Want to skip ahead – you can now enable Two-Factor Authentication on your account!
Every day, it seems the world is getting more security conscious – and that can only be a good thing!
So much of our lives are conducted online, and a lot of these rely on identifying you, as an individual, and proving that it’s you, and not someone else.
We hear stories regularly of people being “hacked” – but what exactly does this mean in terms of me and you – regular Joe.
We see “hackers” in TV & movies as a stereotypical basement dwelling, socially inept “geek”, sitting in a darkened room, surrounded by screens, furiously tapping away at the keyboard, when a few seconds later, they exclaim (often to no one) “I’m IN!”
In reality, though, most “hacks” we hear of are much simpler than that – someone has combined your username (or email address) with a password – and have simply logged in.
So, how does this happen?
Rather simply, actually. We humans are terrible at coming up with passwords. So, we tend to use something simple, like a favourite pet’s name, or the street name where you grew up. Sometimes, the website requires something a little more complex, so we add a number to the end, we might captilise the first letter, we may add an exclaimation mark after it, but generally, most people probably use a small variety of the same root password.
Does this ring a bell with you as being something like your password?
There’s then (generally) two things that can happen here…
We’ve all seen the Facebook posts… “Your stripper name is your pet’s name and the street you grew up on” – as we’ve already seen above, these are common pieces of information which are used in passwords (or, make up your “personal information” which is used for “password recovery” purposes)
The next (and slightly more complex) is the following hypothetical scenario… A few years ago, a relative was ill, or had lost a loved one, and you decide to send her flowers. You decide to not use a large national company, but to support a local business in her village, so you place an order for a beautiful bouquet from Bob & Sue’s Flower Shop (this name is ficticious, and made up purely for the purposes of this example – if you run a business with this name, I’m sorry, it’s purely coincidental!) via their website. Your relative sends you her thanks for the lovely flowers, and you think nothing more of it.
But, Bob & Sue had their website made by a friend’s teenage daughter who was “just getting into computers, and wants to be a web designer when they grow up” – they put together the site, and, because it just works, it’s not really been touched.
Unfortunately, most software for websites (just like our own) eventually have some kind of security vulnerability discovered, which is reported to the developers of that product, who then fix the vulnerability, and provide an update. This happens regularly – our own site has security updates to its various components on a regular basis – but since Bob & Sue had their website created, it’s never been updated, and there’s a few known exploits available for their specific version.
This allows unsavoury people to use these exploits – and sometimes they’re after things like credit card details – but they’re more difficult to use directly – so, usually, they’re after something that’s equally as valid – usernames (or email addresses) and passwords.
But – the passwords aren’t (we hope!) just stored as plain text – there’s methods in place to do a one way hash of the password. What does this mean? If we apply a set of actions to an input provided by the user – do we get the same result. So, we store the result of performing those steps in the system as the your “password” – then when you want to log in again, we perform the same steps on your input, and compare it with what we stored earlier. If it’s a match, then you must have typed your password, so you’re let in.
For example, our website runs on a software called WordPress. WordPress has a defined set of steps it performs when creating this “hash” of your password. This is well known, and well documented. This, in itself, is not a problem. However, someone creates, using these steps, the result of every single combination of letters, numbers and characters – we have a “lookup” or “rainbow” table of “passwords”.
So – our nefarious ne’er-do-well in this story has access to this rainbow table, and they have the result of your password being hashed from Bob & Sue’s website. They don’t directly get your password, but by comparing the two, they can take a good guess at what your password for Bob & Sue’s site is.
Now, here comes the fun part – they now take this password, and your username/email address – and simply try this on various other sites. And there’ll be a very good opportunity they’ll be let in, because, many people reuse the same passwords!
And then there’s the best one of all – you receive a phone call, or an email, with a threat that your account will be closed if you don’t confirm some information – with a link to a website that looks just like the one you think it is – but, it’s actually a fake site, and all they are looking for is for you to type in your email address and password (or, if it’s a phone call, saying they’re “from your IT department” – and you give it to them over the phone) – and now you’ve willingly given them your information!
These are some of the more common methods of “hacking” – but it’s very rarely the movie-esque “hacker in a basement”.
So – what can I do?
The first, and most important thing, is use a unique password for everything.
If you have a unique password, then the first couple of methods fall over (unless your “uniqueness” is changing one digit – they’ll probably try those simple variations).
Having a “strong” password is also useful – but what is a “strong” password. There’s a comic which explains this perfectly:
But this sounds complicated – I can’t remember all those passwords.
The good thing is that you don’t have to.
There are a variety of password managers out there which can help with this – they can store all your usernames and passwords in their vault, and some will even be able to auto-fill these into websites when you visit.
And, most of them are free.
All you need to do is remember one password – your “master password” – this should have never ever been used elsewhere, and is only used for this.
Make this password something like “correcthorsebatterystaple” (but obviously not that!)
Some examples of password managers include (but are not limited to)
Also – writing them down on a piece of paper (or in a notebook) is also fine, especially in a home environment. If someone is in your house, in front of your computer, having your passwords on a piece of paper is one of the lesser things to be worrying about! (If you work for a big company, or government, and have work-related stuf written down, this is less ideal – you’ll have to check with your employer about this!)
I now have a good password, anything else I can do?
How very good of you to ask – yes, there is often more that you can do!
Multi-Factor Authentication or Two Factor Authentication (often abbreviated to MFA or 2FA) adds another step to the login process.
Who you are – your username/email address
What you know – your password
What you have – an extra piece of information
It’s this final part, the extra piece of information, that improves security further. Not only does someone have to know who you are, and have your password, they also need an extra piece of information.
This could be a code generated and shown to you on another device, a code generated and sent via text message or an email, or something like a fingerprint or retinal scan.
We’re concentrating on the first – a code generated on a device you own.
This uses an industry standard “TOTP” (Time-based One Time Passcode). These codes can be generated by a variety of applications, such as:
- Authy
- FreeOTP
- Google Authenticator
- Microsoft Authenticator
These apps all, at heart, do the same thing – create an OTP (One Time Passcodes), which you then enter, when requested, when you try to log in.
Now the main reason for this post!
We have now enabled the ability for you to further secure your account here on our site, requiring an OTP for your account. We haven’t required that it’s set up – but we do strongly recommend you do so, as well as, if necessary, changing your password to a strong, unique one, that isn’t used elsewhere.
To enable 2FA on your account, you can go to the Two-Factor Authentication section under My Account and follow the steps to set it up!
This doesn’t only apply to our site – but to every site you visit, if you remember these simple things!
- Create a unique, strong password
- Set up 2 factor authentication if it’s offered
- Don’t share personal details, such as via silly questions on Facebook
- Legitimate places won’t email or call you threatening you if you don’t complete a form or give them details