This is when a service or application requires nothing more than your email address, username and password. A typical example is a website that simply requires you to register to use its service, where what it offers is akin to an online dictionary with no interactive content, and where registration does not request confidential information.
If the registration requires only your name, surname, age and email address, then you do not need any additional layer of authentication.
However, you must read their privacy policy, since that is where you will see what information they track, keep a record of, who they share your information with, and so on. This is usually not information you enter but information recorded by scripts that track how you use their service.
Most importantly, however, if such a site is breached there is no useful information a threat actor can make use of, since these sites do not record your contact information or other confidential information, and when registering these details are optional.
These sites would commonly be those allowing you to pay bills online. In the past most of these sites mostly showcased what they had in store, new offers and so on. More recently, however, these sites allow you to settle your bill online. They may also allow you to purchase online, as takealot.com does. This is where the risky part comes in, because they may need your confidential information (such as your address, phone details, billing information, etc.).
Most of these sites might have the option to enable 2-FA authentication but often neither enforce it nor enable it by default. If a data breach occurs, to protect themselves, when asked why they do not have 2-FA authentication they would say that they do, and when confronted by clients about why they did not inform clients about this option, they would respond by stating that they mention it in their privacy policy.
These sites often have 2-FA disabled by default since it requires clients to enable an extra layer of security, which most shoppers may see as "too much", and the sites fear losing these customers. The irony is that if they do suffer a security breach, they will need to reveal much of this anyhow, and clients may in fact feel betrayed and never use their services again.
For this reason, I would recommend that users of services like these sign in to the respective site and enable 2-FA authentication. If a site does not offer 2-FA authentication, then I suggest that people do not make use of its services, close their online account, and make use of a service that offers the same but allows for 2-FA authentication.
These would be sites that have little or no reputation. This includes sites that have no need for registration in order to be used (meaning that once registered there is no difference between the content you see with or without registering). Many of these sites are essentially just a front to steal your information (infostealers). These sites would not be the typical sites users visit under normal circumstances.
Very often you would receive an email from an unknown 'party' claiming that you have entered a competition and that, to secure your entry, you need to visit the aforementioned site and fill in some information. Some of them, upon visiting, will look legitimate, contain reviews and often have a privacy policy associated with them. Often these sites may only ask you for your username, email address and password.
You may think this is fine, since they did not request other information, so what can they possibly do with the details you provide?
They know that most users use the same login details for the other services they use. Do you use the same username and password for the majority of websites you use? If I had to guess, I would say yes, you do.
Regardless of whether you have added layers of security, please make sure that you follow these guidelines when using passwords.
Password            Rating       Approximate time to crack
Samsmith            [Bad]        Less than 5 minutes
S@m_Sm1th           [Better]     About 2-4 days
S@m5_&Sm1th#        [Good]       About 8 570 years
S@@m5%%Sm!!th3#$    [Excellent]  About 697 816 255 000 years or 6.98 centuries
The picture below depicts the approximate time it would take to break the passwords shown in yellow using brute-force password cracking techniques, using a computer configured to match the median baseline performance of computers in circulation at the time of writing.
It is unlikely that hackers will use just one device; they are more likely to make use of hundreds of computers with greater performance than the median, making this process even faster.
However, as you can see, the difficulty increases exponentially as you use more complex passwords.
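To make the exponential growth concrete, here is an added example (not from the original article) that estimates the worst-case exhaustive search space for the four sample passwords above. The guess rate is an assumed figure for illustration only; real attackers use many machines and wordlist-based strategies, so the times are an upper bound on a naive brute-force search, not a prediction.

```python
# Added example: how the brute-force search space grows with password length
# and character variety. ASSUMED_RATE is an assumption used only to illustrate
# the scale; it is not a measured figure.
import string

# Character classes and the number of symbols each one adds to the alphabet.
_CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation), len(string.punctuation)),  # 32 printable symbols
)

def alphabet_size(password: str) -> int:
    """Size of the smallest standard alphabet that covers every character used."""
    chars = set(password)
    return sum(size for members, size in _CLASSES if chars & members)

def keyspace(password: str) -> int:
    """Number of candidates an exhaustive search must consider (lengths 1..n);
    this is the attacker's worst case, since shorter candidates are tried first."""
    n = alphabet_size(password)
    return sum(n ** length for length in range(1, len(password) + 1))

def crack_seconds(password: str, guesses_per_second: float) -> float:
    """Worst-case time for an exhaustive search at the given (assumed) rate."""
    return keyspace(password) / guesses_per_second

def human_time(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    units = (("years", 365 * 24 * 3600), ("days", 24 * 3600),
             ("hours", 3600), ("minutes", 60), ("seconds", 1))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"

if __name__ == "__main__":
    ASSUMED_RATE = 1e10  # assumed: 10 billion guesses/s for a single fast rig
    for pw in ("Samsmith", "S@m_Sm1th", "S@m5_&Sm1th#", "S@@m5%%Sm!!th3#$"):
        print(f"{pw:18} alphabet={alphabet_size(pw):3} "
              f"worst case: {human_time(crack_seconds(pw, ASSUMED_RATE))}")
```

Each added character class widens the alphabet and each added character multiplies the search space by that alphabet size, which is why the table's times jump from minutes to years.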
You may look at the above, considering what makes for a strong password and say “well that is not possible for me to remember” and you will not be wrong.
It is for this reason that password managers exist: they save login details for you and integrate with your device, making it even easier, and these password vaults/managers make use of 2-FA Authentication. Password managers are not new and have been around for a long time.
Most of us never had to create complex passwords, and for the most part having a password that contains a combination of uppercase, lowercase, numeric and symbolic characters was optional.
However, due to the significant increase in people using various online services, coupled with the, quite frankly, concerning amount and frequency of data breaches, this is no longer optional. Password Managers range in terms of capabilities and features. I will, however, only mention the features that are most relevant.
One of the big problems which Password Managers take care of is not even technical. Even before other methods of authentication became available it was (and still is) common for people to write down their passwords on a piece of paper, in a plain notebook or similar.
Even if a service you use that requires a login does not have additional layers of security, the password managers I recommend do. It is essentially the difference between storing your valuable items where you assume people will not look (but if they locate the spot they can simply grab your items with zero effort) and storing your valuables in a vault.
Add to this the mentioned increase in data breaches, the number of services people use online, the requirements users need to meet in order to have a strong password, and the fact that, whether there is a data breach or not, some services frequently ask users to update their password (create a new one).
However, the most important reason is that these Password Managers are mostly easy to use, and there is no excuse not to use them.
This section deals with 2-FA Authentication and assumes that, even though it covers the additional layer of authentication, you have at the very least secured your standard log-in details.
Some services and products may not call it 2-FA; some, such as Google, prefer the term 2-Step Verification, which is the very same thing.
When you have enabled this service, it will make it much harder for bad actors to make use of your data. So, for example, let us assume that, for whatever reason, your login details have been compromised. If a bad actor then types in your username and password, they will be shown a screen like this:
This will then alert you via email or a push message (such as an SMS message) that someone tried to access your account. If this is not you, you can then ignore it (or at times click the link "this was not me" in the email received, after you have verified it came from the service in question), thus preventing the person from accessing your account. If this was you, you will open your Authenticator application and type in the 5–8-digit code, upon which you access your site as per normal.
From the get-go, by just the mention of the above, you can immediately see why having this enabled is a must. Now, imagine you have this enabled; depending on the services you use, you will start to notice how many bad actors are constantly trying to access your account. It may very well result in an ontological shock (essentially meaning your worldview in terms of security will drastically shift).
If you use online banking, for example, you will notice that when you sign in, perform transactions or similar, you receive an OTP (One Time Pin), which is based on the same concept. In many ways, the OTP is the reason why 2-FA Authentication has started to become the norm rather than the exception.
One of the common responses I get when suggesting dedicated Password Managers is a claim such as "my browser already does this for me", which is true. However, this is extremely unsafe since it is also
Whether you have 3 or 300 accounts, you will only have to remember the one password needed for your password vault/manager. The following recommendations take into consideration pricing, safety, ease of use and value (such as how many accounts you can secure without paying); the selection I recommend has been thoroughly tested.
It is pretty much the best for what it does. This is not a suite, and the problem with free software is that it does not need to adhere to the same standards as the products people pay for.
Proton Pass has a free version, but the paid version is where it really blows the rest of these password managers out of the water. Perhaps most importantly, with the ever-increasing rise of cyber threats, Proton has recently been not only fortifying all its tools but constantly adding new features.
LastPass, 1Password.
Doing some further research you will find out why I have a zero-tolerance policy when it comes to security. I also do not endorse products that YouTubers who do not deal with security endorse. They do so because they get paid to do so.
Using Twitter / X
You'll now see a QR code on the "Link the app to your Twitter account" page. Open your authenticator app and select the "Scan a QR code" option. Point your phone at the screen and the code will be scanned automatically.
If the previous step worked, you'll see a 6-digit code being generated for Twitter in your authenticator app. Enter the code in the popup box on Twitter in order to link your account. If the code changes before you can enter it, don't worry; just enter the fresh code. Make a note of the recovery code, which can be used to sign in if you lose your device or access to your authentication methods.
To find out more click here
Using Facebook
To find out more click here
Using Google
The above is just to show you the basic differences in how each of these services helps you enable this feature. In terms of Google, since Google offers many services, I would suggest that you follow their own guidelines. You can do so here
In this article I addressed why you cannot make use of simplistic passwords and outlined the issues with having a weak password. The most important takeaway from this article is the use of 2-FA Authentication and why you have to enable it on the services you use.
Unfortunately, many services do not have this additional layer of protection available (at the time of writing), and for that reason I spent a lot of time on passwords.
The first part dealt only with 2-FA Authentication in terms of how you would go about by enabling 2-FA authentication on these services. This part covers what you will require on a mobile device, such as your cellphone, to make use of what is outlined above.
Below is a list of recommended Authenticator apps (Android Phones). I am recommending these apps based on their track record, safety, privacy and long-term usability.
GOOGLE AUTHENTICATOR
Google Authenticator adds an extra layer of security to your online accounts by adding a second step of verification when you sign in.
This means that in addition to your password, you'll also need to enter a code that is generated by the Google Authenticator app on your phone.
MICROSOFT AUTHENTICATOR
Use Microsoft Authenticator for easy, secure sign-ins for all your online accounts using multi-factor authentication, passwordless, or password autofill.
You also have additional account management options for your Microsoft personal, work or school accounts.
PROTON PASS
Get the password manager created by the scientists who met at CERN, the team behind Proton Mail, the world's largest encrypted email provider. Proton Pass is open source, end-to-end encrypted, and protected by Swiss privacy laws. My personal recommendation.
Pass offers more than other free password managers and has no ads or data collection. You can use it for free forever on all your devices to create and store unlimited passwords, autofill logins, generate 2FA codes, create email aliases, secure your notes, and more.
Visit the Google Play Store on your cellphone or click here to be redirected to the Play Store.
LASTPASS AUTHENTICATOR
LastPass Authenticator offers effortless two-factor authentication for your LastPass account and other supported apps. With one-tap verification and secure cloud backup, LastPass Authenticator gives you all the security, without any of the frustration.
There are other options, however, at the time of posting this, these are the only recommendations I have thoroughly tested. The above have not been breached and have been in use for a long time. Some of the other authentication apps may or may not conform to the same quality/safety standards as those recommended above.