Let's talk about how you can better secure your devices and online accounts.
What is authentication and why should you care?
Often when you need to access something – a device, account, or even a place – you have to have a way to prove that you are who you say you are, or at least that you’re allowed to access that thing. This is a process we call “authentication”.
A basic example is your home. When you want to enter your home you probably have to use some kind of key to unlock the door. That physical key allows you to enter. This is a very basic method of authentication, and it does suffer from one big problem: If somebody finds or steals your key, they can get into your house.
Another common example of authentication is the cash machine at your bank. This is a slightly more advanced example because rather than just having a physical key (usually a plastic card in your wallet) you also have to have a remembered fact – your PIN, which is generally a 4-8 digit number.
This is a more secure system because even if somebody has your physical key – the card – they can’t take your money from the cash machine because they still need to know your PIN. If they all they have is your PIN they still can’t get your cash from the machine because they also need the card. They have to have both things.
On a computer the kind of authentication we’re all familiar with is signing in with a username and password. These days our devices contain so much of our important data that it’s critical our authentication is done well. If crooks can sign into your devices or services as you, they can do a lot of bad things.
So, let’s look at how you can easily secure them.
First step: Turn on authentication on your mobile devices.
Most modern smartphones can quickly unlock with a fingerprint or facial recognition, but even the ones that don’t support those methods can be set to require a PIN to be unlocked. Turn that on.
Yes, it requires an extra step to unlock your phone when you want to use it but adding that small step makes your device much more secure. If your phone is lost or stolen whoever has your phone is a lot less likely to be able to access your sensitive data. This is especially important if you use your device for work or banking.
Multifactor authentication (AKA "2-step verification")
When you show up at your home and insert your key to unlock the door, that key is what we call a “factor”. That basic locked door is single-factor authentication. All you need is that physical key.
There are three basic kinds of factors used in authentication:
Something you know – like a password or remembered PIN.
Something you have – like a smartphone or a physical key of some kind.
Something you are – like your fingerprint or your face, that the device can scan to recognize you.
Multifactor authentication means that you need more than one kind of factor to get in. The cash machine we talked about is two-factor authentication – your plastic ATM card is one factor, and that remembered PIN is the second factor.
Nearly all online services now let you use multifactor authentication to sign in as well. The first factor is usually your username and password. The second factor is usually a special one-time code sent to your smartphone via text message. Anybody trying to sign into your account would need your username and password, but they’d also have to be able to receive that special text message. That makes it a lot harder for the crooks to get in.
Another option for that second factor can be an authenticator app on your smartphone, such as the free Microsoft Authenticator. The authenticator app has a few different ways it can work, but the most common is similar to the text message method. The authenticator generates the special one-time code on your phone for you to enter. This is faster and more secure than a text message because a determined attacker may be able to intercept your text messages; but they can’t intercept a locally generated code.
In either case the special code changes every time and expires after a very short period of time. Even if an attacker found out what code you signed in with yesterday it won’t do them any good today.
Isn’t it a hassle?
A common misconception about multifactor authentication, or two-step verification, is that it requires more work for you to sign in. In most cases, however, the second factor is only required the very first time you sign into a new app or device, or after you’ve changed your password. After that the service recognizes that you’re signing in with your primary factor (username and password) on an app and device that you’ve used before, and it lets you in without requiring the extra factor.
If an attacker tries to sign into your account, however, they’re probably not using your app or device. More likely they’re trying to sign in from their device, somewhere far away, and then the service WILL ask for the second factor of authentication – which they almost certainly don’t have!
Next step: Turn on multifactor authentication everywhere you can!
Enable multifactor authentication at your bank, your social media accounts, online shopping, and any other service that supports it. Some services may call it “two step verification” or “2 step sign-on” but it’s basically the same thing.
You’ll usually find it under your account security settings.
Password compromise attacks are responsible for most successful account hacks that we see, and multifactor authentication can defeat almost all of them.
For more information see What is: Multifactor authentication.
Say hello to Windows Hello
Windows Hello is a more secure way to sign into your Windows 10 or Windows 11 devices. It helps you get away from the old password method by using facial recognition, a fingerprint, or a remembered PIN instead.
Note: To use Hello Face your device must have a Hello-compatible camera and to use Hello Fingerprint your device must have a Hello-compatible fingerprint reader. If you don’t have either of those things there are compatible cameras and fingerprint readers you can buy, or you can just use Hello PIN.
