There's a growing need for better online security, with strong passwords and two-factor authentication. As more of our daily life moves online, more of our personal information is also being stored on the web, along with access details for our personal bank accounts and confidential work data. With cyberattacks on the rise, all of this information needs to be protected from unauthorized access by hackers.
One of the oldest and simplest access control systems is a password. Assuming a hacker doesn’t know your password, the system is reliable and information is secure.
Unfortunately, though, passwords have many problems:
For example, let’s say you use the same 16-character random password for your bank account and for your gardening email group. If the group’s email software was implemented poorly and hasn’t been updated for five years, your emails about planting season aren’t the only information that’s at risk. If hackers gain access to your group email account, they can now also access your money.
For this reason, it’s essential to create different passwords for each online service you use. They should always be long, and preferably include special characters.
Password managers offer a compromise between security and convenience, allowing you to generate and store multiple passwords. But they also rely on a single Master Password, and if that Master Password is hacked, you’ll encounter all of the same problems. For that reason, you have to make sure that your Master Password is as secure as possible.
How to Pick Your Password
One solution to the password problem, which relies on "something you know", is to add a method of authentication that uses "something you have" or "something you are". For financial services, for example, “something you have” can be a credit card. Before the era of Apple Pay and Google Pay, a credit card combined with “something you know” (your PIN code) proved your ability to access your credit account.
Increasingly, methods like two-factor authentication (also known as 2FA) are used to protect your accounts from hackers who are trying to intercept your password (for example, through a phishing site). 2FA adds a layer of identity confirmation that’s independent of your password, usually in the form of a code sent to you by email, SMS, or messenger app. Here’s a quick rundown of how those options work:
Email 2FA
The easiest form of 2FA is to send a code or link to a user's email account. This process assumes that if you have access to your email inbox, you are who you claim to be.
Advantages:
Disadvantages:
SMS 2FA
Another common way to confirm your identity is to enter a code that you’ve received via SMS. In this scenario, each time you want to log in to an online service, you’ll need to enter a unique code, valid only for the current session, that you receive via text message on your device.
Advantages:
Disadvantages:
2FA via Messenger App
A step above the previous option is sending 2FA messages to a Messenger app, like Facebook Messenger, WhatsApp, Viber, Telegram, or Signal. This option is as user-friendly as SMS, but typically more secure.
Advantages:
Disadvantages:
Authenticator Apps
These apps are mainly used on mobile platforms as a universal tool for 2FA, across multiple services. During app setup, you get a primary key (most often in the form of a QR code), which the app uses with cryptographic algorithms to generate one-time passwords (OTPs) with a validity period of 30 to 60 seconds. Even if hackers are able to intercept 10, 100 or even 1,000 passwords, they have limited ability to predict what the next password will be.
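As an added illustration (not code from the original article or from any particular authenticator app), the following Python example shows how a one-time password is derived from the primary key and the current time, and how a service can check it. It assumes the standard TOTP algorithm (RFC 6238, HMAC-SHA1, 30-second period); the function names and the sample secret are constructed for this example.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample secret: the RFC 6238 test key, Base32-encoded the way
# a setup QR code usually carries it. Never reuse it for a real account.
SAMPLE_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of `step`-second periods since the epoch."""
    key = base64.b32decode(secret_b32, casefold=True)
    return hotp(key, unix_time // step, digits)


def verify(secret_b32, submitted, unix_time, last_counter=-1, step=30, drift=1):
    """Server-side check. Returns the matched counter, or None on failure.

    Accepts +/- `drift` periods of clock skew, compares in constant time,
    and rejects counters <= last_counter so a captured code cannot be replayed.
    """
    key = base64.b32decode(secret_b32, casefold=True)
    current = unix_time // step
    matched = None
    for counter in range(current - drift, current + drift + 1):
        expected = hotp(key, counter).encode()
        if hmac.compare_digest(expected, submitted.encode()) and counter > last_counter:
            matched = counter
    return matched


if __name__ == "__main__":
    import time
    now = int(time.time())
    code = totp(SAMPLE_SECRET_B32, now)
    print("current code:", code, "accepted:", verify(SAMPLE_SECRET_B32, code, now) is not None)
```

A service that stores the returned counter and passes it back as last_counter on the next login ensures each code is accepted only once, even inside its validity period.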
Advantages:
Disadvantages:
Yes/No Authentication On Another Device
This is a convenient method for 2FA if a service is used on multiple devices and there’s an option to log in from another trusted device.
This type of 2FA is essentially a combination of all previous methods. In this case, instead of requesting codes or one-time passwords, you confirm your login from your mobile device that has the service application installed. A private key is then stored on your device and checked every time you log in.
You may have used this for Twitter, Snapchat, or online games. For example, when you log in to your Twitter account on a laptop or tablet, you enter your username and password, and then your phone receives a notification with a request to log in, after which the browser will open your feed. Usually, you’ll see a request to "allow access from a new device" displayed on a trusted device, with identifying data about the browser/OS/country.
Advantages:
Disadvantages:
Hardware Tokens and U2F/FIDO2/WebAuthn
For the highest level of account security, hardware authentication tokens are the best option. As completely separate devices, hardware tokens never lose their two-factor component under any circumstances, unlike all the 2FA methods described above. Most often, hardware tokens take the form of USB key fobs with their own processor that generates cryptographic keys (or numeric codes) that are automatically entered when the key fob is connected to a computer. There are also models for mobile devices that transfer data via NFC/Bluetooth.
Advantages:
Disadvantages:
Backup Keys
Whichever 2FA method you use, you’ll typically get several backup keys for use in emergency situations, for example, if your smartphone is lost or stolen. With these keys, you can log into your account, restrict access for the lost or stolen device, and add a new one in its place. These keys should be stored in a safe place, not as a screenshot on your smartphone or a text file on your computer.
For any service you use, we recommend creating a password that you can easily remember but that nobody else can guess. Here are some key tips to keep in mind:
Use a unique password
Think of different passwords for each of your accounts, especially for the accounts that are extremely important to protect, like your email and online bank accounts. It's risky to use the same password for more than one important account. If a hacker learns the password for one account, they’ll be able to log in to other accounts easily, accessing your email, your money, or information about where you live.
Create a long password that only you can remember
The longer your password is, the more secure it is. We recommend creating a password that is at least eight characters long. Here are some variants of long passwords that will be easy to remember:
Avoid personal data and common words
Do not use passwords that are easy to guess if a person knows you, or that use publicly available information about you (for example, information that’s visible on social networks).
For example:
By following these tips, you can easily create the best possible passwords and securely protect your personal information.