In the past months of using digital platforms to replace physical interactions, it has become even more important to properly secure online accounts. Here are three tips for better online security.
First, and most importantly, is to use a secure password. There are a couple steps to this, related to the two major types of password cracking methods. The first method is brute force, which is the reason that websites have minimum password lengths. A modern computer can generate every possible password with eight letters in a mere couple hours. The more characters added to the password, the longer it will take to generate all possible passwords of that length. The second method is the dictionary attack. This works by using a dictionary of passwords found in previous hacking attacks supplemented with common words and trying to use those as passwords. This type of attack can almost instantly crack any variation of the most common passwords, like “password1” or “123456.”
This is why it is so important to use a unique password everywhere. If one website gets hacked, then every password used on that site is added to password dictionaries. Reusing a password means that it is more likely to occur in one such dictionary. The human brain has limited space to remember passwords, however, so most people are unable to remember unique passwords for each website. The current solution is to use a program called a password manager. This generates unique and secure passwords for every website for which the user needs one. When logging into a website, instead of entering a standard password, the user would enter their manager’s password, which would then fill in the username and password boxes on the website. Since there is only one password to be remembered, the password for the password manager can be longer and more secure.
Second, be aware of how a website stores passwords. If clicking the button to indicate a forgotten password triggers an email that has the password written in the email, be extra certain to use a unique password for that website. A website sending the password plainly written in an email is a sign that they have the password stored plainly, which shows that if a malicious actor gains access to their database, that hacker can get a list of usernames with associated passwords, instead of the list of usernames with jumbled data a properly stored system would have. If properly programmed, a website does not save your actual password, but rather a hashed version of it. This means that the website takes the submitted password and runs it through a hashing algorithm, which outputs a fixed length set of ones and zeros, which is then stored as the “password.” The algorithm works in such a way that each input should generate a unique output, and the input cannot be deciphered from the output. Additionally, regardless of the password’s length, every output should be of the same length.
Third, use two-factor authentication. Also known as two-step verification, this means that it requires an extra step to log in to your accounts, beyond just a password. There are three possible authentication factors to log into accounts. The most common factor is defined as “something you know.” This is implemented by using unique username and password combinations. Since you are the only person who should know both your username and the associated password, you are theoretically the only one who should be able to enter your account. Another factor is defined as “something you have.” This is mostly implemented in one of two ways, the first being a security key, which is a device that usually plugs into a computer’s USB ports. If set up correctly, an account can’t be entered unless it is plugged into the computer. The second and more common method is using an authenticator app on a connected phone, or a text message that sends a code to a connected phone number. The final authentication factor is defined as “something you are.” This is the least commonly used factor for online accounts, but has gained use in smartphones. This uses biometric information, such as a fingerprint or a retinal scan, to verify that the person logging in is who they claim they are. Two-factor authentication is usually implemented using something you know with something you have, requiring first a password followed by a verification code, and is available on many websites.
