Recently, someone hacked my Gmail account, deleted all my email, and changed the password so I couldn’t log in. This has been a terrific hassle. The folks at Google helped me recover my account, but I lost all my emails and I don’t want this to happen again. What can I do?
We’re so sorry for your hassles, and wish the world wasn’t so full of bad people who want nothing more than to make your life miserable. Unfortunately, it is, there are, and they do. Obviously, using a strong password (made up of upper and lower-case letters, numbers, and keyboard symbols, longer than 8 characters) will help a lot. Unfortunately, even a strong password can’t keep a dedicated hacker from getting into your account if they want to get in there.
The real problem comes when someone breaks into your email, and given that “golden key,” starts resetting passwords on your other accounts by sending password reset emails to your email account, which they now own. This is what’s really scary: Lose your email access, and you can lose everything. Clearly, it’s imperative that your email account is as well protected as possible. If we can make one suggestion louder than any other, this is it: Use a strong password for your email account that you use for no other account. That way, should someone find out your Target password (for example), they couldn’t use that to hack your email.
The fact is, however, that all passwords are breakable. No matter how strong a password you use, it’s possible that a dedicated hacker will figure it out, using a computer to generate millions of passwords per minute until they break into your account. In order to be completely secure, you need something more than just a password: This is where two-factor authentication steps in.
Think of it this way: When you use just a password to protect a site, your protection is based solely on something you know (your password). If someone else finds or guesses that password, they also have the one thing that is required to access the site. If you could add something you have (that no one else has) to the mix, so that anyone accessing the site needed both “the thing you know” and “the thing you have” to access the site, just knowing your password wouldn’t be enough. Two-factor authentication provides this second level of security, by requiring you to specify both a password, and a randomly generated number that changes regularly, in order to get into a protected site.
The trick is, of course, getting that randomly generated number so that both you and the site know what it is, but no one else. You can find several different authenticators available, but most two-factor authentication relies on Google Authenticator, an app that runs on a mobile device that provides the regularly changing random number. You install Google Authenticator on your mobile device, tell it what site you’re trying to protect, and then, when you attempt to log into the site, you supply both your password and the number that Google Authenticator (http://goo.gl/Rbi71v) provides. You can cache your credentials for some sites, so that you only have to provide the two-factor authentication once a month, for example. There’s no doubt that using two-factor authentication is a lot more effort, but it’s totally worth it.
It’s important that you take an extra step: You must save the “I lost my mobile device but I still need to log in” emergency values that the authenticator provides, so that you won’t lock yourself out of your account, if you happen to lose your device. Don’t skip this step!
For a mostly up-to-date listing of all the sites that support two-factor authentication, check out this article: http://goo.gl/78GPM7. Here you’ll find useful documentation on two-factor authentication, and a list of many of the sites that support it, including Gmail (which is where this discussion all started). It’s well worth the hassles imposed by two-factor authentication to minimize the risks involved in using password authentication.