-services and apps that help you to store and manage your log-in credentials for different web-services. Apart from helping you to create and store strong passwords, they expedite the web-service authentication process. They’re available as Ad-Ons for popular web-browsers and as apps for Android & iOS. For example, I have been using LastPass for the past couple of years and the experience has been great. However, you can do your own research and choose the password manager of your choice.
Okay, great! But we’re putting all our eggs in one basket. What if the password manager gets hacked? The hackers would have access to all the web-services we use. That is a valid concern. We can’t rule out this possibility. However, since it’s the bread and butter of password managers to secure their customer’s data, it’s highly likely that they’re putting their best efforts in employing the security best practices. Nevertheless, how to mitigate this risk? Rule #3.
Use Multi-Factor Authentication (MFA).
MFA adds an extra layer of security to your web-service accounts. MFA can be in the form of a one-time password (OTP) being sent to your mobile number or using apps such as Authenticator.
This is all good! But what if I loose my MFA device (mobile-phone)? Rule #4.
Keep your account-recovery info up-to-date.
Make sure that your web-service account recovery details are up-to-date and correct. When setting up the MFA using the Authenticator app, you are provided with the recovery codes. Please store them securely in a place where no-one except you can access them. Don’t forget where you kept them.
Keeping your digital identification information secure is the responsibility of both, you and the web-service providers. If both the parties employ security best practices and guidelines, it will enable the safe and secure use of digital services, helping our society move forward.
Interesting articles to read: