top of page
sensible security

Logging In


Making logins harder is the best way to protect an account. It's a bit like bigger locks on your door: each one makes your life a little harder, but way harder for the thief.


Passwords

Start with a good password. Good passwords are hard: they have to be hard for a computer to guess, but easy for you to remember. The best password is something completely random (impossible to guess). Unfortunately, people aren't good at random. I recommend two tricks:


Get a computer

to generate something random. Good password managers contains a password generator. There are also websites.


Use a passphrase

Passphrases don't rely on weird symbols or numbers to make them complicated, they just use 4-6 regular words. You can put spaces in between them, or leave them out.

Each word in your passphrase must be random, or it doesn't work. the words should have anything to do with each other, and certainly not spell out a phrase. "OMG 90210 rocks my socks" is a bad passphrase. "Is my shepherd I shall not want" is also bad. Here are some good ones:

  • dirt yourself arrangement dot

  • control research thin accident

  • this refugees loud Dave

  • merely tape fastened along

  • root London ten carefully

  • golden stop francis spider

If you have a hard time coming up with random words for your passphrase, there are online services. Even if you generate it, passphrases are usually easy to remember. Most people create a little story that strings the words together.


Extra steps

You can also protect your login by adding extra steps. Here are some popular choices, sorted with the strongest last:

  • Ask for more secrets: lets you write in answers to questions about your life. When the platform wants to make sure it’s really you, they ask you a question, and makes sure your answer matches. Note: lie when answering these questions, they don't care what your mother's maiden name really is.

  • Remember this device: whenever you log in from this device, it will only ask for the password.

  • Email/text secret code: you give them your cell or email address, and when you try to log in, they send you a code. You type the code into the login screen. Not as good as the app version below because phone companies are easily tricked and email can be snooped.

  • App secret code: popular phone apps from Google and Microsoft generate secret codes every minute. When you log in, you also type in whatever code is showing in the app. Some platforms allow this, you can check here in the “soft token” column.

  • App push notification: like a secret code, but instead of having to type in a code, a prompt comes up on your phone asking if you're trying to log in. You just have to unlock your phone and press "yes" and it will let you log in.

  • Keyfob: you can buy a keyfob that will show a secret code just like the app above. Some versions also allow you to plug them in, and they tell the code directly to the login page. Few platforms allow this, you can check here in the “hard token token” column. Yubikey makes the best and cheapest keyfobs. “FIDO” is the best and latest tech.

Not all services allow passphrases or all the extra steps described here. If they don't, think about switching: if they let you set up stronger options, they are probably serious about security in the ways you do not see.


Comments


Subscribe for more:

  • RSS
  • LinkedIn
  • Twitter
  • YouTube
bottom of page