Recently,
someone hacked my Gmail account, deleted all my email, and changed the password
so I couldn’t log in. This has been a terrific hassle. The folks at Google
helped me recover my account, but I lost all my emails and I don’t want this to
happen again. What can I do?
We’re so sorry for your hassles,
and wish the world wasn’t so full of bad people who want nothing more than to
make your life miserable. Unfortunately, it is, there are, and they do.
Obviously, using a strong password (made up of upper and lower-case letters,
numbers, and keyboard symbols, longer than 8 characters) will help a lot.
Unfortunately, even a strong password can’t, on its own, keep a determined
attacker out of your account.
The real problem comes when someone
breaks into your email, and given that “golden key,” starts resetting passwords
on your other accounts by sending password reset emails to your email account,
which they now own. This is what’s really scary: Lose your email access, and
you can lose everything. Clearly, it’s imperative that your email account is as
well protected as possible. If we can make one suggestion louder than any
other, this is it: Use a strong password for your email account that you use
for no other account. That way, should someone find out your Target password
(for example), they couldn’t use that to hack your email.
The fact is, however, that all
passwords are breakable. No matter how strong a password you use, it’s possible
that a dedicated attacker will figure it out, using a computer to try
millions of candidate passwords per minute until one works. To protect the
account properly, you need something more than just a password: This is
where two-factor authentication steps in.
Think of it this way: When you use
just a password to protect a site, your protection is based solely on something
you know (your password). If someone else finds or guesses that password, they
also have the one thing that is required to access the site. If you could add
something you have (that no one else has) to the mix, so that anyone accessing
the site needed both “the thing you know” and “the thing you have” to access
the site, just knowing your password wouldn’t be enough. Two-factor
authentication provides this second level of security, by requiring you to
specify both a password, and a randomly generated number that changes
regularly, in order to get into a protected site.
The trick is, of course, getting
that randomly generated number so that both you and the site know what it is,
but no one else. You can find several different authenticators available, but
most two-factor authentication relies on Google Authenticator, an app that runs
on a mobile device that provides the regularly changing random number. You
install Google Authenticator on your mobile device, tell it what site you’re
trying to protect, and then, when you attempt to log into the site, you supply
both your password and the number that Google Authenticator (http://goo.gl/Rbi71v) provides. You can cache
your credentials for some sites, so that you only have to provide the
two-factor authentication once a month, for example. There’s no doubt that
using two-factor authentication is a lot more effort, but it’s totally worth
it.
It’s important that you take an
extra step: You must save the “I lost my mobile device but I still need to log
in” emergency values that the authenticator provides, so that you won’t lock
yourself out of your account, if you happen to lose your device. Don’t skip
this step!
For a mostly up-to-date listing of
all the sites that support two-factor authentication, check out this article: http://goo.gl/78GPM7. Here you’ll find useful
documentation on two-factor authentication, and a list of many of the sites
that support it, including Gmail (which is where this discussion all started).
It’s well worth the hassles imposed by two-factor authentication to minimize
the risks involved in using password authentication.