Public Service Announcement: Don’t forget to enable two-factor authentication on your e-mail accounts!
A co-worker of mine got his GMail hacked. I doubt anyone guessed the password — it was not easily “guessable.” There was probably some malware running on a machine he used to log in at some point. Who knows?
Why is a hacked GMail or Yahoo Mail account a big deal? Because once they get into your e-mail account, they have access to EVERYTHING.
Think about it… if someone has access to your e-mail account, they can launch any number of frauds against you. They can read through your email and see that you’re on vacation in Hawaii. Then, when you’re asleep, they can email your contacts asking them to send money via PayPal using credible details about your travel (“I twisted my ankle on the beach — please send cash!”). They can also reset the passwords on your bank accounts, Facebook, etc. Access to your e-mail account is, to a hacker, like a kid in a candy store.
For a number of years I’ve been using Two-Factor Authentication on my GMail account. You can set it up so that each time you log in, Google sends you a text with an additional code that’s only valid for a short period of time. Alternatively, they make an app (called Google Authenticator) that generates the code on the phone itself, so it works even if you aren’t in wireless range. Using two-factor authentication makes it MUCH harder for someone (other than you) to access your GMail account.
If you don’t always (or ever?) carry around a smartphone and would rather have a physical device, you can use an “electronic key” that you plug into your computer. I’ve used a Yubico security key (the cheap one — there are more expensive versions) and can recommend it. It’s a little device that hooks to your keychain. It almost looks like a USB thumb drive, and while it does get inserted in a USB port, it is much more rugged than a standard thumb drive. You can set it up so that the key has to be plugged into your computer in order to log in to your account.
I found the security key to be easy to carry around, it’s cheap ($18 on Amazon – not an affiliate link), and waterproof. The key can be used to provide an extra layer of security not only for GMail, but also WordPress (via a third-party plugin), LastPass, and more. One downside, however, is that it only works with the Google Chrome browser at the moment. I would imagine that as more browsers adopt the FIDO U2F standard specification, more options will become available.
Whether you choose to use one of the two free options, or pony up for a physical device like the security key, the only thing that matters is that you do SOMETHING. If you use GMail, watch the video above to learn step-by-step how to do it. Please do it now and avoid waking up some morning to find that you’ve been hacked. It’s not a good feeling.
A Google hacker created it. Ha Ha
(Oh I mean “Hi Hi”)
Thanks for this post, Matt. I’ve owned and used Yubikeys from the 1st version to the latest U2F. I also use a free app authenticator. Neither provides a total guarantee of security but 2FA is way better than using just a password.
For those websites and email providers that don’t support 2-factor authentication, LastPass is your friend. You may have expounded the benefits of LastPass in a previous post but it’s worth reiterating. LastPass makes it almost trivial to create and recall a different (long) password for every website, email account, and banking site you log into. LastPass and especially LastPass with 2FA are currently about the best security we users can manage short of unplugging from the net entirely.
Thank you, Scott. All excellent points.
I think that the point is don’t make it easy for you to be a target. Using some form of additional security (like Google Authenticator or a security key) is a huge step forward in personal security.