Let’s Talk About Your Passwords


This is going to be a mix of personal opinion and mathy stuff, all of which is likely to be correct.

For the too-long-to-read crowd, here’s the bottom line: if you’re using the same password(s) all over the place, stop doing that.


The hacking of a major energy pipeline company this past week is much in the news, and that has me thinking about cybersecurity.

Most of us face two significant threats, in terms of cybersecurity. One is that we’ll fall victim to malware, like the ransomware attack that crippled Colonial Pipeline last week. I don’t worry about that because I run a good anti-virus product (Bitdefender, which I’ve used for many years and like because it’s cheap, effective, and unobtrusive), use its ransomware protection, and have a firewall that tries to keep unwanted guests off of my network. I also back up my work fairly often (a backup only helps against ransomware if the ransomware can’t reach and encrypt the backup too); I feel my own data is reasonably safe.

The other threat we face has to do with our online passwords. Unless your current way of managing your passwords is cumbersome and annoying, you’re probably doing it wrong and really should consider making your own life less convenient. Let me explain.

Most of us have lots of passwords for personal and work computers, online services, and the occasional devices around our homes. I don’t know how many you have (because I’m not the NSA), but my list currently contains more than 600 entries. I’m probably an outlier, since I work in the computer industry and have a lot of client passwords, etc., tucked away. My own personal passwords number in the several dozens, considering all of the banking and online services, entertainment, vendor, etc. sites that I visit. You’re probably similar.

You probably count on your browsers to remember most of your passwords for you. I certainly do. I couldn’t tell you my Ricochet password, my Facebook password, my MeWe password, nor any of my vendor passwords, because I don’t know them. I know how to log into my bank and into Gmail, but not into any of my routers or devices, nor most of my accounts on my clients’ servers.

I keep all those passwords in an encrypted database and pull them up when I need them. (The password to that database is one password I do remember, and it’s pretty long.) I need to do that because my passwords are all different, every single one of them. Each is a little absurd: two “words,” at least one of which isn’t a real word, each containing a capital letter (though not always as its first letter), separated by a symbol that is neither a letter nor a digit; the whole sequence then begins with one more non-alphabetic character and ends with another, one of them a digit and the other a symbol. Their average length is 18 characters.

I don’t worry about the fact that my browser knows my passwords. I don’t worry about having them all in one file; a file that could, conceivably, be hacked by some cyber-villain. I don’t worry about that because the greatest risk I face, in terms of my online security, isn’t that someone will break into my computer and steal my passwords. Rather, it’s that someone will break into a poorly maintained online server and steal all of the passwords on that server, mine included. And that’s the greatest risk you face, as well.

How Companies Store Passwords

They don’t. Oh, a few might, but no competent online company actually stores your password anymore. What they do is take your password and hash it. That means they run it through a mathematical algorithm that changes it from plain old text into something numerical and random-looking. Then they store that hashed value.

For example, if your password was

Lucy021900

a hash of that might be

372302a0e9f8eb81d7fe7166552b10334c04b1458ac7dd76c0912f7c9cc16ce3

That’s what’s called an SHA-256 hash, a mathematical transformation of, in this case, my daughter’s dog’s name and my daughter’s birthday, into a long string of hexadecimal digits (actually, 256 bits of binary data).

Why would anyone do that, instead of just storing your password the way you typed it in? More importantly, how will they know that it’s you, the next time you log in if they don’t store your actual password?

The answer to the last question is pretty simple: when you enter your password the next time you log in, they’ll run it through that same hashing algorithm and come up with the same great big number. One of the special things about these hash algorithms is that they produce very random-looking output for any input, but they always produce exactly the same output for any given input. And, in addition, that output looks very different even if the input is almost exactly the same.

For example, if I change a single character of my example password, say changing my daughter’s birthday by a single digit, to

Lucy021800

the subsequent hash comes out like this

c52304ed9900ab26d60b173395b8d6782af424076df1ce14701fc4cd87dbe5ba

That single-digit change to the password produced a hash of the same length, 64 hexadecimal digits, only nine of which happen to match the previous hash value. (That’s actually about twice the number of matching digits as one would expect from a purely random sequence. I ran another hash with Lucy021700 and got only two matches, half what I’d expect from a purely random sequence. The thing about random is that, well, it’s hard to predict.)

Hashes change completely when even a small change is made to a password, and the output is 256 bits long, so a good hash spreads its inputs evenly over 2^256 possible values. The likelihood that someone else will make up a different password that just happens to land on exactly the same hash value as yours is… well, it’s small. It’s not likely to happen.

(How unlikely is it, to find two different text strings that create the same hash value? Suppose every single human being generated a billion hashes per second, every second, starting when the universe began and continuing through today. That’s about 3×10^36 hashes, and the odds that any two of them collided would still be around one in twenty thousand; to expect even one collision you need something like 2^128 hashes, which at that rate takes roughly a hundred times the current age of the universe. And matching one specific hash, yours, is far harder still. It’s just pretty darned unlikely.)

So that answers the second question: they can log you in without knowing your password because they know the hash of your password, and nobody is likely to figure out some other password that has the same hash. If you have such a password, you’re probably really you.

But that leaves the first question: why do this? Why not just store your password, and skip all the fancy math?

That’s easy: they save the hash because they care about you. More specifically, they care that you don’t sue them or otherwise compromise their financial integrity in the event that someone steals their password lists. By saving the hash of your password rather than the password itself, they can be confident that, if someone does break in and steal their password database, they won’t get your real password.

They won’t get your real password because of the other great thing about hashes: you can’t reverse them. You can’t turn that 64-character number thing back into my daughter’s dog’s name and my daughter’s birthday. The process of hashing so thoroughly scrambles the input that no one knows any way to run it backwards; the only known approach is to guess inputs and hash each one until something matches, which, as we’ll see, is exactly what the thieves do. (And yes, there are some really interesting questions here that we’ll completely ignore, because they really don’t matter for this discussion and, frankly, I don’t understand the math.)

Why does this matter, that the thieves are not able to reconstruct your password? It matters because a lot of people use just a few passwords all over the place, on Netflix and at the bank and at Match dot com and Hulu and Amazon and everywhere else. So if someone can steal a big database full of hundreds of thousands of email addresses and passwords, they can then try all those email addresses and passwords at banks and shopping sites, hoping to luck out and find someone who reused his or her password. (The attack has a name: credential stuffing.) Then they rob you.

But that only works if the online company was foolish enough to store your password, right? I mean, if they stored just the hash of your password, everything’s okay. Right?

Well, not exactly.

Hash, Hold the Salt

Two facts make hashed passwords less secure than they could be. One is that people tend not to be very creative in their password choices. (In 2020, one survey of almost 300 million passwords revealed that the most commonly used password was “123456,” which was used for about one percent of all passwords. The password “password” ranked fourth on that list.) The other is that, as mentioned above, people tend to reuse their passwords.

Cybercriminals aren’t stupid. They know that people like to make up easy passwords that they’ll remember. So the cybercriminals create their own big lists of common passwords and variations on those passwords. They include “password,” and “Password,” and “Passw0rd” (which replaces the oh with a zero), and “Password123,” and things like that. They throw in anywhere from a few thousand of the most obvious choices to the many millions of real passwords recovered from earlier breaches, and then they hash that list themselves.

Now, equipped with a list of the hashed codes for the most common passwords, they can scan the stolen password table for matching hash values. If they find one, say 008c70392e3abfbd0fa47bbc2ed96aa99bd49e159727fcba0f2e6abeb3a9d601, they can safely conclude that the password that created that hash was Password123. Then they can try the stored email address and that password at online banking sites, Amazon, etc., and hope they find a match.

The Salt

Online companies aren’t sitting idle while the bad guys come up with all the cool ideas. They’ve worked out a way to make it much harder to perform the attack described above: they add “salt” to the hash. This gets a little complicated, but the idea is simple enough. A salt is a random string, generated separately for every user, that the server stores next to the hash and mixes in with the password before hashing it. The hash of Password123 combined with one salt has nothing in common with the hash of Password123 combined with another, so the stored value for any given password differs not just from company to company but from user to user within the same company. So even if the bad guys get a list of hashed passwords, their own list of pre-hashed common passwords won’t match the one they stole. And even though they know the salt values (which they will, because the salt is stored with the hash of the password in the file they stole; it isn’t meant to be secret), they’ll have to regenerate all of their hash values over and over again, once for every salt in the stolen database. And that takes a long time.

As I said, it’s complicated. But it works, and it effectively means that these big tables of pre-computed hash values are worthless, if an online company uses salted hashes. Not all do, but it’s now the standard for password security, and most companies are salting their hashes.

So What’s the Problem? Your Lame Passwords, Probably

So if online companies aren’t storing your passwords, and if they’re salting their hashes like good online citizens, what’s the problem?

The problem is that many people use mediocre passwords, and hashing has gotten very fast. You can thank Bitcoin for some of that. Bitcoin uses the SHA-256 hash algorithm for its proof of work (the computation that earns Bitcoin miners their Bitcoins), and the appetite of miners and gamers for ever faster graphics cards means the average home computer hobbyist can now generate billions of SHA-256 hashes per second using the same kinds of PCs computer gamers use.

You’re probably thinking, “So what? What about that age-of-the-universe stuff? Who cares how fast they generate hashes, it won’t be fast enough, right?”

Well, yes and no. Yes, if people used good passwords, then the bad guys would be out of luck: they’d never guess the right ones. But people don’t use good passwords.

So here’s what the bad guys do. They take the stolen password file, they pick a password hash, and they go to work on it. They take the salt that’s associated with the hash — because that’s one of the things stored in the file — and they use that salt to start generating their own hashes.

What do they hash? They hash everything. Hardware is so fast that they can hash every word in the dictionary, then tack on a digit or two and do it again, and just keep pounding away until they find a match. But they’re smart enough not to bother with every single word. They use the words most people might know, common names, names of bands, pets and sports teams, things like that, and they run each one through “rules” that generate the obvious variations: capitalize the first letter, swap an oh for a zero, append a year or a birthday. When your desktop PC with a good graphics card is generating tens of billions of hashes per second, you can try an awful lot of words.

They aren’t trying to find a different sequence of characters that hashes to the same thing your password hashed to. We’ve already said that that’s simply too hard. They’re trying to find your actual password. And if your password is in the top few tens of thousands of common passwords, they will find it. Then they’ll start visiting the banks and online stores, etc.
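Here is how the attack and the defense described above look in working code. This is an added example, not code from the original post: a lookup table of pre-hashed guesses is run against a site that stores bare SHA-256, the same table is then run against salted hashes and misses, and finally the per-salt dictionary attack still recovers the weak passwords at the cost of re-hashing the whole candidate list for every user. The user list, the passwords and the seven-word wordlist are constructed for the example, and the mangling rules stand in for the much larger rule sets and wordlists real cracking tools use. Note that the post’s own sample password, a pet’s name followed by a birthday, falls to a routine “name plus date” rule.

```python
import hashlib
import secrets
from typing import Dict, Iterable, Iterator, Tuple

# Constructed inputs for the example (not real accounts or real data).
# The third password is the sort of random string a password manager makes.
USERS = {
    "alice@example.com": "Password123",
    "bob@example.com": "Lucy021900",            # pet's name + birthday, as in the post
    "carol@example.com": "k3@Vosdrilt&Qaxen7?",
}
# A seven-entry stand-in for the multi-million-entry wordlists attackers use.
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon", "lucy", "max"]


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def candidates(words: Iterable[str]) -> Iterator[str]:
    """Expand each word with a few 'mangling rules' of the kind cracking tools
    apply to every wordlist entry: case changes, an o->0 swap, common suffixes,
    and Name+MMDDYY for birthdays from 1950 to 2010."""
    for w in words:
        forms = {w, w.lower(), w.capitalize(), w.upper()}
        forms |= {f.replace("o", "0") for f in forms}
        for f in sorted(forms):
            for suffix in ("", "1", "12", "123", "!", "2020", "2021"):
                yield f + suffix
        for year in range(1950, 2011):
            for mm in range(1, 13):
                for dd in range(1, 32):
                    yield f"{w.capitalize()}{mm:02d}{dd:02d}{year % 100:02d}"


def unsalted_store(users: Dict[str, str]) -> Dict[str, str]:
    """What a careless site stores: the bare SHA-256 of each password."""
    return {email: sha256_hex(pw) for email, pw in users.items()}


def build_lookup_table(words: Iterable[str]) -> Dict[str, str]:
    """Hash every candidate once, up front. Against unsalted storage this
    table works against every user of every site, forever."""
    return {sha256_hex(c): c for c in candidates(words)}


def crack_unsalted(store: Dict[str, str], table: Dict[str, str]) -> Dict[str, str]:
    """One dictionary lookup per stolen hash; no hashing at attack time."""
    return {email: table[h] for email, h in store.items() if h in table}


def salted_store(users: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Per-user random salt, stored beside the hash. The salt is not a secret;
    its job is to make identical passwords hash differently for every user."""
    out = {}
    for email, pw in users.items():
        salt = secrets.token_hex(16)
        out[email] = (salt, sha256_hex(salt + pw))
    return out


def crack_salted(store, table, words) -> Tuple[Dict[str, str], int, int]:
    """Returns (cracked passwords, hashes computed, lookup-table hits).
    The precomputed table is useless here, so the attacker re-hashes the whole
    candidate list for each user's salt: the work grows with the number of
    users, and the long random password is never found."""
    cracked: Dict[str, str] = {}
    hashes = 0
    table_hits = sum(1 for _, h in store.values() if h in table)
    for email, (salt, h) in store.items():
        for c in candidates(words):
            hashes += 1
            if sha256_hex(salt + c) == h:
                cracked[email] = c
                break
    return cracked, hashes, table_hits


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted store:", crack_unsalted(unsalted_store(USERS), table))
    cracked, hashes, hits = crack_salted(salted_store(USERS), table, WORDLIST)
    print(f"salted store: {cracked} after {hashes:,} hashes ({hits} table hits)")
```

Both Password123 and Lucy021900 are recovered either way; salting only changes the cost, from one table lookup per user to a full pass over the candidate list per user. The random 18-character password is never found, which is the point of the next section.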

What Can You Do?

Most importantly, more important even than having really good passwords, is to have different passwords on each online account. Don’t use the same password for your bank accounts as you do for Netflix or the place you buy your shoes. Don’t use small variations of the same password, like changing the last digit, on multiple sites.

If you share passwords across sites, you’re trusting that (a) every one of those sites is responsible enough to store passwords with a salted, deliberately slow password-hashing function (bcrypt, scrypt, Argon2 or PBKDF2, designed so that each guess costs the attacker thousands of times more than a bare SHA-256), and (b) that your passwords are so cryptic and unusual that the brute force attacks made possible by ever faster hardware won’t stumble upon them. That first assumption is growing safer every day: online companies increasingly take password security seriously, though you have no way to check any particular site. But the second assumption, that your passwords are sufficiently clever to avoid the formidable hardware and techniques used by hackers, grows less sound every year as technology advances, driven in part by the market forces of the cryptocurrency industry.
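Assumption (a) is the part a site controls, and the standard remedy for the fast-hashing problem is a deliberately slow, salted password-hashing function. The following is an added example, not code from the original post, of a minimal verifier built on PBKDF2-HMAC-SHA256 from Python’s standard library. The record format and the 600,000-iteration target are this example’s own choices (bcrypt, scrypt and Argon2 are the other common options); the 50-billion-per-second figure is the post’s.

```python
import hashlib
import hmac
import secrets
from typing import Tuple

# Work factor for new records. Assumed target for this example; a site
# raises it over the years as hardware speeds up.
TARGET_ITERATIONS = 600_000


def hash_password(password: str, iterations: int = TARGET_ITERATIONS) -> str:
    """Store a self-describing record: algorithm, iteration count, a fresh
    16-byte random salt, and the derived key, all as text."""
    salt = secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${key.hex()}"


def parse_record(record: str) -> Tuple[int, bytes, bytes]:
    algo, iterations, salt_hex, key_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record type: {algo}")
    return int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(key_hex)


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count. compare_digest
    takes the same time whether the first or the last byte differs, so the
    caller learns nothing from how quickly the answer comes back."""
    iterations, salt, expected = parse_record(record)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, target: int = TARGET_ITERATIONS) -> bool:
    """True when a record was made with a lower work factor than we now
    require; the site re-hashes at the user's next successful login."""
    iterations, _, _ = parse_record(record)
    return iterations < target


def guesses_per_second(fast_hashes_per_second: float, iterations: int) -> float:
    """Each PBKDF2 guess costs at least `iterations` hash evaluations, so a
    cracker's guess rate drops by at least that factor."""
    return fast_hashes_per_second / iterations


if __name__ == "__main__":
    record = hash_password("Lucy021900")
    print(record)
    print("correct password:", verify_password("Lucy021900", record))
    print("off by one digit:", verify_password("Lucy021800", record))
    rig = 50e9  # the post's figure for a fast PC hashing bare SHA-256
    print(f"bare SHA-256: {rig:,.0f} guesses/s; PBKDF2 x{TARGET_ITERATIONS:,}: "
          f"{guesses_per_second(rig, TARGET_ITERATIONS):,.0f} guesses/s")
```

The salt still defeats precomputed tables, and the iteration count turns the attacker’s fifty billion guesses per second into fewer than a hundred thousand. That buys time for the site’s users, but it does not rescue a password that sits in the first few thousand guesses, which is why the advice below still stands.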

If you share your passwords across accounts, stop doing it. I know it’s a pain in the neck to have a bunch of different passwords, and it probably seems like writing them all down in one place is a security risk. And it is, maybe, a small one. But it’s essential to your online security.

Published in Technology
This post was promoted to the Main Feed by a Ricochet Editor at the recommendation of Ricochet members.

There are 51 comments.

  1. Headedwest Coolidge
    Headedwest
    @Headedwest

    I mentioned that text messages for 2-factor authentication are not as secure as you might think. If you want to know more about why that is so, here’s an article that describes the weakness. One popular way to attack it for a time was to bribe an employee in a cell phone store to get the required information.

    That said, all of my retirement accounts and some credit cards and bank accounts use it, and it’s the only 2FA they offer, so I don’t have much of a choice. 

    This article recommends using an authentication app, which is more secure — but your institution has to offer it.

    Ultimately, a password manager and complex passwords are your best friend. If you have a Mac, keychain is built in and free (but not as user-friendly as it might be).

    • #31
  2. Hoyacon Member
    Hoyacon
    @Hoyacon

    Henry Racette (View Comment):

    Hoyacon (View Comment):

    Who or what is responsible for the pop ups I occasionally receive informing me that my password has been “exposed” (presumably in a data hack) and encouraging me to change it?

    I assume you’re using the Google Chrome browser. (Aside: I dislike the Chrome browser because it comes from Google, which I think is an evil company — in the more dramatic sense of evil, rather than merely the casual epithetic sense.)

    I’m all over the place on browsers, mostly Safari since I use a Mac or DuckDuckGo in Windows. It’s possible Chrome is a default in something. I’ll have to pay more attention the next time one appears.

    • #32
  3. Skyler Coolidge
    Skyler
    @Skyler

    Henry Racette (View Comment):
    Microsoft seems the least socially conscious of the bunch, always had an IBM feel to it

    Wow.  I have to say we differ 100% on those perceptions.

    • #33
  4. EJHill Podcaster
    EJHill
    @EJHill

    The password is…

    • #34
  5. Hoyacon Member
    Hoyacon
    @Hoyacon

    EJHill (View Comment):

    The password is…

    Looks like Gene Kelly. Having trouble with the woman, but it’s probably someone fungible like Ruta Lee

    • #35
  6. OmegaPaladin Moderator
    OmegaPaladin
    @OmegaPaladin

    Here is the problem, @henryracette

    I have dozens of accounts, probably well over 100.  This includes video game clients, telnet / FTP passwords, computer login passwords, WiFi apps, etc.  Some of them require regular changes, so they change as soon as I remember them.

    Add in the fact that I have to type them on most sites without being able to see the letters and know if I am making a mistake.

    I need to be able to log in on multiple devices, so any password manager needs to be on my phone, home desktop, home laptop, home video center computer, and work laptop. Alternatively, I get to copy down a string of nonsense from my phone every time I log in. That’s guaranteed to increase frustration. Besides, a password manager is a single point of failure. That’s something we avoid in safety.

    So no, I don’t use a different password for every site.  I’m not insane.  High-security sites do tend to get their own passwords, like my workplace or Ricochet (I’m a moderator, remember)  and I try to keep them long.  Long passwords can be very easy to remember:  SenikstoletheGiraffe or better $en1k$toletheG1raffe is very easy to remember, since it uses English structure and a narrative.  Your average forum or website?  It gets one of a library of good passwords I remember.

    • #36
  7. Headedwest Coolidge
    Headedwest
    @Headedwest

    OmegaPaladin (View Comment):

    Here is the problem, @henryracette

    I have dozens of accounts, probably well over 100. This includes video game clients, telnet / FTP passwords, computer login passwords, WiFi apps, etc. Some of them require regular changes, so they change as soon as I remember them.

    Add in the fact that I have to type them on most sites without being able to see the letters and know if I am making a mistake.

    Check out the sites 1password.com and lastpass.com — they run as apps or in a browser extension. Made for your situation.

    • #37
  8. Michael Brehm Lincoln
    Michael Brehm
    @MichaelBrehm

    Overall, I’ve been happy with Lastpass. I remember that password, then I generate new passwords using its password generation tool, which creates a random string using whatever parameters you care to set.

    • #38
  9. The Reticulator Member
    The Reticulator
    @TheReticulator

    Michael Brehm (View Comment):

    Overall, I’ve been happy with Lastpass. I remember that password, then I generate new passwords using its password generation tool, which creates a random string using whatever parameters you care to set.

    I said I wouldn’t talk about it, but I’ve been using Lastpass for several years. Last time it came up for renewal the process was stupid and I considered switching to a competitor. But then they fixed it so I decided not to go through with the change. But there are certain passwords that I won’t entrust to it. As someone mentioned, it is a single point of failure.  There is a password that I used to use for a lot of sites years ago — mostly sites that didn’t involve payments or anything.  That one got hacked long ago, after I quit using it, and every now and then I get an e-mail trying to extort money out of me because the sender has that password.  I think my spam-catcher now catches those e-mails. 

    • #39
  10. kedavis Coolidge
    kedavis
    @kedavis

    Henry Racette (View Comment):

    Skyler (View Comment):

    Henry Racette (View Comment):
    And I actively dislike Apple.

    You’re missing out.

    I bought my first Mac in 1984, and have done a fair amount of development on the platform. (Try programming on a 128K machine in C++, when you have to swap 3 1/2″ disks between the compile and link phases. ;) ) I use iPhones, because they’re what my kids discard when they upgrade theirs. I just don’t like big tech companies. Microsoft seems the least socially conscious of the bunch, always had an IBM feel to it, “we just want American business to give us its money,” that kind of thing. I’d switch entirely to Linux if my customers could use it on their machines, but they can’t.

    I’ve long been amused by the amount of time and effort (and swearing, etc.) people invest in Linux to get it to look and work like Windows. I’ve never met anyone who wanted their Windows system to look and work like Linux.

    (Been programming since 1973. All glory to the PDP-8!)

    • #40
  11. Bartholomew Xerxes Ogilvie, Jr. Coolidge
    Bartholomew Xerxes Ogilvie, Jr.
    @BartholomewXerxesOgilvieJr

    I use LastPass, and I let it generate random passwords for everything. I also let it generate random “passwords” that I provide as answers to security questions (so, for example, the name of my first pet was 1NcvIOgFuS07), so nobody is going to get into my account that way either.

    I do have to take issue with one statement in the OP:

    Most of us face two significant threats, in terms of cybersecurity. One is that we’ll fall victim to a virus, like the ransomware attack that crippled Colonial Pipeline last week….

    The other threat we face has to do with our online passwords.

    This is true, as far as it goes. But a more significant threat than either of these is “social engineering”: somebody tricks you into voluntarily giving them access to your account or installing something malicious. Someone calls you pretending to be from the IT department, or sends you a bogus e-mail with a link you really should not have clicked. We don’t know the details of the Colonial Pipeline cyberattack, but I wouldn’t be at all surprised if it was something like this.

    Good password practice is essential. But having the strongest lock in the world doesn’t do you any good if someone tricks you into opening the door.

    • #41
  12. OmegaPaladin Moderator
    OmegaPaladin
    @OmegaPaladin

    I’ve long been amused by the amount of time and effort (and swearing, etc.) people invest in Linux to get it to look and work like Windows. I’ve never met anyone who wanted their Windows system to look and work like Linux.

    Well, it’s more that people want to make Linux look like the Windows UI they liked before MS decided to “improve” it.

    Linux Mint has a really slick UI reminiscent of WinXP with a dash of Win7.  Plus, if you don’t like the interface, you can install another UI like KDE or GNOME.

    • #42
  13. kedavis Coolidge
    kedavis
    @kedavis

    Bartholomew Xerxes Ogilvie, Jr. (View Comment):

    I use LastPass, and I let it generate random passwords for everything. I also let it generate random “passwords” that I provide as answers to security questions (so, for example, the name of my first pet was 1NcvIOgFuS07), so nobody is going to get into my account that way either.

    I do have to take issue with one statement in the OP:

    Most of us face two significant threats, in terms of cybersecurity. One is that we’ll fall victim to a virus, like the ransomware attack that crippled Colonial Pipeline last week….

    The other threat we face has to do with our online passwords.

    This is true, as far as it goes. But a more significant threat than either of these is “social engineering”: somebody tricks you into voluntarily giving them access to your account or installing something malicious. Someone calls you pretending to be from the IT department, or sends you a bogus e-mail with a link you really should not have clicked. We don’t know the details of the Colonial Pipeline cyberattack, but I wouldn’t be at all surprised if it was something like this.

    Good password practice is essential. But having the strongest lock in the world doesn’t do you any good if someone tricks you into opening the door.

    I seem to remember a story not terribly long ago, where hackers got control of something, maybe a bank system I don’t remember, because some bank employee opened an email from a “Nigerian Prince” or something.

    • #43
  14. W Bob Member
    W Bob
    @WBob

    When I get around to changing my passwords, I’ve decided a good method would be to memorize a bunch of bible verses, or lines from famous books, making sure to know the version of the text if there are different ones. Highlight the verses or other texts, or write them down somewhere. Then make passwords for example of the first letter of each word of the verse or text. You could do variations on this to make it more complex.

    On a related note, does anyone know when important infrastructure like pipelines were hooked up to the internet? And why that was done, and the reasons the geniuses who did it had for doing it? I mean I know it makes certain aspects of operation more convenient. But give me a break. Is that what it comes down to? Convenience? It worked before the internet, right?

    • #44
  15. kedavis Coolidge
    kedavis
    @kedavis

    W Bob (View Comment):

    When I get around to changing my passwords, I’ve decided a good method would be to memorize a bunch of bible verses, or lines from famous books, making sure to know the version of the text if there are different ones. Highlight the verses or other texts, or write them down somewhere. Then make passwords for example of the first letter of each word of the verse or text. You could do variations on this to make it more complex.

    On a related note, does anyone know when important infrastructure like pipelines were hooked up to the internet? And why that was done, and the reasons the geniuses who did it had for doing it? I mean I know it makes certain aspects of operation more convenient. But give me a break. Is that what it comes down to? Convenience? It worked before the internet, right?

    The whole fascination with this “Internet of Things” BS baffles me.  Why do I want the deadbolt to my front door to be “online?”

    • #45
  16. JustmeinAZ Member
    JustmeinAZ
    @JustmeinAZ

    kedavis (View Comment):

    W Bob (View Comment):

    When I get around to changing my passwords, I’ve decided a good method would be to memorize a bunch of bible verses, or lines from famous books, making sure to know the version of the text if there are different ones. Highlight the verses or other texts, or write them down somewhere. Then make passwords for example of the first letter of each word of the verse or text. You could do variations on this to make it more complex.

    On a related note, does anyone know when important infrastructure like pipelines were hooked up to the internet? And why that was done, and the reasons the geniuses who did it had for doing it? I mean I know it makes certain aspects of operation more convenient. But give me a break. Is that what it comes down to? Convenience? It worked before the internet, right?

    The whole fascination with this “Internet of Things” BS baffles me. Why do I want the deadbolt to my front door to be “online?”

    Yeah, I don’t get it either. My lymphatic massage therapist is all excited because she can control her Roomba from her phone to start cleaning while she’s not home.

    • #46
  17. Skyler Coolidge
    Skyler
    @Skyler

    kedavis (View Comment):
    The whole fascination with this “Internet of Things” BS baffles me.  Why do I want the deadbolt to my front door to be “online?”

    You have to look hard to find a garage door opener that doesn’t connect to the internet.  I won’t buy one like that.

    • #47
  18. W Bob Member
    W Bob
    @WBob

    kedavis (View Comment):

    W Bob (View Comment):

    When I get around to changing my passwords, I’ve decided a good method would be to memorize a bunch of bible verses, or lines from famous books, making sure to know the version of the text if there are different ones. Highlight the verses or other texts, or write them down somewhere. Then make passwords for example of the first letter of each word of the verse or text. You could do variations on this to make it more complex.

    On a related note, does anyone know when important infrastructure like pipelines were hooked up to the internet? And why that was done, and the reasons the geniuses who did it had for doing it? I mean I know it makes certain aspects of operation more convenient. But give me a break. Is that what it comes down to? Convenience? It worked before the internet, right?

    The whole fascination with this “Internet of Things” BS baffles me. Why do I want the deadbolt to my front door to be “online?”

    It’s amazing. And how in the world does that make your life easier? I guess it’s for OCD sufferers who always need to remind themselves whether they locked their door?

    • #48
  19. kedavis Coolidge
    kedavis
    @kedavis

    Skyler (View Comment):

    kedavis (View Comment):
    The whole fascination with this “Internet of Things” BS baffles me. Why do I want the deadbolt to my front door to be “online?”

    You have to look hard to find a garage door opener that doesn’t connect to the internet. I won’t buy one like that.

    That would most likely be wifi, which means it could be defeated/disabled.  But most people probably don’t bother, or actually think it’s a feature, not a bug.

    • #49
  20. kedavis Coolidge
    kedavis
    @kedavis

    W Bob (View Comment):

    kedavis (View Comment):

    W Bob (View Comment):

    When I get around to changing my passwords, I’ve decided a good method would be to memorize a bunch of bible verses, or lines from famous books, making sure to know the version of the text if there are different ones. Highlight the verses or other texts, or write them down somewhere. Then make passwords for example of the first letter of each word of the verse or text. You could do variations on this to make it more complex.

    On a related note, does anyone know when important infrastructure like pipelines were hooked up to the internet? And why that was done, and the reasons the geniuses who did it had for doing it? I mean I know it makes certain aspects of operation more convenient. But give me a break. Is that what it comes down to? Convenience? It worked before the internet, right?

    The whole fascination with this “Internet of Things” BS baffles me. Why do I want the deadbolt to my front door to be “online?”

    It’s amazing. And how in the world does that make your life easier? I guess it’s for OCD sufferers who always need to remind themselves whether they locked their door?

    Would OCD people believe what their phone tells them, or would they still have to get up and go check for themselves?

    • #50
  21. Al Sparks Coolidge
    Al Sparks
    @AlSparks

    Two factor authentication (2FA) has been mentioned in some of these posts.  The most common form of 2FA involves using your phone.  That has a couple of weaknesses.  First the texting protocol, SMS, is insecure, though that can be exaggerated.  Usually the codes sent last for only a short time.  If someone is interested in you enough to monitor your texting, then that kind of prominence suggests you should be using something else.  A second weakness is if you lose your phone, or worse, your phone number is hijacked, then you may have significant disruption in your online life until you resolve the issue.

    There are 2FA apps out there. One is called Google Authenticator, another is called Authy. Those apps work only with sites that support them. Amazon’s AWS uses Authy for its 2FA authentication. But then, if you work for or support a company that uses cloud based services, then the stakes are much higher, and the reason someone might want to monitor your text messages becomes more relevant. After all, you have your resume on LinkedIn, don’t you? They’ll know who you work for.

    My preference for 2FA is email.  But if you use email for 2FA, make sure you have it protected with a strong password.  Lose your email account, and you have the same problem as above if you lose your phone.  But if you have it well protected, email provides a more mobile solution than a phone.

    One thing about email.  It’s intrinsically insecure.  Don’t send plaintext passwords in email.

    • #51