Passwords and two-factor authentication on the web

A few weeks ago a friend called me, very worried about a threatening email he had received: someone claiming to have access to his email, threatening to release some compromising information, sharing part of his email password as proof, and asking for a ransom to be paid in Bitcoin. The password was in fact one he had used in the past, or maybe for a different site, not his current email password, but he was still very worried about how this had happened.

I told him not to worry about the email, it's just spam, but I also gave him some advice and an explanation of how this happened.

How did this happen?

When you register to gain access to a website you typically provide your email and a password. How well the website stores and protects that information is up to the website. It is often not done very well, and even when it is done correctly the data can still be leaked or stolen.

Lists of those emails and passwords are available, sometimes for sale and sometimes for free, and with that information people with not so good intentions will try those same credentials against your email, bank, Facebook, and every other Internet service that might give them some direct or indirect gain (this is known as credential stuffing). The email my friend received was put together from this same kind of data: a real password from an old leak, used to make the threat look credible.

How can I protect myself from this?

Avoiding creating accounts on shady websites is one way, but even reputable sites are of course targets of all sorts of attacks aimed at stealing this kind of information, and eventually some of those attacks will succeed. There is not much we as individuals can do about that, but there are two things you can and should do to protect yourself.

Do not reuse passwords, use a password manager

If you use the same password everywhere, then when one of those websites leaks your password the attacker gets access to all of your accounts, not just one. Passwords should be unique, hard to guess and hard to infer from one another, but managing many unique, difficult passwords is a challenge, and that is where a password manager comes in. Password managers are applications that automatically generate strong random passwords, can automatically update your passwords on some sites, automatically log you in, and can check that passwords are not reused across sites.

One critical point here is: if I keep all my passwords in that application, how can I trust that application? My approach is to rely on the recommendations of security experts who have deeply inspected those applications, and on strong, reputable vendors who continually verify their security and, when something needs fixing, fix it as soon as reasonably possible.

I personally use LastPass, after hearing about it from Steve Gibson almost 10 years ago, and I have been very happy with it since then. From a security perspective I really trust Steve's judgment, from a features perspective it does everything I need, including web, mobile and sharing, and from a price perspective the free tier offers all these features.

I have also heard very good things about 1Password from another of my favorite experts, Troy Hunt. I have not tried it, but I am sure it is at least as good as LastPass.

Use a second factor of authentication

Authentication refers to how you prove you are who you claim to be, and on most websites that is done by demonstrating knowledge of a password. While this works most of the time, it is weak in the sense that knowing a password does not really prove it is you. A password can be leaked, can be guessed, and can then be used by anyone else, without the website having any way to tell the difference.

One way to improve this process is by adding another factor of authentication, with emphasis on "factor". It is not just about having a second password; it is about having a different kind of evidence that the user is who they claim to be. So what other factors exist? Knowledge of a password is something you know; the other factors are something you are and something you have.

Something you are refers to the use of biometrics, for example Face ID or Touch ID on Apple devices, Windows Hello in Windows 10, fingerprint readers, the more sophisticated retina scanners, and the not yet practical DNA verification.

Something you have refers, for example, to the key to your house; in the case of computers and websites it can be a USB security key, a Bluetooth device, or a physical token that shows a changing number on its screen.

The level of sophistication and the requirements for this can get complicated, especially if you need to buy a physical reader or token, but there is a very practical solution where the "something you have" is your own smartphone.

There, you run an application that was previously given a secret seed by the website (usually by scanning a QR code), and from that seed and the current time it produces a number that changes every 30 seconds. When you log in to a website that supports this technology, you provide your username and password and are then challenged for this number.

This is similar to what some websites, especially banks, offer, where a 6-digit code is received by SMS. In this case, however, it is the application that calculates the code, without needing network connectivity, and it cannot be intercepted the way an SMS can (for example through SIM swapping). In general this technology is known as OTP (one-time password); the app-based, time-driven variant is TOTP (time-based OTP), standardized in RFC 6238 on top of the counter-based HOTP of RFC 4226.

The application I use is Microsoft Authenticator, which works great and automatically backs up my seeds. Before Microsoft Authenticator I used Google Authenticator, which I am sure works fine as well.

To set up this kind of authentication you need to go to each site and configure it individually. It takes some time, but it is absolutely worth it, since this way even if your password gets leaked it is not enough to log in. When enabling it, save the recovery codes the site gives you somewhere safe (for example in your password manager), since they are what lets you back in if you lose the phone.

Currently, I use this kind of authentication for the following sites/services; each link goes to the documentation with the details on how to set it up: