Authentication
Most reported data breaches are caused by the use of weak, repeated, or default passwords. Following the advice in this section will teach you how to stay on top of breaches and secure access to your accounts.
| Level | Details |
|---|---|
| Essential | If your password is too short or contains dictionary words, places, or names, it can easily be cracked by brute force or guessed by someone who knows you. The easiest way to make a strong password is to make it long (15+ characters). Consider using a 'passphrase' of multiple words, or use a password generator to create a long, strong, random password. Try this tool to see how quickly your passwords can be cracked. |
| Essential | If someone reuses a password and a site they have an account with suffers a leak, a criminal can easily gain unauthorized access to their other accounts. This is often done through large-scale automated login attempts, known as Credential Stuffing. Files containing millions of email address and password records are available online. It is easy to prevent: just use a unique password for each account. |
| Essential | It is impossible for a human to remember hundreds of strong and unique passwords. A password manager is an application that generates, stores, and auto-fills your login credentials. All your passwords are encrypted with one master passphrase, which you must remember and keep strong. Most password managers have browser extensions and mobile apps, so your passwords can be auto-filled on any device. 1Password is recommended by EF, and as a member you would get a 1Password Families subscription. |
| Essential | While there may be times when you need to share access to an account with another person, you should generally avoid doing so, as it makes the account more vulnerable. If you must share a password, such as when working on a team, do it using the sharing features built into a password manager. By creating a vault in 1Password, you can share credentials only with those you choose, rather than exposing them to the entire internet. |
| Essential | 2FA means you must provide both something you know (a password) and something you have (such as a code from your device) to log in. This means that if anyone has your password, they still will not be able to access your account. It's easy to get started: download an authenticator app onto your phone, then follow the steps for each account to enable 2FA and add it to the authenticator. Next time you log in on a new device, you will be prompted for the code displayed in the app on your phone (it works without internet, and the code usually changes every 30 seconds). |
| Essential | When enabling multi-factor authentication, opt for app-based codes or a hardware token (YubiKey). SMS is susceptible to a number of common threats, such as SIM-swapping and interception. Your phone number is a public identifier and should not be used for authentication purposes. From a practical point of view, SMS only works when you have a signal and can be unreliable. If a bank website or payment service requires an SMS number, consider purchasing a second, prepaid, secret phone number used only for account recovery in these cases. |
| Essential | The most secure way to authenticate is a U2F/FIDO2 security key such as a YubiKey. This is a device that you connect while logging in to an online service to verify your identity. It brings several security benefits, since the browser communicates directly with the device and cannot be fooled as to which host is requesting authentication. Please follow the EF Hardware Security Keys Guidelines to proceed with getting and setting up your security keys. Read more on why this is so important. |
| Essential | When you enable multi-factor authentication, you will usually be given several backup codes that you can use if your 2FA method is lost, broken, or unavailable. Keep these codes somewhere safe to prevent loss or unauthorized access. Store them on an always-offline device, on paper, or in an encrypted file. Don't store them in your primary password manager, as 2FA and passwords must be kept separate. By merging them you defeat the entire purpose of the second factor in the authentication process. |
| Optional | After a website suffers a significant data breach, the leaked data often ends up on the internet. Several websites collect these leaked records and allow you to search your email address to check whether it appears in any of their lists. Firefox Monitor and Have I Been Pwned let you sign up for monitoring, where they will notify you if your email address appears in any new data sets. It is useful to know as soon as possible when this happens, so you can change your passwords for the affected accounts. |
| Optional | When typing your password in public places, ensure you are not in direct line of sight of a CCTV camera and that no one is able to see over your shoulder. Cover your password or PIN code while you type, and do not reveal any plain-text passwords on screen. |
| Optional | Browsers offer to save your credentials when you log into a site. Don't allow this, as the stored credentials are not always encrypted and could allow someone to gain access to your accounts. Example toolkit. Instead, use a dedicated password manager to store (and auto-fill) your passwords. A password manager extension in the browser provides a great user experience in a secure way. |
| Optional | Avoid logging in on other people's computers, as you can't be sure their system is clean. Be especially cautious of public machines in hotels and airports, as malware and tracking are more common there. Using someone else's device is particularly dangerous for critical accounts like email or online finance. When using someone else's machine, ensure that you're in a private/incognito session (use the File menu in the browser to open one). This tells the browser not to save your credentials, cookies, and browsing history. |
| Optional | Some sites allow you to set password hints. Often, the answers are very easy to guess. In cases where password hints are mandatory, use random answers and record them in a password manager (e.g., |
| Optional | If a site asks security questions (such as place of birth, mother's maiden name, or first car), don't provide real answers. It is a trivial task for attackers to find out this information online or through social engineering. Instead, create a fictitious answer and store it inside your password manager. Make sure that your fake answers aren't autogenerated nonsense like "N_9bKTC_i94". Many password reset flows involve communicating a security answer over the phone, and it's easy enough for an attacker to guess "oh, it's just a bunch of random characters" and for customer support to just shrug and let the person in. |
| Optional | Don't use a short PIN to access your smartphone or computer. Instead, use a text password or a PIN of non-fixed length. Short numeric PINs are easy to crack: a 4-digit PIN has only 10,000 combinations, compared to billions of possibilities when an attacker doesn't know the length and has to check every possible case. |
| Advanced | Most password managers are also able to generate 2FA OTP codes. It is best not to use your primary password manager as your 2FA authenticator as well, since it would become a single point of failure if compromised. Instead, use a dedicated authenticator app on your phone or laptop, with separate encryption and authentication. |
| Advanced | Most phones and laptops offer a facial recognition authentication feature, using the camera to compare a snapshot of your face with a stored model. It may be very convenient, but if it's implemented incorrectly there are numerous ways to fool it and gain access to the device. An example of a good implementation is Apple's TrueDepth camera system, which uses an infrared dot projector to build a 3D map of your face. Bypassing it requires a realistic 3D facial model or an identical twin (which is relatively rare). But a typical Android phone can be fooled by a photo of your face from the Internet, or by video recorded by surveillance cameras. |
| Advanced | A hardware keylogger is a physical device planted between your keyboard and the USB port, which intercepts all keystrokes and sometimes can type in malicious commands. It gives an attacker access to everything typed, including passwords. Keyloggers can also be planted inside the cable, so look for any signs that cables or connectors have been tampered with. Data pasted from the clipboard or auto-filled by a password manager cannot be intercepted by a hardware keylogger. |
| Advanced | For increased security, an offline password manager will give you full control over your most sensitive data, such as backup codes, seed phrases, PGP revocation certificates, and backups of your primary password manager. KeePass is a popular choice, and it has many community forks with additional compatibility and functionality for every operating system. Running it on a device that never connects to a network is required for the highest level of security. |
| Advanced | Having a different password for each account is a first step, but if you also use a unique username, email address, or phone number during registration, it will be significantly harder for anyone trying to gain access. The easiest method for multiple email addresses is mail forwarding: mail sent to [random]@service.com arrives in your inbox, allowing you to keep your real email address private. Firefox Relay and DuckDuckGo Email Protection are examples of email forwarders. Usernames are easier, since you can use your password manager to generate, store, and auto-fill them. |