Hello Face or Hello Fingerprint are just as fast and simple as the facial recognition or fingerprint reader you might use on your smartphone. When you get to the Windows login prompt instead of getting prompted to enter your password, you just have to look at your camera, or place your finger on the fingerprint reader. As soon as it recognizes you, you're in. Usually, it's almost immediate.
Hello PIN works the same way most PIN entry systems do. When you go to sign in Windows will ask for your PIN and sign you in. What makes Hello PIN special is that when you set it up it associates the PIN to the device you’re signing in with. That means that, just like other forms of multifactor authentication, if an attacker got your PIN, it would only work on your device. They can't use it to sign into your accounts from any other device.
Next step: Turn on Windows Hello
On your Windows 10 or Windows 11 devices go to Settings > Accounts > Sign-in options. There you can see which types of Windows Hello your device can support and easily set it up.
Choosing better passwords
The only people who like passwords are attackers. The good ones can be hard to remember, and people tend to reuse the same passwords over and over again. Also some passwords are pretty common across a large group of people – “123456” is not only a bad password, but it’s also one of the most commonly used. And you’re not fooling anybody if “iloveyou” is your password, that was the 8th most common password in 2019.
Hopefully you’ve turned on multifactor authentication and Windows Hello, so you’re not quite as dependent on passwords now. But for those services where a password is still necessary let’s pick a good one.
What makes a good password?
To pick a good password it helps to know a couple of the ways that attackers most commonly try to guess passwords:
Dictionary attacks – Many people use common words like “dragon” or “princess” as their password so attackers will just try all the words in a dictionary. A variation is to try all the common passwords like “123456”, “qwerty” and “123qwe”.
Brute force – Attackers may just try every possible combination of characters until they find the one that works. Naturally each added character adds exponentially more time, so with current technology it’s not practical for most attackers to try passwords longer than 10 or 11 characters. Our data shows that very few attackers even try to brute force passwords longer than 11 characters.
In either case the attacker isn’t typing these in by hand, they have their system automatically try thousands of combinations a second.
Given those types of attacks we know that length is more important than complexity and that our password shouldn’t be an English word. Not even “affectionately”, which is 14 characters long. Ideally our password should be at least 12-14 characters long, with both upper and lowercase letters, and at least one number or symbol.
Next step: Let’s create a good password
Here’s a tip for creating a password that has length, complexity, and isn’t too hard to remember. Pick a favorite movie quote, line from a book, or song lyric and take the first letter of each word. Substitute numbers and symbols where appropriate to meet the password requirements.
Perhaps you’re a baseball fan. The first two lines of the classic baseball song “Take me out to the ballgame” are:
Take me out to the ballgame,
Take me out with the crowd
Take the first letter of each word, with one obvious substitution:
That’s 13 characters long, mixed case, with numbers and symbols. It looks pretty random and would be hard to guess. You can do the same thing with any quote, lyric, or line if it’s long enough. You just have to remember what quote or lyric you used for that account and say it back to yourself in your head as you type.
If the system you're signing into supports spaces in passwords, you should use them.
Consider using a password manager application. A good password manager can generate long, random, passwords for you and remember them too. Then you just need one good password, or better yet a fingerprint or facial recognition, to sign into your password manager and the password manager can do the rest. Microsoft Edge can create and remember strong and unique passwords for you.
Now that you have a good password
There are a couple of other types of password attacks to watch out for:
Reused credentials – If you use the same username and password at your bank and at TailwindToys.com and Tailwind gets compromised, those attackers are going to take all the username and password combinations they got from Tailwind and try them at all the banking and credit card sites.
Tip: Join Cameron as she learns the dangers of reusing passwords in this short story - Cameron learns about reusing passwords
Phishing – Attackers may try to call or message you, pretending to be from the site or service, and try to trick you into “confirming your password".
Don’t reuse passwords on multiple sites and be very wary of anybody who contacts you (even if they appear to be a person or organization you trust) and wants you to give them personal or account information, click a link, or open an attachment you weren’t expecting.
Is it bad to write down your passwords?
Not necessarily, as long as you keep that paper in a secure location. It may be a better idea to write down a reminder for your password, rather than the password itself, in case the paper does fall into the wrong hands. For example if you were using the "Take me out to the ballgame" example we gave above you could write down the name of your favorite baseball team as a reminder of what you used for the password.