Passwords & 2FA. Go beyond “password123”

With the recent Optus cyberattack still making headlines, it’s time for Australians to do better at protecting themselves online.

Our lives are almost entirely transacted online these days, and keeping our digital identity intact is more important than ever. Research has found that many Australians use passwords as simple as ‘password123’. Not the most complex password in the world! Likewise, writing your password on a post-it note stuck to your screen keeps it away from remote cyber criminals, but leaves it open to anyone who has physical access to your desk.

In banking, many institutions will not cover your losses if it is found that you have been negligent in securing your password or customer/member number. That includes sharing that information with your partner, spouse or significant other.

Password Managers are a first step.

We recommend Bitwarden to our customers. Bitwarden is an open source password manager that lets individuals and organisations store passwords safely and securely. The vault is encrypted with a key derived from your ‘master password’; the premise is that you remember one long, complex password that unlocks your vault of all the others. That makes the ‘master password’ the key to the kingdom: it must be unique, never reused on any other site, and never written down where others can see it.

Here is an example of how this all works.

You go to a new website and create an account. Perhaps this is an online shopping site. At checkout you create an account with your email address as the username and are prompted for a password. Instead of entering your usual password, password123, you ask Bitwarden to generate a new, unique password or passphrase. You then save this in your personal vault, which is protected by your ‘master password’.

By adding the Bitwarden extension to your favourite web browser you’ll have quick and easy access to auto-fill this password the next time you return to the online store and need to log in. The extension only offers an entry on the site it was saved for, so it will not fill your shop password into a look-alike phishing site with a different address.

Bitwarden also provides apps in both the iOS App Store and Google Play for your mobile devices. This means you have access to your password vault wherever you go.
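As an added illustration (example code written for this article, not Bitwarden’s own implementation), here is a stripped-down vault in Python showing the three mechanics described above: a cryptographically secure random generator producing a unique password or passphrase per site, a key derived from the master password rather than the master password itself being stored, and entries that refuse to open under the wrong master password. The iteration count, the small word list and the HMAC-based cipher standing in for the AES used by real managers are assumptions made for the example.

```python
"""Added example, not Bitwarden's code: the mechanics a password-manager
vault relies on, using only the Python standard library.
  * a CSPRNG generates a unique password or passphrase per site;
  * the master password is never stored; a key is derived from it with
    PBKDF2-HMAC-SHA256 every time the vault is unlocked;
  * entries are authenticated-encrypted under that key, so a wrong master
    password (or a tampered vault) is rejected rather than decrypted to junk.
The encrypt-then-MAC cipher below stands in for AES so the example needs no
third-party library; the iteration count and word list are assumptions."""
import hashlib
import hmac
import secrets
import string

KDF_ITERATIONS = 600_000  # assumed for the example; real managers tune this
SYMBOLS = "!@#$%^&*()-_=+[]{}:;,.?"
# Constructed mini word list; real generators use lists of thousands of words.
WORDS = ["anchor", "basil", "copper", "dune", "ember", "fjord", "granite",
         "harbour", "island", "juniper", "kestrel", "lantern", "meadow",
         "nimbus", "orchid", "pebble"]


def generate_password(length: int = 20, symbols: bool = True) -> str:
    """The manager's 'generate' button: CSPRNG choice from a large alphabet."""
    alphabet = string.ascii_letters + string.digits + (SYMBOLS if symbols else "")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(n_words: int = 5, sep: str = "-") -> str:
    """Diceware-style passphrase: easier to type on a phone, still random."""
    return sep.join(secrets.choice(WORDS) for _ in range(n_words))


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into a 256-bit key (slow on purpose)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC in counter mode as a PRF-based stream cipher (stand-in for AES)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with separate sub-keys; returns nonce || ciphertext || tag."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key fails here, not later."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault check failed: wrong master password or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def create_vault(iterations: int = KDF_ITERATIONS) -> dict:
    """A vault holds a random salt, the KDF cost and sealed entries: no key, no master password."""
    return {"salt": secrets.token_bytes(16), "iterations": iterations, "entries": {}}


def add_entry(vault: dict, master_password: str, site: str, username: str, password=None) -> str:
    """Save (or generate) a per-site credential; returns the password in use."""
    key = derive_vault_key(master_password, vault["salt"], vault["iterations"])
    password = password or generate_password()
    vault["entries"][site] = seal(key, f"{username}\n{password}".encode("utf-8"))
    return password


def get_entry(vault: dict, master_password: str, site: str):
    """Unlock one entry; raises ValueError if the master password is wrong."""
    key = derive_vault_key(master_password, vault["salt"], vault["iterations"])
    username, password = unseal(key, vault["entries"][site]).decode("utf-8").split("\n", 1)
    return username, password


if __name__ == "__main__":
    master = generate_passphrase(5)          # the one password you must remember
    vault = create_vault()
    pw = add_entry(vault, master, "shop.example", "you@example.com")
    print("master passphrase:", master)
    print("generated site password:", pw)
    print("unlocked:", get_entry(vault, master, "shop.example"))
    try:
        get_entry(vault, "password123", "shop.example")
    except ValueError as exc:
        print("wrong master password:", exc)
```

Note that the vault on disk contains only the salt, the cost setting and sealed blobs; the only way to the plaintext is through the master password, which is exactly why losing that one password means losing everything in the vault.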

What does it cost?

Bitwarden is free for personal use, with paid premium features and a very generously priced family plan for up to 6 users.

Bitwarden Password Manager - Beginners Guide

Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA). Often implemented with TOTP (Time-based One-Time Password) codes

The next step is to always use two-factor authentication whenever possible. This is where a website or application requires a second proof of identity in addition to your username and password: a one-time code sent to you, or generated by an app on your phone. Using the example above, when we log in to the shopping site with our username and the secure password stored in Bitwarden, the site then sends a code by SMS or prompts for one from our code generator app. You enter the code, and once it is accepted you are allowed into your account. Where a site offers the choice, prefer an authenticator app over SMS: an SMS code can be intercepted by an attacker who convinces your carrier to move your phone number onto their SIM.

Many Australians would be familiar with this process from logging in to the myGov website (my.gov.au) for Australian government services.

Code Generator Apps

Bitwarden can also generate the codes directly within the password vault; the field is called TOTP. There are pros and cons to having Bitwarden generate the codes within the app. The thinking is that if your master password were compromised, 2FA codes held in a separate app would remain an additional layer of security. If the 2FA seeds are inside the vault, that layer is removed, because whoever unlocks the vault holds both factors. Whilst I agree with this, there is a level of convenience in having those codes within the app.

It is absolutely fine to use a separate 2FA or TOTP code generator app. Here are some other choices:

This may all seem like a lot to do and a pain to implement. And yes, to start with, setting up a password manager and entering these new complex passwords into it is annoying and adds a few extra seconds to the login process. But the payoff is big: getting hold of your credentials for websites, apps and accounts is now much harder for an attacker, and one breached site no longer unlocks all the others. With data breaches becoming more common, it is on us to do our bit to safeguard the data that is ours.

Some other password managers available include LastPass, Dashlane and 1Password, to name a few.

If you’d like assistance with setting up Bitwarden or another password manager our team are able to assist.
