Hello! If a friend linked you here, it’s because they care about keeping your online accounts from getting seriously steamrolled. There’s always some degree of risk, but these steps will cut it significantly. At worst, if one account does get compromised, it won’t hand over the keys to everything else you have.
Update: Crash Override Network’s tool C.O.A.C.H. is a great step-by-step guide you can also use.
There are two parts to how I protect my online accounts. One is free but only available on some services. The other is buying a piece of software. Together they do change the philosophy of how you create and manage online accounts, but you’ll be much more secure for doing it.
Part 1: Two Factor Authentication (TFA)
The idea is that you log in not only with a fixed password (one factor) but also with a one-time code, which is either sent to you or generated on your device from a secret shared with the service (second factor).
When enabled, your login process will be something like this:
- Log in with your username & password.
- The site asks for your TFA code.
  - Most will let you use an authenticator app on your phone.
  - Some websites may text or e-mail you the code.
  - A few gaming services (Steam and Battle.net) require their own app.
- Enter the code.
- Access!
By its nature, this is a per-service feature. The main services (Google, Facebook, Twitter) have TFA, and more and more services are adding this kind of security. To make it easy on you, TwoFactorAuth.org tracks which services have implemented TFA and how to enable the feature.
Authenticator Apps
Some services insist on texting you, e-mailing you, or having you download their own custom app. Most others use a set of standards that let you pick your own application. For that, there are two apps you can use on your phone:
I use Authy as it’s more robust and has a better interface. Most sites will only mention Google Authenticator, but Authy works with any site that supports Google’s app. Either way, you’ll be asked to scan a QR code to enable TFA. They share a standard protocol, so you get to choose whichever app works for you!
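The "standard protocol" behind that QR code is TOTP (RFC 6238), which is HOTP (RFC 4226) with the counter replaced by the current 30-second time window. The following is an added example, not code from this post or from Authy, Google or 1Password: it decodes a base32 secret the way a QR code carries it, derives the six-digit code with HMAC-SHA1 and dynamic truncation, and shows how a service verifies a submitted code with a small clock-skew window. The secret is the published RFC test key, so the codes it produces can be checked against the RFC test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample secret: the RFC 4226 / RFC 6238 reference key (the ASCII
# bytes "12345678901234567890"), written the way an authenticator QR code
# (otpauth:// URI) carries it: base32 text without padding.
SAMPLE_BASE32_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_base32_secret(secret):
    """Turn the base32 text from a QR code into the raw HMAC key."""
    cleaned = secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding most providers drop
    return base64.b32decode(cleaned)


def sample_key():
    """The decoded reference key, for the examples and tests below."""
    return decode_base32_secret(SAMPLE_BASE32_SECRET)


def hotp(key, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to a 31-bit integer, reduced to `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(key, at_time=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter set to the current time window.
    This is what the authenticator app on your phone computes."""
    if at_time is None:
        at_time = time.time()
    return hotp(key, int(at_time) // step, digits)


def verify_totp(key, candidate, at_time=None, step=30, digits=6, window=1):
    """Server side: accept the code for the current window plus `window`
    windows either side (clock skew), comparing in constant time."""
    if at_time is None:
        at_time = time.time()
    counter = int(at_time) // step
    return any(
        hmac.compare_digest(hotp(key, c, digits), candidate)
        for c in range(counter - window, counter + window + 1)
    )


if __name__ == "__main__":
    key = sample_key()
    print("current code:", totp(key))
    print("code at t=59:", totp(key, at_time=59))  # RFC 6238 vector: 287082
```

Two things worth noticing from a defender's side: the window makes a code valid for roughly 90 seconds rather than 30, so a real service should also remember the last accepted counter and refuse to accept it twice; and because the whole scheme rests on that base32 secret, a screenshot of the QR code is as sensitive as the password itself.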
Part 2: Get a good Password Manager
I use 1Password. It’s great, well supported, and you’re buying offline software. You can use Dropbox, iCloud, or whatever file sync you like to move the data between devices. The PC/Mac license is $50 and the app is free for iOS & Android. The mobile apps have paid Pro features, but the free offering will cover your standard needs.
While that is ~$50 between your phone and computers, it’s a one-time fee. This is the best solution for protecting all the accounts that don’t do two-factor authentication.
I also recommend buying from them directly (not through the Mac App Store) for desktop. It’s the only way to get the cross-platform license now, or to upgrade to the cross-platform license later. They’re also super good about free upgrades.
There’s also LastPass if you want a completely cloud-based turn-key solution, but I’m going to explain 1Password as that’s what I use. AgileBits didn’t pay me; I just recommend what I’m using to great success.
Step 0: What am I doing?
You will be changing every password on every service to a complex password. Each one will be unique; no two services will share a password.
You won’t need to remember them; you’ll rely on 1Password to store and use them. You will have one password to unlock 1Password’s vault. A PASSWORD YOU SHOULD ONLY USE FOR 1PASSWORD.
Step 1: Install 1Password
Install the software, then install all the browser extensions on every browser you have installed on your computer. 1Password supports Chrome, IE, Firefox, Opera, and Safari.
Do this for every computer you intend to use.
Step 2: Change them passwords!
This is a step you’ll keep doing. At first it will be a bit time-consuming to update all of your commonly used accounts. Once you’re over the hump, it will just be part of your regular routine.
When you go to a site, this will be the workflow:
- Log in to the site, and 1Password will ask to save that login. Do so.
- Go directly to the service’s change-password page.
- Instead of making up a new password, use 1Password’s browser extension to randomly generate one! It will even fill the new password into both password fields for you.
- Submit the change password form.
- 1Password will ask to confirm the update to the account.
That’s it! You’ll keep doing that a lot, but you’ll eventually have a unique password for every account you have.
Final Notes
There will always be the looming threat of an account’s password getting leaked or discovered. Sooner or later some company stupid enough to store passwords in cleartext will leak them. But using these tips will stop one compromised account from giving away access to your other accounts.
Changelog
When I make an update, I’ll note them here.
- Aug 21, 2014: Initial Post
- Oct 17, 2013: Changed pricing info for 1Password on mobile.