This is a boring post about a mostly boring thing that I feel compelled to write. It’s aimed at those of you who haven’t thought much about Internet security, find websites’ increasing security demands obnoxious and just want to go about your life with minimal hassle. Like my Mom. Or Jonah. I find that I’m often giving this advice to people one at a time, after it’s too late, but now I can just link to this.

I know you’ve probably seen articles that are like “use a password manager,” and those are well-intentioned and have reasonable advice. And you know it’s a thing you should do, but it’s hard and you’ve got better things to do. And really, you probably figure that someone accessing your email account isn’t the worst thing in the world.

So I’d like to start by explaining the way actual attacks work and why you don’t want it to happen to you. Hopefully coming from me in my own words means something more to you than some rando journalist.

A common thing that happens now is that someone (maybe you!) uses the same password everywhere. There are a ton of websites that require you to come up with a username and password for no good reason (like online shopping). So you buy some widget online from some little online outfit that runs a store with poor security. Someone targets their website and steals their entire customer database. This means that now they have your email address and your password for that store.

At first, maybe you think this is no big deal. But if the password to your email account is the same password that you used at this store, you’re probably screwed. One of the first things someone is going to do is try to log in to your email account with your password. They’re also probably on to the fact that you think you’re clever by using “secur3passw0rdWidget” for the widget store and “secur3passw0rdGmail” for your gmail. So now they have access to your email, and once they get in, you’re going to have a really bad time.

First, they’re going to log into your gmail account and change your gmail password so you can’t access it anymore, but they can. Then they’ll read your email to see what banks you use. They’ll do “forgot my password” at your bank/paypal/whatever, which will send “you” an email to make sure you are who you say you are.

The bank might ask for some other identifying information about you. Like your phone number, maybe your date of birth. Which, probably, can be found trivially by searching through your email. Once they get in, they’ll then change the phone number and contact information that your bank has on you to make it even harder for you to get your accounts back.

Chances are good that by the time you figure out what’s going on, they’ve stolen your account information, possibly your money. Maybe they’ve had one of your credit cards reported as lost and shipped directly to them. Possibly they’ve logged onto your Facebook and sent messages to some of your friends to explain that you’re stuck in a city far away from home, lost your wallet, and really need them to send some money to help you out of a jam.

So, here are the things you should do to keep this from happening, and I’ll list them in order of the likelihood that you’ll actually do them:

(1) Make sure your email password is truly unique. I don’t care if you write it down on a sticky note and put it on your monitor or carry it with you. It’s not ideal, but this attack vector is unlikely compared to someone stealing it from another site.

(2) Pick an actually secure password for your email. Do what works for you, but it should not be a dictionary word, and doing common letter substitutions doesn’t count. It doesn’t need to be random to be secure. Correct battery horse staple passwords are pretty good as long as you avoid the 5,000ish most common words. (Munroe’s math in the comic assumes cracking character-by-character, but a sophisticated attack will instead guess whole words from a list of common ones and their combinations. If someone knows you’re using a battery horse staple password, it’s actually easy to crack if you use common words. Weird, uncommon but memorable words are best.)
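To put numbers on the point above, here is an added example (mine, not the author’s) that compares the character-by-character guess space with the word-by-word guess space for a passphrase; the wordlist sizes and the guess rates are constructed assumptions for illustration.

```python
import math

# Constructed wordlist sizes (assumptions): the "5,000ish most common words" list the
# post mentions, a Diceware-sized list, and a large dictionary of uncommon words.
WORDLIST_SIZES = {"common_5k": 5_000, "diceware": 7_776, "large_dictionary": 100_000}

# Constructed guess rates (assumptions): an online login form that throttles attempts,
# versus an offline attack against a leaked password-hash database.
ONLINE_GUESSES_PER_SEC = 1_000.0
OFFLINE_GUESSES_PER_SEC = 10_000_000_000.0


def char_bits(length: int, alphabet_size: int = 26) -> float:
    """Entropy in bits if the attacker must guess one character at a time."""
    return length * math.log2(alphabet_size)


def passphrase_bits(num_words: int, wordlist_size: int) -> float:
    """Entropy in bits if the attacker guesses whole words from a list of that size."""
    return num_words * math.log2(wordlist_size)


def years_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit a secret of the given entropy: on average half the space."""
    expected_guesses = 2 ** bits / 2
    return expected_guesses / guesses_per_second / (365 * 24 * 3600)


def compare(phrase: str) -> dict:
    """Entropy of a space-separated passphrase under each attacker model."""
    words = phrase.split()
    result = {"char_by_char": char_bits(len(phrase.replace(" ", "")))}
    for name, size in WORDLIST_SIZES.items():
        result[name] = passphrase_bits(len(words), size)
    return result


if __name__ == "__main__":
    for model, bits in compare("correct horse battery staple").items():
        print(f"{model:>17}: {bits:6.1f} bits, "
              f"online {years_to_crack(bits, ONLINE_GUESSES_PER_SEC):.2e} years, "
              f"offline {years_to_crack(bits, OFFLINE_GUESSES_PER_SEC):.2e} years")
```

The four-common-word passphrase looks strong against the character-by-character, online-rate model but falls in hours against an offline word-level attack, which is why the post steers you toward uncommon words.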

(3) Go to Have I Been Pwned and see if the common password you’re using everywhere is in their database. It probably is. Stop using it for anything important, but seriously don’t use it for your email.
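As an added example (mine, not the author’s or Have I Been Pwned’s code), this is how the Pwned Passwords check works under the hood: only the first five hex characters of the password’s SHA-1 hash are sent, and the match is done locally. The `fake_fetch_range` function and its breach counts are constructed stand-ins for the real range endpoint so the example runs offline.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real endpoint; not called below


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(full_hash: str) -> tuple[str, str]:
    """The 5-char prefix is all that leaves your machine; the suffix stays local."""
    return full_hash[:5], full_hash[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Each response line is '<35 hex chars of suffix>:<times seen in breaches>'."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """Return how often the password appears in breaches (0 means not found)."""
    prefix, suffix = split_hash(sha1_upper(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def real_fetch_range(prefix: str) -> str:
    """Network version: GET the real range endpoint for a 5-char hash prefix."""
    with urllib.request.urlopen(RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed "breach database" (assumption): passwords and made-up counts.
CONSTRUCTED_LEAKS = {"password": 3_861_493, "secur3passw0rdWidget": 12}


def fake_fetch_range(prefix: str) -> str:
    """Offline stand-in for the endpoint: returns every suffix sharing this prefix."""
    lines = ["0000000000000000000000000000000000A:1"]  # constructed decoy line
    for pw, n in CONSTRUCTED_LEAKS.items():
        p, s = split_hash(sha1_upper(pw))
        if p == prefix:
            lines.append(f"{s}:{n}")
    return "\r\n".join(lines)


if __name__ == "__main__":
    for pw in ("password", "secur3passw0rdWidget", "lanternfish-quartz-sorrel-umber"):
        print(f"{pw!r}: seen {breach_count(pw, fake_fetch_range)} times")
```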

(4) Use a password manager! I know you don’t want to. It seems hard. It’s really not. The hassle is just in setting it up, but the good ones have browser extensions and apps for all browsers and phones. Once you go through the hassle of setting it up, it’s going to make your life much easier! You just click “generate random password” in your browser, it’ll generate it and remember that it goes with that site. Your random, secure password will be auto-filled way faster than you can type your common password. It’ll then be synced to all your devices magically.

(5) Turn on two factor authentication for your email. There are 3 basic options now:

  • SMS – you get a text message with a code
  • Authenticator App – You use an app (like Google Authenticator) to generate a code
  • Hardware Key – a thumb-drive like device that you stick in a USB port and push a button when you want to log in.

The SIM card in your phone can be trivially cloned by any teenager who works for your wireless phone provider. Then they’ll stick the SIM in their own phone and get your code texted directly to them. SMS-based two factor is way better than not having two-factor, but it’s the worst choice and you should pick one of the others if you can.

Authenticator apps are a better choice, but they leave you vulnerable to phishing attacks where you think you’re logging into your email account, but you’re not. While you type in your password and your authenticator code, an attacker is logging into your account for you.

Hardware keys are the best answer, but can be a bit of a pain. If you want to go this route, Yubikey is the standard choice. You actually need to buy at least 2 of them because you won’t be able to access your account if you lose/break it. The way it works is that you log in to your email with your password, but then it’ll ask you to tap your hardware key. You don’t have to type in a code. They are awesome because when used correctly, they cannot be phished or stolen remotely.

The hassle is somewhat mitigated by the fact that you can check “remember this device” so you effectively only have to use the key to log in from a new device.

(6) Ideally you’ll turn on Google’s Advanced Protection! It looks like you can now do this with a modern phone, and you don’t even need to buy a security key to do it.
