Every day passwords of Internet users are being stolen worldwide, be it their email, social networking or banking passwords. So how do you protect yourself?
One of the simplest ways to secure your numerous accounts, other than the recommended complex and confusing mix of alphanumeric characters, is two-step verification. It has been around for some time, but many of us have not used it at all. It is about time you did.
Google, Facebook, Yahoo, PayPal, Dropbox and many other sites have begun offering this facility. Two-step authentication relies on “something you know” (a password) and “something you have” (a cell phone). It works like this: whenever you sign in, you enter your username and password as usual. Then you will be asked for a code that will be sent to you via text on your mobile. Upon entering this code correctly, you will be allowed to log in to your account. It is as simple as that.
There is even an app called Google Authenticator for your smartphone. You can generate the code directly on your phone without the need for a network connection. The app is available for Android and iOS devices. You may well ask how Google will know what code is generated if there is no network connection. The simplified answer is that a six-digit code is generated by applying cryptographic techniques to a combination of something that is unique to your account and the current time. The code lasts for 30 seconds, so you must log in within that time window.
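The time-based code described above can be reproduced with the standard TOTP algorithm (RFC 6238), which Google Authenticator implements. This is an added example, not code from the article or from Google; the function names and the sample secret (the RFC's published test key) are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds each code stays valid, as described above
DIGITS = 6   # length of the code shown in the app

# Constructed sample: the "something unique to your account" is a shared
# secret, usually handed to the app as base32 text. This is the RFC test key.
SECRET = base64.b32decode("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")


def hotp(secret, counter, digits=DIGITS):
    """One-time code for a single counter value (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low 4 bits of the last byte pick a 4-byte slice
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret, now=None, digits=DIGITS):
    """Code for the 30-second window containing `now` (RFC 6238)."""
    now = time.time() if now is None else now
    return hotp(secret, int(now) // STEP, digits)


def verify(secret, submitted, now=None, drift=1):
    """Server side: accept the current window plus `drift` windows either
    side, so a phone clock that is slightly off still logs in."""
    now = time.time() if now is None else now
    counter = int(now) // STEP
    ok = False
    for c in range(max(0, counter - drift), counter + drift + 1):
        # Constant-time comparison; check every window to avoid early exit.
        ok |= hmac.compare_digest(hotp(secret, c).encode(), submitted.encode())
    return ok


if __name__ == "__main__":
    print("code right now:", totp(SECRET))
```

The phone and the server each compute the code from the shared secret and their own clock, so nothing needs to travel over the network when the code is generated.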
To enable two-step verification for your Google account, sign in to Gmail as usual. Then go to Account Settings by clicking on the image of your account. You will find it in the top right of your browser screen. Go to Security and enable Two-step Verification.
Those of you who have a Microsoft account should go to https://account.live.com/proofs/Manage. Log in, select Security Info on the left and then click the Set Up Two-Step Verification link. Then work through the onscreen instructions.
Even Apple has joined the growing list of online services that have been incorporating two-factor authentication security. To set it up, go to the My Apple ID page at https://appleid.apple.com/cgi-bin/WebObjects/MyAppleId.woa/. Click on Manage Your Apple ID, sign in and navigate to Password and Security and then click on Get Started for Two-step Verification.
Two-step authentication will make your account safer and less likely to get hacked. It is by no means foolproof since you are still using a password. You are only making it more difficult for a hacker to get access to it.
Eric Grosse, vice-president of security engineering at Google, thinks the concept of the password should be abolished because people choose them badly, lose them, write them down, and reuse them across different websites. In fact, Google is trying to replace the password with a USB device and a piece of jewellery with an embedded microchip. “No matter how complex your password is, it can no longer protect you. Recently, hackers released a 15 GB wordlist file that can crack almost all passwords you can think of,” says Abir Atarthy, ethical hacker and co-founder of the Indian School of Ethical Hacking (www.isoeh.com).
In a paper published in January this year, at a security conference in San Francisco, Mayank Upadhyay, security engineer at Google, said the company had developed a prototype ring that could take the place of a password. These rings will not contain any passwords. Instead they will contain an encrypted key that will communicate with a USB device. To log in to Gmail you will have to plug the USB device into your computer. Then it will communicate with the microchip embedded in something that you always carry with you such as a ring or bangle. The two will communicate through a technology called Near Field Communication or NFC for short.
Most mobile devices, except Apple’s, are NFC-enabled so you will not require the USB stick. The authentication will be done automatically between your phone and the ring on your finger.
Google did not say which company would supply the hardware chip and the USB device, but the features described in the paper are identical to a USB security key called Yubikey NEO. Currently, all stocks have been sold out.
The campaign to kill the password seems to be gathering momentum at last.